ID | Severity | Title | Discussion (Rationale) | Fix Text (Description) | Check Text (OCIL Check) | SRG Refs | CCI Refs | 800-53 Refs |
xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration | medium | Set Account Expiration Following Inactivity | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd :
INACTIVE=If a password is currently on the verge of expiration, then
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information. |
To verify the INACTIVE setting, run the following command: $ grep "INACTIVE" /etc/default/useradd The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below: $ grep "INACTIVE" /etc/default/useradd INACTIVE= Is it the case that the value of INACTIVE is greater than the expected value or is -1? |
SRG-OS-000118-GPOS-00060 |
CCI-000017 CCI-000795 |
AC-2 (3) IA-4 e |
xccdf_org.ssgproject.content_rule_accounts_authorized_local_users | medium | Only Authorized Local User Accounts Exist on Operating System | Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. | Enterprise Application tends to use the server or virtual machine exclusively.
Besides the default operating system user, there should be only authorized local
users required by the installed software groups and applications that exist on
the operating system. The authorized user list can be customized in the refine
value variable var_accounts_authorized_local_users_regex .
OVAL regular expression is used for the user list.
Configure the system so all accounts on the system are assigned to an active system,
application, or user account. Remove accounts that do not support approved system
activities or that allow for a normal user to perform administrative-level actions.
To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user |
To verify that there are no unauthorized local user accounts, run the following command: $ less /etc/passwd Inspect the results, and if unauthorized local user accounts exist, remove them by running the following command: $ sudo userdel unauthorized_user Is it the case that there are unauthorized local user accounts on the system? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs | medium | Ensure Home Directories are Created for New Users | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. | All local interactive user accounts, upon creation, should be assigned a home directory.
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:
CREATE_HOME yes |
Verify all local interactive users on Oracle Linux 7 are assigned a home directory upon creation with the following command: $ grep -i create_home /etc/login.defs CREATE_HOME yes Is it the case that the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay | medium | Ensure the Logon Failure Delay is Set Correctly in login.defs | Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. | To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY |
Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by running the following command: $ sudo grep -i "FAIL_DELAY" /etc/login.defs All output must show the value of FAIL_DELAY set as shown in the below: $ sudo grep -i "FAIL_DELAY" /etc/login.defs FAIL_DELAY Is it the case that the above command returns no output, or FAIL_DELAY is configured less than the expected value? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions | low | Limit the Number of Concurrent Login Sessions Allowed Per User | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. | Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/ :
* hard maxlogins |
Verify Oracle Linux 7 limits the number of concurrent sessions to "" for all accounts and/or account types with the following command: $ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf /etc/security/limits.conf:* hard maxlogins 10 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "maxlogins" item assigned'? |
SRG-OS-000027-GPOS-00008 |
CCI-000054 |
AC-10 |
xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs | medium | Set Password Maximum Age | Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYSA value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is . |
To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The profile requirement is . Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value? |
SRG-OS-000076-GPOS-00044 |
CCI-000199 |
IA-5 (1) (d) |
xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs | medium | Set Password Minimum Age | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. |
To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYSA value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is . |
To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs Is it the case that it is not equal to or greater than the required value? |
SRG-OS-000075-GPOS-00043 |
CCI-000198 |
IA-5 (1) (d) |
xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero | high | Verify Only Root Has UID 0 | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned. |
Verify that only the "root" account has a UID "0" assignment with the following command: $ awk -F: '$3 == 0 {print $1}' /etc/passwd root Is it the case that any accounts other than "root" have a UID of "0"? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit | medium | Ensure PAM Enforces Password Requirements - Minimum Digit Characters | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. |
The pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords. |
To check how many digits are required in a password, run the following command: $ grep dcredit /etc/security/pwquality.conf The dcredit parameter (as a negative number) will indicate how many digits are required. Is it the case that dcredit is not found or not equal to or less than the required value? |
SRG-OS-000071-GPOS-00039 |
CCI-000194 |
IA-5 (1) (a) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_difok | medium | Ensure PAM Enforces Password Requirements - Minimum Different Characters | Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. |
The pam_pwquality module's difok parameter sets the number of characters
in a password that must not be present in and old password during a password change.
Modify the difok setting in /etc/security/pwquality.conf
to equal to require differing characters
when changing passwords. |
To check how many characters must differ during a password change, run the following command: $ sudo grep difok /etc/security/pwquality.conf difok = The difok parameter will indicate how many characters must differ. Is it the case that difok is not found or set to less than the required value? |
SRG-OS-000072-GPOS-00040 |
CCI-000195 |
IA-5 (1) (b) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit | medium | Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
The pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords. |
To check how many lowercase characters are required in a password, run the following command: $ grep lcredit /etc/security/pwquality.conf The lcredit parameter (as a negative number) will indicate how many special characters are required. Is it the case that lcredit is not found or not less than or equal to the required value? |
SRG-OS-000070-GPOS-00038 |
CCI-000193 |
IA-5 (1) (a) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat | medium | Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. |
The pam_pwquality module's maxclassrepeat parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
maxclassrepeat setting in /etc/security/pwquality.conf to equal
to prevent a run of ( + 1) or more identical characters. |
To check the value for maximum consecutive repeating characters, run the following command: $ sudo grep maxclassrepeat /etc/security/pwquality.conf Is it the case that the value of "maxclassrepeat" is set to "0", more than "<sub idref="var_password_pam_maxclassrepeat" />" or is commented out? |
SRG-OS-000072-GPOS-00040 |
CCI-000195 |
IA-5 (1) (b) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat | medium | Set Password Maximum Consecutive Repeating Characters | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
The pam_pwquality module's maxrepeat parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the maxrepeat setting
in /etc/security/pwquality.conf to equal to prevent a
run of ( + 1) or more identical characters. |
To check the maximum value for consecutive repeating characters, run the following command: $ sudo grep maxrepeat /etc/security/pwquality.conf Is it the case that the value of "maxrepeat" is set to more than "<sub idref="var_password_pam_maxrepeat" />" or is commented out? |
SRG-OS-000072-GPOS-00040 |
CCI-000195 |
IA-5 (1) (b) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass | medium | Ensure PAM Enforces Password Requirements - Minimum Different Categories | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space. |
The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation)Modify the minclass setting in /etc/security/pwquality.conf entry
to require
differing categories of characters when changing passwords. |
To check how many categories of characters must be used in password during a password change, run the following command: $ sudo grep minclass /etc/security/pwquality.conf The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from different categories, then this would appear as minclass = . Is it the case that the value of "minclass" is set to less than "<sub idref="var_password_pam_minclass" />" or is commented out? |
SRG-OS-000072-GPOS-00040 |
CCI-000195 |
IA-5 (1) (b) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen | medium | Ensure PAM Enforces Password Requirements - Minimum Length | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. |
The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=
after pam_pwquality to set minimum password length requirements. |
To check how many characters are required in a password, run the following command: $ grep minlen /etc/security/pwquality.conf Your output should contain minlen = Is it the case that minlen is not found, or not equal to or greater than the required value? |
SRG-OS-000078-GPOS-00046 |
CCI-000205 |
IA-5 (1) (a) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit | medium | Ensure PAM Enforces Password Requirements - Minimum Special Characters | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. |
The pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number,
any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting
in /etc/security/pwquality.conf to equal
to require use of a special character in passwords. |
To check how many special characters are required in a password, run the following command: $ grep ocredit /etc/security/pwquality.conf The ocredit parameter (as a negative number) will indicate how many special characters are required. Is it the case that value of "ocredit" is a positive number or is commented out? |
SRG-OS-000266-GPOS-00101 |
CCI-001619 |
IA-5 (1) (a) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth | medium | Limit Password Reuse: password-auth | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
In the file /etc/pam.d/password-auth , make sure the parameter
remember is present and it has a value equal to or greater than
. For example:
password control_flag pam_pwhistory.so ...existing_options... remember= use_authtokcontrol_flag should be one of the next values:
|
Verify Oracle Linux 7 is configured in the password-auth file to prohibit password reuse for a minimum of generations with the following command: $ grep -i remember /etc/pam.d/password-auth password pam_pwhistory.so use_authtok remember= retry=3 Is it the case that the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "<sub idref="var_password_pam_remember" />"? |
SRG-OS-000077-GPOS-00045 |
CCI-000200 |
IA-5 (1) (e) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth | medium | Limit Password Reuse: system-auth | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. | Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
In the file /etc/pam.d/system-auth , make sure the parameter
remember is present and it has a value equal to or greater than
For example:
password control_flag pam_pwhistory.so ...existing_options... remember= use_authtokcontrol_flag should be one of the next values:
|
Verify Oracle Linux 7 is configured in the system-auth file to prohibit password reuse for a minimum of generations with the following command: $ grep -i remember /etc/pam.d/system-auth password pam_pwhistory.so use_authtok remember= retry=3 Is it the case that the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "<sub idref="var_password_pam_remember" />"? |
SRG-OS-000077-GPOS-00045 |
CCI-000200 |
IA-5 (1) (e) |
xccdf_org.ssgproject.content_rule_accounts_password_pam_retry | medium | Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. | To configure the number of retry prompts that are permitted per-session:
Edit the pam_pwquality.so statement in
/etc/pam.d/system-auth to show
retry= , or a lower value if site
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
per session. |
Verify Oracle Linux 7 is configured to limit the "pwquality" retry option to . Check for the use of the "pwquality" retry option in the PAM files with the following command: $ grep pam_pwquality /etc/pam.d/system-auth password required pam_pwquality.so retry= Is it the case that the value of "retry" is set to "0" or greater than "<sub idref="var_password_pam_retry" />", or is missing? |
SRG-OS-000069-GPOS-00037 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000192 CCI-000366 |
IA-5 (1) (a) CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit | medium | Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. |
The pam_pwquality module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords. |
To check how many uppercase characters are required in a password, run the following command: $ grep ucredit /etc/security/pwquality.conf The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. This would appear as ucredit = -1. Is it the case that ucredit is not found or not set to the required value? |
SRG-OS-000069-GPOS-00037 SRG-OS-000070-GPOS-00038 |
CCI-000192 CCI-000193 |
IA-5 (1) (a) IA-5 (1) (a) |
xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing | medium | Set Existing Passwords Maximum Age | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. | Configure non-compliant accounts to enforce a -day maximum password lifetime
restriction by running the following command:
$ sudo chage -M USER |
Check whether the maximum time period for existing passwords is restricted to days with the following commands: $ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow $ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow Is it the case that any results are returned that are not associated with a system account? |
SRG-OS-000076-GPOS-00044 |
CCI-000199 |
IA-5 (1) (d) |
xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing | medium | Set Existing Passwords Minimum Age | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER |
Check whether the minimum time period between password changes for each user account is one day or greater. $ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow Is it the case that any results are returned that are not associated with a system account? |
SRG-OS-000075-GPOS-00043 |
CCI-000198 |
IA-5 (1) (d) |
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny | medium | Lock Accounts After Failed Password Attempts | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. | This rule configures the system to lock out accounts after a number of incorrect login attempts
using pam_faillock.so .
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig ,
depending on the OS version. |
Verify Oracle Linux 7 is configured to lock an account after unsuccessful logon attempts with the command: $ grep 'deny =' /etc/security/faillock.conf deny = . Is it the case that the "deny" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_deny" />" or less (but not "0"), is missing or commented out? |
SRG-OS-000021-GPOS-00005 SRG-OS-000329-GPOS-00128 |
CCI-000044 CCI-002236 CCI-002237 CCI-002238 |
AC-7 a |
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root | medium | Configure the root Account for Failed Password Attempts | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. | This rule configures the system to lock out the root account after a number of
incorrect login attempts using pam_faillock.so .
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig ,
depending on the OS version. |
Verify Oracle Linux 7 is configured to lock the root account after unsuccessful logon attempts with the command: $ grep even_deny_root /etc/security/faillock.conf even_deny_root Is it the case that the "even_deny_root" option is not set, is missing or commented out? |
SRG-OS-000329-GPOS-00128 SRG-OS-000021-GPOS-00005 |
CCI-002238 CCI-000044 |
AC-7 a |
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval | medium | Set Interval For Counting Failed Password Attempts | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | Utilizing pam_faillock.so , the fail_interval directive configures the system
to lock out an account after a number of incorrect login attempts within a specified time
period. |
To ensure the failed password attempt policy is configured correctly, run the following command: $ grep fail_interval /etc/security/faillock.conf The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. Is it the case that the "fail_interval" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />" or less (but not "0"), the line is commented out, or the line is missing? |
SRG-OS-000021-GPOS-00005 SRG-OS-000329-GPOS-00128 |
CCI-000044 CCI-002236 CCI-002237 CCI-002238 |
AC-7 a |
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time | medium | Set Lockout Time for Failed Password Attempts | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_faillock.so .
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
it is recommended to use the appropriate tools, such as authselect or authconfig ,
depending on the OS version.
If unlock_time is set to 0 , manual intervention by an administrator is required
to unlock a user. This should be done using the faillock tool. |
Verify Oracle Linux 7 is configured to lock an account until released by an administrator after unsuccessful logon attempts with the command: $ grep 'unlock_time =' /etc/security/faillock.conf unlock_time = Is it the case that the "unlock_time" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_unlock_time" />", the line is missing, or commented out? |
SRG-OS-000021-GPOS-00005 SRG-OS-000329-GPOS-00128 |
CCI-000044 CCI-002236 CCI-002237 CCI-002238 |
AC-7 a |
xccdf_org.ssgproject.content_rule_accounts_tmout | medium | Set Interactive Session Timeout | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. | Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity.
The value of TMOUT should be exported and read only.
The TMOUT
setting in a file loaded by /etc/profile , e.g.
/etc/profile.d/tmout.sh should read as follows:
declare -xr TMOUT= |
Run the following command to ensure the TMOUT value is configured for all users on the system: $ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh The output should return the following: TMOUT= Is it the case that TMOUT is not set or its value is greater than expected setting? |
SRG-OS-000029-GPOS-00010 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 |
CCI-000057 CCI-001133 CCI-002361 |
AC-11 a SC-10 |
xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs | medium | Ensure the Default Umask is Set Correctly in login.defs | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. | To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK |
Verify the UMASK setting is configured correctly in the /etc/login.defs file by running the following command: $ sudo grep "UMASK" /etc/login.defs All output must show the value of UMASK set as shown in the below: UMASK Is it the case that the above command returns no output, or the umask is configured incorrectly? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users | medium | Ensure the Default Umask is Set Correctly For Interactive Users | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. | Remove the UMASK environment variable from all interactive users initialization files. |
Verify the UMASK setting is not configured for interactive users, run the following command: $ sudo grep -ri "UMASK" /home Is it the case that the above command returns no output, or if the umask is configured incorrectly? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000365-GPOS-00152 |
CCI-000366 CCI-001814 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership | medium | User Initialization Files Must Be Group-Owned By The Primary User | Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. | Change the group owner of interactive users files to the group found
in /etc/passwdfor the user. To change the group owner of a local interactive user home directory, use the following command: $ sudo chgrp USER_GROUP /home/USER/.INIT_FILEThis rule ensures every initialization file related to an interactive user is group-owned by an interactive user. |
To verify the local initialization files of all local interactive users are group- owned by the appropriate user, inspect the primary group of the respective users in /etc/passwd and verify all initialization files under the respective users home directory. Check the group owner of all local interactive users initialization files. Is it the case that they are not? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs | medium | User Initialization Files Must Not Run World-Writable Programs | If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. | Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE |
Verify that local initialization files do not execute world-writable programs, execute the following command: $ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; For all files listed, check for their presence in the local initialization files with the following command: Note: The example will be for a system that is configured to create users' home directories in the "/home" directory. sudo find /home/* -maxdepth 1 -type f -name \.\* -exec grep -H <file> {} \; Is it the case that user initialization files are executing world-writable programs? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership | medium | User Initialization Files Must Be Owned By the Primary User | Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. | Set the owner of the user initialization files for interactive users to
the primary owner with the following command:
$ sudo chown USER /home/USER/.*This rule ensures every initialization file related to an interactive user is owned by an interactive user. |
To verify all local initialization files for interactive users are owned by the primary user, run the following command: $ sudo ls -al /home/USER/.* The user initialization files should be owned by USER. Is it the case that they are not? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only | medium | Ensure that Users Path Contains Only Local Directories | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). | Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. | To verify that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory, run the following command: $ sudo grep -r PATH /home/ Inspect the output for any PATH is references directories outside the home directory. Is it the case that paths contain more than local home directories? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists | medium | All Interactive Users Home Directories Must Exist | If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. | Create home directories to all interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd :
$ sudo mkdir /home/USER |
To verify the assigned home directory of all interactive users on the system exist, run the following command: $ sudo pwck -r Is it the case that users home directory does not exist? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership | medium | All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User | If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. | Change the group of a local interactive users files and directories to a
group that the interactive user is a member of. To change the group owner of a
local interactive users files and directories, use the following command:
$ sudo chgrp USER_GROUP /home/USER/FILE_DIRThis rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user. |
To verify all files and directories in interactive user home directory are group-owned by a group the user is a member of, run the following command: $ sudo ls -lLR /home/USER Is it the case that the group ownership is incorrect? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership | medium | All User Files and Directories In The Home Directory Must Have a Valid Owner | If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise. | Either remove all files and directories from the system that
do not have a valid user, or assign a valid user to all unowned
files and directories. To assign a valid owner to a local
interactive user's files and directories, use the following command:
$ sudo chown -R USER /home/USERThis rule ensures every file or directory under the home directory related to an interactive user is owned by an interactive user. |
To verify all files and directories in a local interactive user's home directory have a valid owner, run the following command: $ sudo ls -lLR /home/USER Is it the case that the user ownership is incorrect? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions | medium | All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive | If a local interactive user files have excessive permissions, unintended users may be able to access or modify them. | Set the mode on files and directories in the local interactive user home
directory with the following command:
$ sudo chmod 0750 /home/USER/FILE_DIRFiles that begin with a "." are excluded from this requirement. |
To verify all files and directories contained in interactive user home directory, excluding local initialization files, have a mode of 0750, run the following command: $ sudo ls -lLR /home/USER Is it the case that home directory files or folders have incorrect permissions? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_agent_mfetpd_running | medium | Ensure McAfee Endpoint Security for Linux (ENSL) is running | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. | Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. | To verify that McAfee Endpoint Security for Linux is running, run the following command: $ sudo ps -ef | grep -i mfetpd Is it the case that virus scanning software is not running? |
SRG-OS-000191-GPOS-00080 |
CCI-001233 |
SI-2 (2) |
xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | medium | Configure Periodic Execution of AIDE | By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. |
At a minimum, AIDE should be configured to run a weekly scan.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab :
05 4 * * * root /usr/sbin/aide --checkTo implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab :
05 4 * * 0 root /usr/sbin/aide --checkAIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and
@weekly is acceptable. |
Verify the operating system routinely checks the baseline configuration for unauthorized changes. To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that AIDE is not configured to scan periodically? |
SRG-OS-000363-GPOS-00150 SRG-OS-000446-GPOS-00200 SRG-OS-000447-GPOS-00201 |
CCI-001744 CCI-002699 CCI-002702 |
|
xccdf_org.ssgproject.content_rule_aide_scan_notification | medium | Configure Notification of Post-AIDE Scan Details | Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. |
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab , append the
following line to the existing AIDE line:
| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhostOtherwise, add the following line to /etc/crontab :
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhostAIDE can be executed periodically through other means; this is merely one example. |
To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost The email address that the notifications are sent to can be changed by overriding . Is it the case that AIDE has not been configured or has not been configured to notify personnel of scan details? |
SRG-OS-000363-GPOS-00150 SRG-OS-000446-GPOS-00200 SRG-OS-000447-GPOS-00201 |
CCI-001744 CCI-002699 CCI-002702 |
|
xccdf_org.ssgproject.content_rule_aide_use_fips_hashes | medium | Configure AIDE to Use FIPS 140-2 for Validating Hashes | File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. | By default, the sha512 option is added to the NORMAL ruleset in AIDE.
If using a custom ruleset or the sha512 option is missing, add sha512
to the appropriate ruleset.
For example, add sha512 to the following line in /etc/aide.conf :
NORMAL = FIPSR+sha512AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. |
To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command: $ grep sha512 /etc/aide.conf Verify that the sha512 option is added to the correct ruleset. Is it the case that the sha512 option is missing or not added to the correct ruleset? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_aide_verify_acls | low | Configure AIDE to Verify Access Control Lists (ACLs) | ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. | By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf :
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf
|
To determine that AIDE is verifying ACLs, run the following command: $ grep acl /etc/aide.conf Verify that the acl option is added to the correct ruleset. Is it the case that the acl option is missing or not added to the correct ruleset? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes | low | Configure AIDE to Verify Extended Attributes | Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. | By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf :
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf
|
To determine that AIDE is verifying extended file attributes, run the following command: $ grep xattrs /etc/aide.conf Verify that the xattrs option is added to the correct ruleset. Is it the case that the xattrs option is missing or not added to the correct ruleset? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod | medium | Record Events that Modify the System's Discretionary Access Controls - chmod | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the chmod system call, run the following command: $ sudo grep "chmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown | medium | Record Events that Modify the System's Discretionary Access Controls - chown | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the chown system call, run the following command: $ sudo grep "chown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod | medium | Record Events that Modify the System's Discretionary Access Controls - fchmod | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the fchmod system call, run the following command: $ sudo grep "fchmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat | medium | Record Events that Modify the System's Discretionary Access Controls - fchmodat | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the fchmodat system call, run the following command: $ sudo grep "fchmodat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown | medium | Record Events that Modify the System's Discretionary Access Controls - fchown | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the fchown system call, run the following command: $ sudo grep "fchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat | medium | Record Events that Modify the System's Discretionary Access Controls - fchownat | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the fchownat system call, run the following command: $ sudo grep "fchownat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr | medium | Record Events that Modify the System's Discretionary Access Controls - fremovexattr | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the fremovexattr system call, run the following command: $ sudo grep "fremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr | medium | Record Events that Modify the System's Discretionary Access Controls - fsetxattr | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the fsetxattr system call, run the following command: $ sudo grep "fsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown | medium | Record Events that Modify the System's Discretionary Access Controls - lchown | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the lchown system call, run the following command: $ sudo grep "lchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr | medium | Record Events that Modify the System's Discretionary Access Controls - lremovexattr | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the lremovexattr system call, run the following command: $ sudo grep "lremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr | medium | Record Events that Modify the System's Discretionary Access Controls - lsetxattr | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the lsetxattr system call, run the following command: $ sudo grep "lsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr | medium | Record Events that Modify the System's Discretionary Access Controls - removexattr | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the removexattr system call, run the following command: $ sudo grep "removexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr | medium | Record Events that Modify the System's Discretionary Access Controls - setxattr | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
To determine if the system is configured to audit calls to the setxattr system call, run the following command: $ sudo grep "setxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon | medium | Record Any Attempts to Run chcon | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "chcon" command with the following command: $ sudo auditctl -l | grep chcon -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage | medium | Record Any Attempts to Run semanage | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "semanage" command with the following command: $ sudo auditctl -l | grep semanage -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000169 CCI-000172 CCI-002884 |
AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles | medium | Record Any Attempts to Run setfiles | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect any execution attempt
of the setfiles command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "setfiles" command with the following command: $ sudo auditctl -l | grep setfiles -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000169 CCI-000172 CCI-002884 |
AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool | medium | Record Any Attempts to Run setsebool | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "setsebool" command with the following command: $ sudo auditctl -l | grep setsebool -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename | medium | Ensure auditd Collects File Deletion Events by User - rename | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
To determine if the system is configured to audit calls to the rename system call, run the following command: $ sudo grep "rename" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-000366 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c CM-6 b |
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat | medium | Ensure auditd Collects File Deletion Events by User - renameat | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
To determine if the system is configured to audit calls to the renameat system call, run the following command: $ sudo grep "renameat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-000366 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c CM-6 b |
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir | medium | Ensure auditd Collects File Deletion Events by User - rmdir | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete |
To determine if the system is configured to audit calls to the rmdir system call, run the following command: $ sudo grep "rmdir" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-000366 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c CM-6 b |
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink | medium | Ensure auditd Collects File Deletion Events by User - unlink | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
To determine if the system is configured to audit calls to the unlink system call, run the following command: $ sudo grep "unlink" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-000366 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c CM-6 b |
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat | medium | Ensure auditd Collects File Deletion Events by User - unlinkat | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
To determine if the system is configured to audit calls to the unlinkat system call, run the following command: $ sudo grep "unlinkat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-000366 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c CM-6 b |
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete | medium | Ensure auditd Collects Information on Kernel Module Unloading - delete_module | The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules . |
To determine if the system is configured to audit calls to the delete_module system call, run the following command: $ sudo grep "delete_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit | medium | Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modulesIf the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules |
To determine if the system is configured to audit calls to the finit_module system call, run the following command: $ sudo grep "finit_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init | medium | Ensure auditd Collects Information on Kernel Module Loading - init_module | The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. | To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d .
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules . |
To determine if the system is configured to audit calls to the init_module system call, run the following command: $ sudo grep "init_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock | medium | Record Attempts to Alter Logon and Logout Events - faillock | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins |
Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: $ sudo auditctl -l | grep /var/run/faillock -w /var/run/faillock -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000172 CCI-002884 |
AU-2 d AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog | medium | Record Attempts to Alter Logon and Logout Events - lastlog | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins |
Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command: $ sudo auditctl -l | grep /var/log/lastlog -w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_media_export | medium | Ensure auditd Collects Information on Exporting to Media (successful) | The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. | At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d , setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=exportIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export |
To determine if the system is configured to audit calls to the mount system call, run the following command: $ sudo grep "mount" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage | medium | Ensure auditd Collects Information on the Use of Privileged Commands - chage | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "chage" command with the following command: $ sudo auditctl -l | grep chage -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh | medium | Ensure auditd Collects Information on the Use of Privileged Commands - chsh | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "chsh" command with the following command: $ sudo auditctl -l | grep chsh -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab | medium | Ensure auditd Collects Information on the Use of Privileged Commands - crontab | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "crontab" command with the following command: $ sudo auditctl -l | grep crontab -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd | medium | Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "gpasswd" command with the following command: $ sudo auditctl -l | grep gpasswd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod | medium | Ensure auditd Collects Information on the Use of Privileged Commands - kmod | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-w /usr/bin/kmod -p x -F auid!=unset -k modulesIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-w /usr/bin/kmod -p x -F auid!=unset -k modules |
Verify that Oracle Linux 7 is configured to audit the execution of the "kmod" command with the following command: $ sudo auditctl -l | grep kmod -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount | medium | Ensure auditd Collects Information on the Use of Privileged Commands - mount | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "mount" command with the following command: $ sudo auditctl -l | grep mount -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp | medium | Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "newgrp" command with the following command: $ sudo auditctl -l | grep newgrp -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000062-GPOS-00031 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000169 CCI-000135 CCI-000172 CCI-002884 |
AU-3 AU-12 a AU-3 (1) AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check | medium | Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "pam_timestamp_check" command with the following command: $ sudo auditctl -l | grep pam_timestamp_check -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd | medium | Ensure auditd Collects Information on the Use of Privileged Commands - passwd | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "passwd" command with the following command: $ sudo auditctl -l | grep passwd -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop | medium | Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "postdrop" command with the following command: $ sudo auditctl -l | grep postdrop -a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postdrop Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue | medium | Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "postqueue" command with the following command: $ sudo auditctl -l | grep postqueue -a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postqueue Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign | medium | Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "ssh-keysign" command with the following command: $ sudo auditctl -l | grep ssh-keysign -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su | medium | Ensure auditd Collects Information on the Use of Privileged Commands - su | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "su" command with the following command: $ sudo auditctl -l | grep su -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo | medium | Ensure auditd Collects Information on the Use of Privileged Commands - sudo | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "sudo" command with the following command: $ sudo auditctl -l | grep sudo -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount | medium | Ensure auditd Collects Information on the Use of Privileged Commands - umount | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "umount" command with the following command: $ sudo auditctl -l | grep umount -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000062-GPOS-00031 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000169 CCI-000135 CCI-000172 CCI-002884 |
AU-3 AU-12 a AU-3 (1) AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd | medium | Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "unix_chkpwd" command with the following command: $ sudo auditctl -l | grep unix_chkpwd -a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_chkpwd Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper | medium | Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d :
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules :
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
Verify that Oracle Linux 7 is configured to audit the execution of the "userhelper" command with the following command: $ sudo auditctl -l | grep userhelper -a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-userhelper Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function | medium | Record Events When Privileged Executables Are Run | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. | Verify the system generates an audit record when privileged functions are executed.
If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rulesIf audit is using the "augenrules" tool to load the rules, run the following command: $ sudo grep -r execve /etc/audit/rules.d -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgidIf both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. |
Verify Oracle Linux 7 audits the execution of privileged functions. Check if Oracle Linux 7 is configured to audit the execution of the "execve" system call using the following command: $ sudo grep execve /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid Is it the case that the command does not return all lines, or the lines are commented out? |
SRG-OS-000365-GPOS-00152 SRG-OS-000354-GPOS-00142 SRG-OS-000358-GPOS-00145 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000348-GPOS-00136 SRG-OS-000349-GPOS-00137 SRG-OS-000337-GPOS-00129 SRG-OS-000326-GPOS-00126 SRG-OS-000327-GPOS-00127 |
CCI-001814 CCI-001882 CCI-001889 CCI-001880 CCI-001881 CCI-001878 CCI-001879 CCI-001875 CCI-001877 CCI-001914 CCI-002233 CCI-002234 |
|
xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions | medium | Ensure auditd Collects System Administrator Actions | The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. | At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d :
-w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actionsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions |
To verify that auditing is configured for system administrator actions, run the following command: $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" Is it the case that there is not output? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000126 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-2 d AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown | medium | Shutdown System When Auditing Failures Occur | It is critical for the appropriate personnel to be aware if a system
is at risk of failing to process audit logs as required. Without this
notification, the security personnel may be unaware of an impending failure of
the audit capability, and system operation may be adversely affected.
Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to to the bottom of a file with suffix
.rules in the directory /etc/audit/rules.d :
-f 2If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
bottom of the /etc/audit/audit.rules file:
-f 2 |
To verify that the system will shutdown when auditd fails, run the following command: $ sudo grep "\-f 2" /etc/audit/audit.rules The output should contain: -f 2 Is it the case that the system is not configured to shutdown on auditd failures? |
SRG-OS-000046-GPOS-00022 SRG-OS-000047-GPOS-00023 |
CCI-000139 CCI-000140 |
AU-5 a AU-5 b |
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat | medium | Record Unsuccessful Access Attempts to Files - creat | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the creat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r creat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep creat /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate | medium | Record Unsuccessful Access Attempts to Files - ftruncate | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the ftruncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r ftruncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep ftruncate /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open | medium | Record Unsuccessful Access Attempts to Files - open | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep open /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at | medium | Record Unsuccessful Access Attempts to Files - open_by_handle_at | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r open_by_handle_at /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep open_by_handle_at /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat | medium | Record Unsuccessful Access Attempts to Files - openat | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep openat /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate | medium | Record Unsuccessful Access Attempts to Files - truncate | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d :
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Verify Oracle Linux 7 generates an audit record for unsuccessful attempts to use the truncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r truncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep truncate /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000392-GPOS-00172 |
CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-002884 |
AU-3 AU-3 (1) AU-12 a AU-12 c |
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group | medium | Record Events that Modify User/Group Information - /etc/group | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification |
Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command: $ sudo auditctl -l | egrep '(/etc/group)' -w /etc/group -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 SRG-OS-000303-GPOS-00120 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 |
CCI-000018 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 CCI-002884 |
AC-2 (4) AU-3 AU-3 (1) AU-12 a AU-12 c AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) |
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow | medium | Record Events that Modify User/Group Information - /etc/gshadow | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: $ sudo auditctl -l | egrep '(/etc/gshadow)' -w /etc/gshadow -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the system is not configured to audit account changes? |
SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 SRG-OS-000303-GPOS-00120 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 |
CCI-000018 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 CCI-002884 |
AC-2 (4) AU-3 AU-3 (1) AU-12 a AU-12 c AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) |
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd | medium | Record Events that Modify User/Group Information - /etc/security/opasswd | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command: $ sudo auditctl -l | egrep '(/etc/security/opasswd)' -w /etc/security/opasswd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 SRG-OS-000303-GPOS-00120 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 |
CCI-000018 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 CCI-002884 |
AC-2 (4) AU-3 AU-3 (1) AU-12 a AU-12 c AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) |
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd | medium | Record Events that Modify User/Group Information - /etc/passwd | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification |
Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: $ sudo auditctl -l | egrep '(/etc/passwd)' -w /etc/passwd -p wa -k identity Is it the case that the command does not return a line, or the line is commented out? |
SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 SRG-OS-000303-GPOS-00120 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 |
CCI-000018 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 CCI-002884 |
AC-2 (4) AU-3 AU-3 (1) AU-12 a AU-12 c AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) |
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow | medium | Record Events that Modify User/Group Information - /etc/shadow | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d , in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification |
Verify Oracle Linux 7 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command: $ sudo auditctl -l | egrep '(/etc/shadow)' -w /etc/shadow -p wa -k identity Is it the case that command does not return a line, or the line is commented out? |
SRG-OS-000004-GPOS-00004 SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000062-GPOS-00031 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000239-GPOS-00089 SRG-OS-000240-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000274-GPOS-00104 SRG-OS-000275-GPOS-00105 SRG-OS-000276-GPOS-00106 SRG-OS-000277-GPOS-00107 SRG-OS-000303-GPOS-00120 SRG-OS-000304-GPOS-00121 SRG-OS-000392-GPOS-00172 |
CCI-000018 CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-001403 CCI-001404 CCI-001405 CCI-001683 CCI-001684 CCI-001685 CCI-001686 CCI-002130 CCI-002132 CCI-002884 |
AC-2 (4) AU-3 AU-3 (1) AU-12 a AU-12 c AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) AC-2 (4) |
xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server | medium | Configure audispd Plugin To Send Logs To Remote Server | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity. | Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
Set the remote_server option in /etc/audisp/audisp-remote.confwith an IP address or hostname of the system that the audispd plugin should send audit records to. For example remote_server = |
To verify the audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command: $ sudo grep -i remote_server /etc/audisp/audisp-remote.conf The output should return something similar to remote_server = Is it the case that audispd is not sending logs to a remote system? |
SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224 |
CCI-001851 |
|
xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action | medium | Configure audispd's Plugin disk_full_action When Disk Is Full | Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. | Configure the action the operating system takes if the disk the audit records
are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf .
Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTIONSet this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt . For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. |
Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to either send to syslog, switch to single user mode, or halt when the disk is full: $ sudo grep -i disk_full_action /etc/audisp/audisp-remote.conf The output should return something similar to: disk_full_action = single Acceptable values also include syslog and halt. Is it the case that the system is not configured to switch to single user mode for corrective action? |
SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224 |
CCI-001851 |
|
xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records | medium | Encrypt Audit Records Sent With audispd Plugin | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. | Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf, and set it with the following line: enable_krb5 = yes |
To verify the audispd plugin encrypts audit records off-loaded onto a different system or media from the system being audited, run the following command: $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf The output should return the following: enable_krb5 = yes Is it the case that audispd is not encrypting audit records when sent over the network? |
SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224 |
CCI-001851 |
|
xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action | medium | Configure audispd's Plugin network_failure_action On Network Failure | Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. | Configure the action the operating system takes if there is an error sending
audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf .
Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTIONSet this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt . For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
This profile configures the action to be . |
Inspect /etc/audisp/audisp-remote.conf and locate the following line to determine if the system is configured to perform a correct action according to the policy: $ sudo grep -i network_failure_action /etc/audisp/audisp-remote.conf The output should return: network_failure_action = Is it the case that the system is not configured to switch to single user mode for corrective action? |
SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224 |
CCI-001851 |
|
xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct | medium | Configure auditd mail_acct Action on Low Disk Space | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. | The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = |
Verify that the Oracle Linux 7 "auditd" service is configured to notify the SA and ISSO in the event of an audit processing failure. Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: action_mail_acct = Is it the case that auditd is not configured to send emails per identified actions? |
SRG-OS-000046-GPOS-00022 SRG-OS-000343-GPOS-00134 |
CCI-000139 CCI-001855 |
AU-5 a |
xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left | medium | Configure auditd space_left on Low Disk Space | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf . Add or modify the following line,
substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MBSet this value to the appropriate size in Megabytes cause the system to notify the user of an issue. |
Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured correctly: space_left SIZE_in_MB Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue? |
SRG-OS-000343-GPOS-00134 |
CCI-001855 |
|
xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action | medium | Configure auditd space_left Action on Low Disk Space | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf . Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page.
These include:
email (instead of the default,
which is suspend ) as it is more likely to get prompt attention. Acceptable values
also include suspend , single , and halt . |
Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: $ sudo grep space_left_action /etc/audit/auditd.conf space_left_action Acceptable values are email, suspend, single, and halt. Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low? |
SRG-OS-000343-GPOS-00134 |
CCI-001855 |
|
xccdf_org.ssgproject.content_rule_auditd_name_format | medium | Set hostname as computer node name in audit logs | If option name_format is left at its default value of
none , audit events from different computers may be hard
to distinguish. |
To configure Audit daemon to use value returned by gethostname
syscall as computer node name in the audit events,
set name_format to hostname
in /etc/audit/auditd.conf . |
To verify that Audit Daemon is configured to record the hostname in audit events, run the following command: $ sudo grep name_format /etc/audit/auditd.conf The output should return the following: name_format = hostname Is it the case that name_format isn't set to hostname? |
SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224 |
CCI-001851 |
|
xccdf_org.ssgproject.content_rule_auditd_overflow_action | medium | Appropriate Action Must be Setup When the Internal Audit Event Queue is Full | The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. | The audit system should have an action setup in the event the internal event queue becomes full.
To setup an overflow action edit /etc/audisp/audispd.conf . Set overflow_action
to one of the following values: syslog , single , halt . |
Verify the audit system is configured to take an appropriate action when the internal event queue is full: $ sudo grep -i overflow_action /etc/audisp/audispd.conf The output should contain overflow_action = syslog If the value of the "overflow_action" option is not set to syslog, single, halt or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. Is it the case that auditd overflow action is not set correctly? |
SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224 |
CCI-001851 |
|
xccdf_org.ssgproject.content_rule_banner_etc_issue | medium | Modify the System Login Banner | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
To configure the system login banner edit /etc/issue . Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
OR: I've read & consent to terms in IS user agreem't.
|
To check if the system login banner is compliant, run the following command: $ cat /etc/issue Is it the case that it does not display the required banner? |
SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 |
CCI-000048 CCI-000050 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 |
AC-8 a AC-8 b AC-8 c AC-8 c AC-8 c AC-8 c AC-8 c |
xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll | medium | Configure Time Service Maxpoll Interval | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). | The maxpoll should be configured to
in /etc/ntp.conf or
/etc/chrony.conf to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf
add the following after each `server`, `pool` or `peer` entry:
maxpollto serverdirectives. If using chrony any pooldirectives should be configured too. If no server or pool directives are configured, the rule evaluates
to pass. |
Verify Oracle Linux 7 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command: $ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf server [ntp.server.name] iburst maxpoll . Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing? |
SRG-OS-000355-GPOS-00143 SRG-OS-000356-GPOS-00144 |
CCI-001891 CCI-002046 |
|
xccdf_org.ssgproject.content_rule_clean_components_post_updating | low | Ensure yum Removes Previous Package Versions | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. |
yum should be configured to remove previous software components after
new versions have been installed. To configure yum to remove the
previous software components after updating, set the clean_requirements_on_remove
to 1 in /etc/yum.conf . |
Verify Oracle Linux 7 removes all software components after updated versions have been installed. $ grep clean_requirements_on_remove /etc/yum.conf clean_requirements_on_remove=1 Is it the case that '"clean_requirements_on_remove" is not set to "1"'? |
SRG-OS-000437-GPOS-00194 |
CCI-002617 |
|
xccdf_org.ssgproject.content_rule_configure_firewalld_ports | medium | Configure the Firewalld Ports | In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must
disable or restrict unused or unnecessary physical and logical ports/protocols on information
systems.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business. |
Configure the firewalld ports to allow approved services to have access to the system.
To configure firewalld to open ports, run the following command:
firewall-cmd --permanent --add-port=port_number/tcpTo configure firewalld to allow access for pre-defined services, run the following
command:
firewall-cmd --permanent --add-service=service_name |
Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command: $ sudo firewall-cmd --list-all Is it the case that the firewalld rules are not configured? |
SRG-OS-000096-GPOS-00050 SRG-OS-000297-GPOS-00115 |
CCI-000382 CCI-002314 |
CM-7 |
xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting | medium | Configure firewalld To Rate Limit Connections | DoS is a condition when a resource is not available for legitimate users. When
this occurs, the organization either cannot accomplish its mission or must
operate at degraded capacity.
This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. |
Create a direct firewall rule to protect against DoS attacks with the following
command:
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES |
To verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces, run the following command: $ sudo firewall-cmd --permanent --direct --get-rules ipv4 filter INPUT_direct The output should return: 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES Is it the case that firewalld is not rate limiting connections? |
SRG-OS-000420-GPOS-00186 |
CCI-002385 |
|
xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | high | Make sure that the dconf databases are up-to-date with regards to respective keyfiles | Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them. | By default, DConf uses a binary database as a data backend.
The system-level database is compiled from keyfiles in the /etc/dconf/db/
directory by the dconf updatecommand. More specifically, content present in the following directories: /etc/dconf/db/gdm.d /etc/dconf/db/local.d |
In order to be sure that the databases are up-to-date, run the dconf update command as the administrator. Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles? |
|||
xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled | medium | Enable GNOME3 Login Warning Banner | Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. |
In the default graphical environment, displaying a login warning banner
in the GNOME Display Manager's login screen can be enabled on the login
screen by setting banner-message-enable to true .
To enable, add or edit banner-message-enable to
/etc/dconf/db/gdm.d/00-security-settings . For example:
[org/gnome/login-screen] banner-message-enable=trueOnce the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enableAfter the settings have been set, run dconf update .
The banner text must also be set. |
To ensure a login warning banner is enabled, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/* If properly configured, the output should be true. To ensure a login warning banner is locked and cannot be changed by a user, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. Is it the case that it is not? |
SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 |
CCI-000048 CCI-000050 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 |
AC-8 a AC-8 b AC-8 c AC-8 c AC-8 c AC-8 c AC-8 c |
xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount | medium | Disable GNOME3 Automounting | Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount within GNOME3, add or set
automount to false in /etc/dconf/db/local.d/00-security-settings .
For example:
[org/gnome/desktop/media-handling] automount=falseOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automountAfter the settings have been set, run dconf update . |
These settings can be verified by running the following: $ gsettings get org.gnome.desktop.media-handling automount If properly configured, the output for automount should be false. To ensure that users cannot enable automount in GNOME3, run the following: $ grep 'automount' /etc/dconf/db/local.d/locks/* If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount Is it the case that GNOME automounting is not disabled? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 |
CCI-000366 CCI-000778 CCI-001958 |
CM-6 b IA-3 |
xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open | medium | Disable GNOME3 Automount Opening | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
automount-open to false in /etc/dconf/db/local.d/00-security-settings .
For example:
[org/gnome/desktop/media-handling] automount-open=falseOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-openAfter the settings have been set, run dconf update . |
These settings can be verified by running the following: $ gsettings get org.gnome.desktop.media-handling automount-open If properly configured, the output for automount-openshould be false. To ensure that users cannot enable automount opening in GNOME3, run the following: $ grep 'automount-open' /etc/dconf/db/local.d/locks/* If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open Is it the case that GNOME automounting is not disabled? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 |
CCI-000366 CCI-000778 CCI-001958 |
CM-6 b IA-3 |
xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun | medium | Disable GNOME3 Automount running | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Disabling automatic mount running in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media. | The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
autorun-never to true in /etc/dconf/db/local.d/00-security-settings .
For example:
[org/gnome/desktop/media-handling] autorun-never=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-neverAfter the settings have been set, run dconf update . |
These settings can be verified by running the following: $ gsettings get org.gnome.desktop.media-handling autorun-never If properly configured, the output for autorun-nevershould be true. To ensure that users cannot enable autorun in GNOME3, run the following: $ grep 'autorun-never' /etc/dconf/db/local.d/locks/* If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never Is it the case that GNOME autorun is not disabled? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 |
CCI-000366 CCI-000778 CCI-001958 |
CM-6 b IA-3 |
xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot | high | Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. | By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence
from the Graphical User Interface (GUI) instead of rebooting the system,
add or set logout to '' in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/settings-daemon/plugins/media-keys] logout=''Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logoutAfter the settings have been set, run dconf update . |
To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command: $ gsettings get org.gnome.settings-daemon.plugins.media-keys logout $ grep logout /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/settings-daemon/plugins/media-keys/logout Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth | medium | Enable the GNOME3 Login Smartcard Authentication | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. | In the default graphical environment, smart card authentication
can be enabled on the login screen by setting enable-smartcard-authentication
to true .
To enable, add or edit enable-smartcard-authentication to
/etc/dconf/db/gdm.d/00-security-settings . For example:
[org/gnome/login-screen] enable-smartcard-authentication=trueOnce the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/enable-smartcard-authenticationAfter the settings have been set, run dconf update . |
To ensure smart card authentication on the login screen is enabled, run the following command: $ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/* The output should be true. To ensure that users cannot disable smart card authentication on the login screen, run the following: $ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication Is it the case that enable-smartcard-authentication has not been configured or is disabled? |
SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055 SRG-OS-000375-GPOS-00160 SRG-OS-000377-GPOS-00162 |
CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 CCI-001948 CCI-001954 |
IA-2 (1) IA-2 (2) IA-2 (3) IA-2 (4) IA-2 (6) IA-2 (7) MA-4 (4) |
xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text | medium | Set the GNOME3 Login Warning Banner Text | An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. | In the default graphical environment, configuring the login warning banner text
in the GNOME Display Manager's login screen can be configured on the login
screen by setting banner-message-text to 'APPROVED_BANNER'
where APPROVED_BANNER is the approved banner for your environment.
To enable, add or edit banner-message-text to
/etc/dconf/db/gdm.d/00-security-settings . For example:
[org/gnome/login-screen] banner-message-text='APPROVED_BANNER'Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-textAfter the settings have been set, run dconf update .
When entering a warning banner that spans several lines, remember
to begin and end the string with ' and use \n for new lines. |
To ensure the login warning banner text is properly set, run the following: $ grep banner-message-text /etc/dconf/db/gdm.d/* If properly configured, the proper banner text will appear. To ensure the login warning banner text is locked and cannot be changed by a user, run the following: $ grep banner-message-text /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-text. Is it the case that it does not? |
SRG-OS-000023-GPOS-00006 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 |
CCI-000048 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 |
AC-8 a AC-8 c AC-8 c AC-8 c AC-8 c AC-8 c |
xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled | medium | Enable GNOME3 Screensaver Idle Activation | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock.
Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area. |
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set idle-activation-enabled to true in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/desktop/screensaver] idle-activation-enabled=trueOnce the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabledAfter the settings have been set, run dconf update . |
To check the screensaver mandatory use status, run the following command: $ gsettings get org.gnome.desktop.screensaver idle-activation-enabled If properly configured, the output should be true. To ensure that users cannot disable the screensaver idle inactivity setting, run the following: $ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled Is it the case that idle-activation-enabled is not enabled or configured? |
SRG-OS-000029-GPOS-00010 |
CCI-000057 |
AC-11 a |
xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked | medium | Ensure Users Cannot Change GNOME3 Screensaver Idle Activation | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/idle-activation-enabledto /etc/dconf/db/local.d/00-security-settings .
For example:
/org/gnome/desktop/screensaver/idle-activation-enabledAfter the settings have been set, run dconf update . |
To ensure that users cannot disable the screensaver idle inactivity setting, run the following: $ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled Is it the case that idle-activation-enabled is not locked? |
SRG-OS-000029-GPOS-00010 |
CCI-000057 |
AC-11 a |
xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay | medium | Set GNOME3 Screensaver Inactivity Timeout | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. | The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings :
[org/gnome/desktop/session] idle-delay=uint32 900 |
To check the current idle time-out value, run the following command: $ gsettings get org.gnome.desktop.session idle-delay If properly configured, the output should be 'uint32 '. To ensure that users cannot change the screensaver inactivity timeout setting, run the following: $ grep idle-delay /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/session/idle-delay Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />? |
SRG-OS-000029-GPOS-00010 SRG-OS-000031-GPOS-00012 |
CCI-000057 CCI-000060 |
AC-11 a AC-11 (1) |
xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay | medium | Set GNOME3 Screensaver Lock Delay After Activation Period | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. | To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/desktop/screensaver] lock-delay=uint32After the settings have been set, run dconf update . |
To check that the screen locks immediately when activated, run the following command: $ gsettings get org.gnome.desktop.screensaver lock-delay If properly configured, the output should be 'uint32 '. Is it the case that the screensaver lock delay is missing, or is set to a value greater than <sub idref="var_screensaver_lock_delay" />? |
SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010 SRG-OS-000031-GPOS-00012 |
CCI-000056 CCI-000057 CCI-000060 |
AC-11 b AC-11 a AC-11 (1) |
xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled | medium | Enable GNOME3 Screensaver Lock After Idle Period | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/local.d/00-security-settings . For example:
[org/gnome/desktop/screensaver] lock-enabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update . |
To check the status of the idle screen lock activation, run the following command: $ gsettings get org.gnome.desktop.screensaver lock-enabled If properly configured, the output should be true. To ensure that users cannot change how long until the screensaver locks, run the following: $ grep lock-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? |
SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012 |
CCI-000056 CCI-000058 CCI-000060 |
AC-11 b AC-11 a AC-11 (1) |
xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked | medium | Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-enabledto /etc/dconf/db/local.d/00-security-settings .
For example:
/org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update . |
To ensure that users cannot change how long until the screensaver locks, run the following: $ grep lock-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled Is it the case that screensaver locking is not locked? |
SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010 |
CCI-000056 CCI-000057 |
AC-11 b AC-11 a |
xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks | medium | Ensure Users Cannot Change GNOME3 Screensaver Settings | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delayAfter the settings have been set, run dconf update . |
To ensure that users cannot change session idle and lock settings, run the following: $ grep 'lock-delay' /etc/dconf/db/local.d/locks/* If properly configured, the output should return: /org/gnome/desktop/screensaver/lock-delay Is it the case that GNOME3 session settings are not locked or configured properly? |
SRG-OS-000029-GPOS-00010 SRG-OS-000031-GPOS-00012 |
CCI-000057 CCI-000060 |
AC-11 a AC-11 (1) |
xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks | medium | Ensure Users Cannot Change GNOME3 Session Idle Settings | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. | If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delayAfter the settings have been set, run dconf update . |
To ensure that users cannot change session idle and lock settings, run the following: $ grep 'idle-delay' /etc/dconf/db/local.d/locks/* If properly configured, the output should return: /org/gnome/desktop/session/idle-delay Is it the case that idle-delay is not locked? |
SRG-OS-000029-GPOS-00010 SRG-OS-000031-GPOS-00012 |
CCI-000057 CCI-000060 |
AC-11 a AC-11 (1) |
xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned | medium | Ensure All World-Writable Directories Are Owned by a System Account | Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. | All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate owner. | The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition PART: $ sudo find PART -xdev -type d -perm -0002 -uid +499 -print Is it the case that there is output? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group | medium | Ensure All World-Writable Directories Are Group Owned by a System Account | Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. | All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. | The following command will discover and print world-writable directories that are not group owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition PART: $ sudo find PART -xdev -type d -perm -0002 -gid +999 -print Is it the case that there is output? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot | high | Disable Ctrl-Alt-Del Reboot Activation | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.targetor systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check that the ctrl-alt-del.target is masked and not active with the following command: sudo systemctl status ctrl-alt-del.target The output should indicate that the target is masked and not active. It might resemble following output: ctrl-alt-del.target Loaded: masked (/dev/null; bad) Active: inactive (dead) Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_disable_host_auth | medium | Disable Host-Based Authentication | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication .
To explicitly disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config :
HostbasedAuthentication no |
To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command: $ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo | medium | Disallow Configuration to Bypass Password Requirements for Privilege Escalation | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. | Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudoIf any occurrences of "pam_succeed_if" is returned from the command, this is a finding. |
Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: $ sudo grep pam_succeed_if /etc/pam.d/sudo Is it the case that system is configured to bypass password requirements for privilege escalation? |
SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 |
CCI-002038 |
|
xccdf_org.ssgproject.content_rule_display_login_attempts | low | Ensure PAM Displays Last Logon/Access Notification | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. | To configure the system to notify users of last logon/access
using pam_lastlog , add or correct the pam_lastlog
settings in
/etc/pam.d/postlogin to read as follows:
session required pam_lastlog.so showfailedAnd make sure that the silent option is not set for
pam_lastlog module. |
Verify users are provided with feedback on when account accesses last occurred with the following command: $ sudo grep pam_lastlog /etc/pam.d/postlogin session required pam_lastlog.so showfailed Is it the case that "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | high | Ensure gpgcheck Enabled In Main yum Configuration | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
To determine whether yum is configured to use gpgcheck, inspect /etc/yum.conf and ensure the following appears in the [main] section: gpgcheck=1 A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled. Is it the case that GPG checking is not enabled? |
SRG-OS-000366-GPOS-00153 |
CCI-001749 |
|
xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | high | Ensure gpgcheck Enabled for Local Packages | Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. |
yum should be configured to verify the signature(s) of local packages
prior to installation. To configure yum to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf . |
To verify that localpkg_gpgcheck is configured properly, run the following command: $ grep localpkg_gpgcheck /etc/yum.conf The output should return something similar to: localpkg_gpgcheck=1 Is it the case that gpgcheck is not enabled or configured correctly to verify local packages? |
SRG-OS-000366-GPOS-00153 |
CCI-001749 |
|
xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow | medium | Verify Group Who Owns /etc/cron.allow file | If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. | If /etc/cron.allow exists, it must be group-owned by root .
To properly set the group owner of /etc/cron.allow , run the command:
$ sudo chgrp root /etc/cron.allow |
To check the group ownership of /etc/cron.allow, run the command: $ ls -lL /etc/cron.allow If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/cron.allow does not have a group owner of root? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_groupownership_home_directories | medium | All Interactive User Home Directories Must Be Group-Owned By The Primary User | If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. | Change the group owner of interactive users home directory to the
group found in /etc/passwd . To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USERThis rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory. |
To verify the assigned home directory of all interactive users is group- owned by that users primary GID, run the following command: # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) Is it the case that the group ownership is incorrect? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_owner_cron_allow | medium | Verify User Who Owns /etc/cron.allow file | If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. | If /etc/cron.allow exists, it must be owned by root .
To properly set the owner of /etc/cron.allow , run the command:
$ sudo chown root /etc/cron.allow |
To check the ownership of /etc/cron.allow, run the command: $ ls -lL /etc/cron.allow If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.allow does not have an owner of root? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_ownership_home_directories | medium | All Interactive User Home Directories Must Be Owned By The Primary User | If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files. | Change the owner of interactive users home directories to that correct
owner. To change the owner of a interactive users home directory, use
the following command:
$ sudo chown USER /home/USERThis rule ensures every home directory related to an interactive user is owned by an interactive user. It also ensures that interactive users are owners of one and only one home directory. |
To verify the home directory ownership, run the following command: # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) Is it the case that the user ownership is incorrect? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit | medium | System Audit Logs Must Be Owned By Root | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. | All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit , run the command:
$ sudo chown root /var/log/auditTo properly set the owner of /var/log/audit/* , run the command:
$ sudo chown root /var/log/audit/* |
To properly set the owner of /var/log/audit, run the command: $ sudo chown root /var/log/audit To properly set the owner of /var/log/audit/*, run the command: $ sudo chown root /var/log/audit/* Is it the case that ? |
SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084 |
CCI-000162 CCI-000163 CCI-000164 CCI-001314 |
AU-9 AU-9 AU-9 SI-11 c |
xccdf_org.ssgproject.content_rule_file_permission_user_init_files | medium | Ensure All User Initialization Files Have Mode 0740 Or Less Permissive | Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. | Set the mode of the user initialization files to 0740 with the
following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE |
To verify that all user initialization files have a mode of 0740 or less permissive, run the following command: $ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) There should be no output. Is it the case that they are not 0740 or more permissive? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_permissions_home_directories | medium | All Interactive User Home Directories Must Have mode 0750 Or Less Permissive | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. | Change the mode of interactive users home directories to 0750 . To
change the mode of interactive users home directory, use the
following command:
$ sudo chmod 0750 /home/USER |
To verify the assigned home directory of all interactive user home directories have a mode of 0750 or less permissive, run the following command: $ sudo ls -l /home Inspect the output for any directories with incorrect permissions. Is it the case that they are more permissive? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key | medium | Verify Permissions on SSH Server Private *_key Key Files | If an unauthorized user obtains the private SSH host key file, the host could be impersonated. | SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter. |
To check the permissions of /etc/ssh/*_key, run the command: $ ls -l /etc/ssh/*_key If properly configured, the output should indicate the following permissions: -rw------- Is it the case that /etc/ssh/*_key does not have unix mode -rw-------? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key | medium | Verify Permissions on SSH Server Public *.pub Key Files | If a public host key file is modified by an unauthorized user, the SSH service may be compromised. | To properly set the permissions of /etc/ssh/*.pub , run the command: $ sudo chmod 0644 /etc/ssh/*.pub |
To check the permissions of /etc/ssh/*.pub, run the command: $ ls -l /etc/ssh/*.pub If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned | medium | Ensure All Files Are Owned by a Group | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. | If any files are not owned by a group, then the
cause of their lack of group-ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group. The following command will discover and print
any files on local partitions which do not belong to a valid group:
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroupTo search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition: $ sudo find PARTITION -xdev -nogroup |
The following command will discover and print any files on local partitions which do not belong to a valid group. $ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup Either remove all files and directories from the system that do not have a valid group, or assign a valid group with the chgrp command: $ sudo chgrp group file Is it the case that there is output? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 |
CCI-000366 CCI-002165 |
CM-6 b |
xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit | medium | System Audit Logs Must Have Mode 0640 or Less Permissive | If users can write to audit logs, audit trails can be modified or destroyed. |
If log_group in /etc/audit/auditd.conf is set to a group other than the
root
group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file Otherwise, change the mode of the audit log files with the following command: $ sudo chmod 0600 audit_file |
Run the following command to check the mode of the system audit logs: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file=/var/log/audit/audit.log $ sudo stat -c "%n %a" /var/log/audit/* $ sudo ls -l /var/log/audit Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? |
SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084 |
CCI-000162 CCI-000163 CCI-000164 CCI-001314 |
AU-9 AU-9 AU-9 SI-11 c |
xccdf_org.ssgproject.content_rule_gid_passwd_group_same | low | All GIDs referenced in /etc/passwd must be defined in /etc/group | If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group. | Add a group to the system for each GID referenced without a corresponding group. | To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: $ sudo pwck -qr There should be no output. Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group? |
SRG-OS-000104-GPOS-00051 |
CCI-000764 |
IA-2 |
xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login | high | Disable GDM Automatic Login | Failure to restrict system access to authenticated users negatively impacts operating system security. | The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the AutomaticLoginEnable to false in the
[daemon] section in /etc/gdm/custom.conf . For example:
[daemon] AutomaticLoginEnable=false |
To verify that automatic logins are disabled, run the following command: $ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf The output should show the following: [daemon] AutomaticLoginEnable=false Is it the case that GDM allows users to automatically login? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login | high | Disable GDM Guest Login | Failure to restrict system access to authenticated users negatively impacts operating system security. | The GNOME Display Manager (GDM) can allow users to login without credentials
which can be useful for public kiosk scenarios. Allowing users to login without credentials
or "guest" account access has inherent security risks and should be disabled. To do disable
timed logins or guest account access, set the TimedLoginEnable to false in
the [daemon] section in /etc/gdm/custom.conf . For example:
[daemon] TimedLoginEnable=false |
To verify that timed logins are disabled, run the following command: $ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf The output should show the following: [daemon] TimedLoginEnable=false Is it the case that GDM allows a guest to login without credentials? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_grub2_admin_username | medium | Set the Boot Loader Admin Username to a Non-Default Value | Having a non-default grub superuser username makes password-guessing attacks less effective. | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.
Do not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL |
To verify the boot loader superuser account has been set, run the following command: sudo grep -A1 "superusers" /boot/grub2/grub.cfg The output should show the following: set superusers="superusers-account" export superusers where superusers-account is the actual account name different from common names like root, admin, or administrator and different from any other existing user name. Is it the case that superuser account is not set or is set to root, admin, administrator or any other existing user name? |
SRG-OS-000080-GPOS-00048 |
CCI-000213 |
AC-3 |
xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | high | Enable FIPS Mode in GRUB2 | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. | To ensure FIPS mode is enabled, install package dracut-fips , and rebuild initramfs by running the following commands:
$ sudo yum install dracut-fips dracut -fAfter the dracut command has been run, add the argument fips=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub , in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -ocommand as follows:
|
To verify that FIPS is enabled properly in grub, run the following command: $ grep fips /etc/default/grub The output should contain fips=1 Is it the case that FIPS is not configured or enabled in grub? |
SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000185-GPOS-00079 SRG-OS-000396-GPOS-00176 SRG-OS-000478-GPOS-00223 SRG-OS-000405-GPOS-00184 |
CCI-000068 CCI-000803 CCI-001199 CCI-002450 CCI-002476 |
AC-17 (2) IA-7 SC-28 |
xccdf_org.ssgproject.content_rule_grub2_no_removeable_media | medium | Boot Loader Is Not Installed On Removeable Media | Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. | The system must not allow removable media to be used as the boot loader.
Remove alternate methods of booting the system from removable media.
usb0 , cd , fd0 , etc. are some examples of removeable
media which should not exist in the line:
set root='hd0,msdos1' |
To verify the system is not configured to use a boot loader on removable media, run the following command: $ sudo grep "set root='hd0" /boot/grub2/grub.cfg The output should return something similar to: set root='hd0,msdos1' usb0, cd, fd0, etc. are some examples of removeable media which should not exist in the line: set root='hd0,msdos1' Is it the case that it is not? |
SRG-OS-000364-GPOS-00151 SRG-OS-000365-GPOS-00152 |
CCI-001813 CCI-001814 |
|
xccdf_org.ssgproject.content_rule_grub2_password | high | Set Boot Loader Password in grub2 | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
First, check whether the password is defined in either /boot/grub2/user.cfg or /boot/grub2/grub.cfg. Run the following commands: $ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub2/user.cfg $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub2/grub.cfg Second, check that a superuser is defined in /boot/grub2/grub.cfg. $ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' /boot/grub2/grub.cfg Is it the case that it does not produce any output? |
SRG-OS-000080-GPOS-00048 |
CCI-000213 |
AC-3 |
xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username | medium | Set the UEFI Boot Loader Admin Username to a Non-Default Value | Having a non-default grub superuser username makes password-guessing attacks less effective. | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.
It is highly suggested not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL |
To verify the boot loader superuser account has been set, run the following command: sudo grep -A1 "superusers" /boot/efi/EFI/redhat/grub.cfg The output should show the following: set superusers="superusers-account" export superusers where superusers-account is the actual account name different from common names like root, admin, or administrator and different from any other existing user name. Is it the case that superuser account is not set or is set to an existing name or to a common name? |
SRG-OS-000080-GPOS-00048 |
CCI-000213 |
AC-3 |
xccdf_org.ssgproject.content_rule_grub2_uefi_password | high | Set the UEFI Boot Loader Password | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
To verify the boot loader superuser password has been set, run the following command: $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/efi/EFI/redhat/user.cfg The output should be similar to: GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that no password is set? |
SRG-OS-000080-GPOS-00048 |
CCI-000213 |
AC-3 |
xccdf_org.ssgproject.content_rule_install_antivirus | high | Install Virus Scanning Software | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. | Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail. | Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. Is it the case that there is no anti-virus solution installed on the system? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 CCI-001239 CCI-001668 |
CM-6 b SI-3 a SI-3 a |
xccdf_org.ssgproject.content_rule_install_smartcard_packages | medium | Install Smart Card Packages For Multifactor Authentication | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. |
Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
The pam_pkcs11 package can be installed with the following command:
$ sudo yum install pam_pkcs11 |
Check that Oracle Linux 7 has the packages for smart card support installed. Run the following command to determine if the pam_pkcs11 package is installed: $ rpm -q pam_pkcs11 Is it the case that smartcard software is not installed? |
SRG-OS-000105-GPOS-00052 SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162 |
CCI-000765 CCI-001948 CCI-001953 CCI-001954 |
IA-2 (1) |
xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported | high | The Installed Operating System Is Vendor Supported | An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. | The installed operating system must be maintained by a vendor. Oracle Linux is supported by Oracle Corporation. As the Oracle Linux vendor, Oracle Corporation is responsible for providing security patches. | To verify that the installed operating system is supported, run the following command: $ grep -i "oracle" /etc/oracle-release Oracle Linux 7 Is it the case that the installed operating system is not supported? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled | medium | Disable DCCP Support | Disabling DCCP protects the system against exploitation of any flaws in its implementation. | The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf :
install dccp /bin/trueTo configure the system to prevent the dccp from being used,
add the following line to file /etc/modprobe.d/dccp.conf :
blacklist dccp |
If the system is configured to prevent the loading of the dccp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. These lines can also instruct the module loading system to ignore the dccp kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? |
SRG-OS-000378-GPOS-00163 |
CCI-001958 |
|
xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled | medium | Disable Modprobe Loading of USB Storage Driver | USB storage devices such as thumb drives can be used to introduce malicious software. | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf :
install usb-storage /bin/trueTo configure the system to prevent the usb-storage from being used,
add the following line to file /etc/modprobe.d/usb-storage.conf :
blacklist usb-storageThis will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
If the system is configured to prevent the loading of the usb-storage kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 |
CCI-000366 CCI-000778 CCI-001958 |
CM-6 b IA-3 |
xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels | medium | Verify Any Configured IPSec Tunnel Connections | IP tunneling mechanisms can be used to bypass network filtering. | Libreswan provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. As such, IPsec can be used to circumvent certain
network requirements such as filtering. Verify that if any IPsec connection
(conn ) configured in /etc/ipsec.conf and /etc/ipsec.d
exists is an approved organizational connection. |
Verify that Oracle Linux 7 does not have unauthorized IP tunnels configured. If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: # systemctl status ipsec ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) Active: inactive (dead) If the "IPsec" service is active, check for configured IPsec connections (conn), perform the following: grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ Verify any returned results for organizational approval. Is it the case that the IPSec tunnels are not approved? |
CCI-000336 |
CM-4 (2) |
|
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev | medium | Add nodev Option to /dev/shm | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
The nodev mount option can be used to prevent creation of device
files in /dev/shm . Legitimate character and block devices should
not exist within temporary directories like /dev/shm .
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm . |
Verify the nodev option is configured for the /dev/shm mount point, run the following command: $ sudo mount | grep '\s/dev/shm\s' . . . /dev/shm . . . nodev . . . Is it the case that the "/dev/shm" file system does not have the "nodev" option set? |
SRG-OS-000368-GPOS-00154 |
CCI-001764 |
|
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec | medium | Add noexec Option to /dev/shm | Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise. |
The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm .
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm .
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm . |
Verify the noexec option is configured for the /dev/shm mount point, run the following command: $ sudo mount | grep '\s/dev/shm\s' . . . /dev/shm . . . noexec . . . Is it the case that the "/dev/shm" file system does not have the "noexec" option set? |
SRG-OS-000368-GPOS-00154 |
CCI-001764 |
|
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid | medium | Add nosuid Option to /dev/shm | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. | The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm . The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm . |
Verify the nosuid option is configured for the /dev/shm mount point, run the following command: $ sudo mount | grep '\s/dev/shm\s' . . . /dev/shm . . . nosuid . . . Is it the case that the "/dev/shm" file system does not have the "nosuid" option set? |
SRG-OS-000368-GPOS-00154 |
CCI-001764 |
|
xccdf_org.ssgproject.content_rule_mount_option_home_nosuid | medium | Add nosuid Option to /home | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. | The nosuid mount option can be used to prevent
execution of setuid programs in /home . The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home . |
Verify the nosuid option is configured for the /home mount point, run the following command: $ sudo mount | grep '\s/home\s' . . . /home . . . nosuid . . . Is it the case that the "/home" file system does not have the "nosuid" option set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems | medium | Mount Remote Filesystems with Kerberos Security | When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. | Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
To verify the sec option is configured for all NFS mounts, run the following command: $ mount | grep "sec=" All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting is not configured, has the 'sys' option added, or does not have all Kerberos options added? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems | medium | Mount Remote Filesystems with noexec | The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. | Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
To verify the noexec option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the noexec setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting does not show? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems | medium | Mount Remote Filesystems with nosuid | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. | Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
To verify the nosuid option is configured for all NFS mounts, run the following command: $ mount | grep nfs All NFS mounts should show the nosuid setting in parentheses. This is not applicable if NFS is not implemented. Is it the case that the setting does not show? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions | medium | Add nosuid Option to Removable Media Partitions | The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. | The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: $ sudo more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_network_configure_name_resolution | medium | Configure Multiple DNS Servers in /etc/resolv.conf | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. |
Determine whether the system is using local or DNS name resolution with the
following command:
$ sudo grep hosts /etc/nsswitch.conf hosts: files dnsIf the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command: $ sudo ls -al /etc/resolv.conf -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.confIf the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, then verify the following: Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf . This provides redundant name resolution services
in the event that a domain server crashes. To configure the system to contain
as least 2 DNS servers, add a corresponding nameserver
ip_address entry in /etc/resolv.conf for each DNS
server where ip_address is the IP address of a valid DNS server.
For example:
search example.com nameserver 192.168.0.1 nameserver 192.168.0.2 |
Verify that DNS servers have been configured properly, perform the following: $ sudo grep nameserver /etc/resolv.conf Is it the case that less than two lines are returned that are not commented out? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_network_sniffer_disabled | medium | Ensure System is Not Acting as a Network Sniffer | Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.
If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel. |
The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISCPromiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev
|
Verify that Promiscuous mode of an interface is disabled, run the following command: $ ip link | grep PROMISC Is it the case that any network device is in promiscuous mode? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_no_empty_passwords | high | Prevent Login to Accounts With Empty Password | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
/etc/pam.d/system-auth and
/etc/pam.d/password-auth
to prevent logins with empty passwords. |
To verify that null passwords cannot be used, run the following command: $ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords. Is it the case that NULL passwords can be used? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow | high | Ensure There Are No Accounts With Blank or Null Passwords | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. | Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadowIf the command returns any results, this is a finding. Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username]Lock an account: $ sudo passwd -l [username] |
To verify that null passwords cannot be used, run the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow If this produces any output, it may be possible to log into accounts with empty passwords. Is it the case that Blank or NULL passwords can be used? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_no_files_unowned_by_user | medium | Ensure All Files Are Owned by a User | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. | If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user. The following command will discover and print
any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouserTo search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition: $ sudo find PARTITION -xdev -nouser |
The following command will discover and print any files on local partitions which do not belong to a valid user. $ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command: $ sudo chown user file Is it the case that files exist that are not owned by a valid user? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 |
CCI-000366 CCI-002165 |
CM-6 b |
xccdf_org.ssgproject.content_rule_no_host_based_files | high | Remove Host-Based Authentication Files | The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. | The shosts.equiv file list remote hosts
and users that are trusted by the local system.
To remove these files, run the following command to delete them from any
location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv |
Verify that there are no shosts.equiv files on the system, run the following command: $ find / -name shosts.equiv Is it the case that shosts.equiv files exist? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_no_user_host_based_files | high | Remove User Host-Based Authentication Files | The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. | The ~/.shosts (in each user's home directory) files
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete |
To verify that there are no .shosts files on the system, run the following command: $ sudo find / -name '.shosts' Is it the case that .shosts files exist? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_package_aide_installed | medium | Install AIDE | The AIDE package must be installed if it is to be available for integrity checking. | The aide package can be installed with the following command:
$ sudo yum install aide |
Run the following command to determine if the aide package is installed: $ rpm -q aide Is it the case that the package is not installed? |
SRG-OS-000445-GPOS-00199 SRG-OS-000446-GPOS-00200 SRG-OS-000363-GPOS-00150 |
CCI-002696 CCI-002699 CCI-001744 |
|
xccdf_org.ssgproject.content_rule_package_mcafeetp_installed | medium | Install McAfee Endpoint Security for Linux (ENSL) | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. | Install McAfee Endpoint Security for Linux antivirus software
which is provided for DoD systems and uses signatures to search for the
presence of viruses on the filesystem.
The McAfeeTP package can be installed with the following command:
$ sudo yum install McAfeeTP |
Run the following command to determine if the McAfeeTP package is installed: $ rpm -q McAfeeTP Is it the case that the package is not installed? |
SRG-OS-000191-GPOS-00080 |
CCI-001233 |
SI-2 (2) |
xccdf_org.ssgproject.content_rule_package_openssh-server_installed | medium | Install the OpenSSH Server Package | Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. | The openssh-server package should be installed.
The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server |
Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server Is it the case that the package is not installed? |
SRG-OS-000423-GPOS-00187 SRG-OS-000481-GPOS-00481 SRG-OS-000425-GPOS-00189 SRG-OS-000424-GPOS-00188 SRG-OS-000426-GPOS-00190 |
CCI-002418 CCI-002420 CCI-002421 CCI-002422 |
|
xccdf_org.ssgproject.content_rule_package_rsh-server_removed | high | Uninstall rsh-server Package | The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation. |
The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server |
Run the following command to determine if the rsh-server package is installed: $ rpm -q rsh-server Is it the case that the package is installed? |
SRG-OS-000095-GPOS-00049 |
CCI-000381 |
CM-7 |
xccdf_org.ssgproject.content_rule_package_telnet-server_removed | high | Uninstall telnet-server Package | It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. |
The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server |
Run the following command to determine if the telnet-server package is installed: $ rpm -q telnet-server Is it the case that the package is installed? |
SRG-OS-000095-GPOS-00049 |
CCI-000381 |
CM-7 |
xccdf_org.ssgproject.content_rule_package_tftp-server_removed | high | Uninstall tftp-server Package | Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established. |
The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server |
Run the following command to determine if the tftp-server package is installed: $ rpm -q tftp-server Is it the case that the package is installed? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000362-GPOS-00149 SRG-OS-000364-GPOS-00151 SRG-OS-000365-GPOS-00152 |
CCI-000318 CCI-000366 CCI-000368 CCI-001812 CCI-001813 CCI-001814 |
CM-3 e CM-6 b CM-6 c |
xccdf_org.ssgproject.content_rule_package_vsftpd_removed | high | Uninstall vsftpd Package | Removing the vsftpd package decreases the risk of its
accidental activation. |
The vsftpd package can be removed with the following command: $ sudo yum erase vsftpd |
Run the following command to determine if the vsftpd package is installed: $ rpm -q vsftpd Is it the case that the package is installed? |
SRG-OS-000074-GPOS-00042 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000095-GPOS-00049 |
CCI-000197 CCI-000366 CCI-000381 |
IA-5 (1) (c) CM-6 b CM-7 |
xccdf_org.ssgproject.content_rule_package_ypserv_removed | high | Uninstall ypserv Package | The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
remote session.
Removing the ypserv package decreases the risk of the accidental
(or intentional) activation of NIS or NIS+ services. |
The ypserv package can be removed with the following command:
$ sudo yum erase ypserv |
Run the following command to determine if the ypserv package is installed: $ rpm -q ypserv Is it the case that the package is installed? |
SRG-OS-000095-GPOS-00049 |
CCI-000381 |
CM-7 |
xccdf_org.ssgproject.content_rule_partition_for_home | low | Ensure /home Located On Separate Partition | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. |
If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. |
Verify that a separate file system/partition has been created for /home with the following command: $ mountpoint /home Is it the case that "/home is not a mountpoint" is returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 CCI-001208 |
CM-6 b SC-32 |
xccdf_org.ssgproject.content_rule_partition_for_tmp | low | Ensure /tmp Located On Separate Partition | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
Verify that a separate file system/partition has been created for /tmp with the following command: $ mountpoint /tmp Is it the case that "/tmp is not a mountpoint" is returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_partition_for_var | low | Ensure /var Located On Separate Partition | Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. |
The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. |
Verify that a separate file system/partition has been created for /var with the following command: $ mountpoint /var Is it the case that "/var is not a mountpoint" is returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | low | Ensure /var/log/audit Located On Separate Partition | Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. |
Audit logs are stored in the /var/log/audit directory.
Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon. |
Verify that a separate file system/partition has been created for /var/log/audit with the following command: $ mountpoint /var/log/audit Is it the case that "/var/log/audit is not a mountpoint" is returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000341-GPOS-00132 |
CCI-000366 CCI-001849 |
CM-6 b |
xccdf_org.ssgproject.content_rule_passwd_system-auth_substack | medium | Configure PAMs passwd Module To Implement system-auth Substack When Changing Passwords | Including system-auth from the passwd module ensures that the user must pass through the PAM configuration for system authentication as found in /etc/pam.d/system-auth when changing passwords. | Verify that pam is configured to use /etc/pam.d/system-auth
when changing passwords. Look for the following line in /etc/pam.d/passwd :
password substack system-auth |
To verify that PAM implements system-auth when changing passwords run the following command: # cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth password substack system-auth Is it the case that /etc/pam.d/passwd does not implement /etc/pam.d/system-auth? |
SRG-OS-000069-GPOS-00037 |
CCI-000192 |
IA-5 (1) (a) |
xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay | medium | Prevent Unrestricted Mail Relaying | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. | Modify the /etc/postfix/main.cffile to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' |
Verify that Oracle Linux 7 is configured to prevent unrestricted mail relaying, run the following command: $ sudo postconf -n smtpd_client_restrictions Is it the case that the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_require_emergency_target_auth | medium | Require Authentication for Emergency Systemd Target | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service . |
To check if authentication is required for emergency mode, run the following command: $ grep sulogin /usr/lib/systemd/system/emergency.service The output should be similar to the following, and the line must begin with ExecStart and /sbin/sulogin. ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" Then, check if the emergency target requires the emergency service: Run the following command: $ sudo grep Requires /usr/lib/systemd/system/emergency.target The output should be the following: Requires=emergency.service Then, check if there is no custom emergency target configured in systemd configuration. Run the following command: $ sudo grep -r emergency.target /etc/systemd/system/ The output should be empty. Then, check if there is no custom emergency service configured in systemd configuration. Run the following command: $ sudo grep -r emergency.service /etc/systemd/system/ The output should be empty. Is it the case that the output is different? |
SRG-OS-000080-GPOS-00048 |
CCI-000213 |
AC-3 |
xccdf_org.ssgproject.content_rule_require_singleuser_auth | medium | Require Authentication for Single User Mode | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.
By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service . |
To check if authentication is required for single-user mode, run the following command: $ grep sulogin /usr/lib/systemd/system/rescue.service The output should be similar to the following, and the line must begin with ExecStart and /sbin/sulogin. ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" Then, verify that the rescue service is in the runlevel1.target. Run the following command: $ sudo grep "^Requires=.*rescue\.service" /usr/lib/systemd/system/runlevel1.target The output should be the following: Requires=sysinit.target rescue.service Then, check if there is no custom runlevel1 target configured in systemd configuration. Run the following command: $ sudo grep -r "^runlevel1.target$" /etc/systemd/system There should be no output. Then, check if there is no custom rescue service configured in systemd configuration. Run the following command: $ sudo grep -r "^rescue.service$" /etc/systemd/system There should be no output. Is it the case that the output is different? |
SRG-OS-000080-GPOS-00048 |
CCI-000213 |
AC-3 |
xccdf_org.ssgproject.content_rule_rpm_verify_hashes | high | Verify File Hashes with RPM | The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. | Without cryptographic integrity protections, system
executables and files can be altered by unauthorized users without
detection.
The RPM package management system can check the hashes of
installed software packages, including many that are important to system
security.
To verify that the cryptographic hash of system files and commands matches vendor
values, run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
$ rpm -Va --noconfig | grep '^..5'A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file: $ rpm -qf FILENAMEThe package can be reinstalled from a yum repository using the command: $ sudo yum reinstall PACKAGENAMEAlternatively, the package can be reinstalled from trusted media using the command: $ sudo rpm -Uvh PACKAGENAME |
The following command will list which files on the system have file hashes different from what is expected by the RPM database. $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' Is it the case that there is output? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000366-GPOS-00153 |
CCI-000366 CCI-001749 |
CM-6 b |
xccdf_org.ssgproject.content_rule_rpm_verify_ownership | high | Verify and Correct Ownership with RPM | Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated. | The RPM package management system can check file ownership
permissions of installed software packages, including many that are
important to system security. After locating a file with incorrect
permissions, which can be found with
rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'run the following command to determine which package owns it: $ rpm -qf FILENAMENext, run the following command to reset its permissions to the correct values: $ sudo rpm --setugids PACKAGENAME |
The following command will list which files on the system have ownership different from what is expected by the RPM database: $ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }' Is it the case that there is output? |
SRG-OS-000257-GPOS-00098 SRG-OS-000278-GPOS-00108 |
CCI-001494 CCI-001496 |
AU-9 AU-9 (3) |
xccdf_org.ssgproject.content_rule_rpm_verify_permissions | high | Verify and Correct File Permissions with RPM | Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated. | The RPM package management system can check file access permissions
of installed software packages, including many that are important
to system security.
Verify that the file permissions of system files
and commands match vendor values. Check the file permissions
with the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: $ rpm -qf FILENAME Next, run the following command to reset its permissions to the correct values: $ sudo rpm --setperms PACKAGENAME |
The following command will list which files on the system have permissions different from what is expected by the RPM database: $ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' Is it the case that there is output? |
SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000278-GPOS-00108 |
CCI-001493 CCI-001494 CCI-001495 CCI-001496 |
AU-9 AU-9 AU-9 AU-9 (3) |
xccdf_org.ssgproject.content_rule_rsyslog_cron_logging | medium | Ensure cron Is Logging To Rsyslog | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. | Cron logging must be implemented to spot intrusions or trace
cron job status. If cron is not logging to rsyslog , it
can be implemented by adding the following to the RULES section of
/etc/rsyslog.conf :
cron.* /var/log/cron |
Verify that cron is logging to rsyslog, run the following command: grep -rni "cron\.\*" /etc/rsyslog.* cron.* /var/log/cron Is it the case that cron is not logging to rsyslog? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_rsyslog_nolisten | medium | Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server | Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network. | The rsyslog daemon should not accept remote messages
unless the system acts as a log server.
To ensure that it is not listening on the network, ensure the following lines are
not found in /etc/rsyslog.conf :
$ModLoad imtcp $InputTCPServerRun port $ModLoad imudp $UDPServerRun port $ModLoad imrelp $InputRELPServerRun port |
Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server. Display the contents of the configuration file: cat /etc/rsyslog.conf $ModLoad imtcp $InputTCPServerRun port $ModLoad imudp $UDPServerRun port $ModLoad imrelp $InputRELPServerRun port If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation. Is it the case that rsyslog accepts remote messages and is not documented as a log aggregation system? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000362-GPOS-00149 SRG-OS-000364-GPOS-00151 SRG-OS-000365-GPOS-00152 |
CCI-000318 CCI-000366 CCI-000368 CCI-001812 CCI-001813 CCI-001814 |
CM-3 e CM-6 b CM-6 c |
xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost | medium | Ensure Logs Sent To Remote Host | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. | To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery: *.* @ To use TCP for log message delivery: *.* @@ To use RELP for log message delivery: *.* :omrelp: There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. |
To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present: *.* @ If using TCP, a line similar to the following should be present: *.* @@ If using RELP, a line similar to the following should be present: *.* :omrelp: Is it the case that no evidence that the audit logs are being off-loaded to another system or media? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224 |
CCI-000366 CCI-001348 CCI-000136 CCI-001851 |
CM-6 b AU-9 (2) AU-3 (2) |
xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login | medium | Disable the ssh_sysadm_login SELinux Boolean | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. | By default, the SELinux boolean ssh_sysadm_login is disabled.
If this setting is enabled, it should be disabled.
To disable the ssh_sysadm_login SELinux boolean, run the following command:
$ sudo setsebool -P ssh_sysadm_login off |
Run the following command to determine if the ssh_sysadm_login SELinux boolean is disabled: $ getsebool ssh_sysadm_login If properly configured, the output should show the following: ssh_sysadm_login --> off Is it the case that ssh_sysadm_login is not disabled? |
SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 |
CCI-002165 CCI-002235 |
|
xccdf_org.ssgproject.content_rule_security_patches_up_to_date | medium | Ensure Software Patches Installed | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. |
If the system is joined to the ULN
or a yum server, run the following command to install updates:
$ sudo yum updateIf the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the ULN and installed using rpm .
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 CCI-001227 |
CM-6 b SI-2 a |
|
xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled | medium | Ensure No Device Files are Unlabeled by SELinux | If a device file carries the SELinux type device_t or
unlabeled_t , then SELinux cannot properly restrict access to the
device file. |
Device files, which are used for communication with important system
resources, should be labeled with proper SELinux types. If any device files
carry the SELinux type device_t or unlabeled_t , report the
bug so that policy can be corrected. Supply information about what the
device is and what programs use it.
To check for incorrectly labeled device files, run following commands: $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" $ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"It should produce no output in a well-configured system. |
To check for incorrectly labeled device files, run following commands: $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" $ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" It should produce no output in a well-configured system. Is it the case that there is output? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000362-GPOS-00149 SRG-OS-000364-GPOS-00151 SRG-OS-000365-GPOS-00152 |
CCI-000022 CCI-000032 CCI-000318 CCI-000366 CCI-000368 CCI-001812 CCI-001813 CCI-001814 |
AC-3 (3) (a) AC-4 (8) CM-3 e CM-6 b CM-6 c |
xccdf_org.ssgproject.content_rule_selinux_confine_to_least_privilege | medium | Confine SELinux Users To Roles That Conform To Least Privilege | Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. |
Configure the operating system to confine SELinux users to roles that conform
to least privilege. Use the following command to map the "staff_u" SELinux user
to the "staff_r" and "sysadm_r" roles:
$ sudo semanage user -m staff_u -R staff_r -R sysadm_r Use the following command to map the "user_u" SELinux user to the "user_r" role: $ sudo semanage -m user_u -R user_r |
Verify the operating system confines SELinux users to roles that conform to least privilege. Check the SELinux User list to SELinux Roles mapping by using the following command: sudo semanage user -l The output should look like this: SELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles guest_u user s0 s0 guest_r root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r sysadm_u user s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r unconfined_r unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r xguest_u user s0 s0 xguest_r Is it the case that selinux users are not confined to least privilege? |
SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 |
CCI-002165 CCI-002235 |
|
xccdf_org.ssgproject.content_rule_selinux_context_elevation_for_sudo | medium | Elevate The SELinux Context When An Administrator Calls The Sudo Command | Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. |
Configure the operating system to elevate the SELinux context when an administrator calls
the sudo command.
Edit a file in the /etc/sudoers.d directory with the following command:
sudo visudo -f /etc/sudoers.d/CUSTOM_FILEUse the following example to build the CUSTOM_FILE in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command: %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL |
Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command: This command must be ran as root: grep sysadm_r /etc/sudoers.d/* %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL Is it the case that selinux context does not elevate when running sudo command? |
SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 |
CCI-002165 CCI-002235 |
|
xccdf_org.ssgproject.content_rule_selinux_policytype | medium | Configure SELinux Policy | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
. |
The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config :
SELINUXTYPE=Other policies, such as mls , provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
Verify the SELINUX on Oracle Linux 7 is using the policy with the following command: $ sestatus | grep policy Loaded policy name: Is it the case that the loaded policy name is not "<sub idref="var_selinux_policy_name" />"? |
SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000445-GPOS-00199 |
CCI-002165 CCI-002696 |
|
xccdf_org.ssgproject.content_rule_selinux_state | medium | Ensure SELinux State is Enforcing | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. | The SELinux state should be set to at
system boot time. In the file /etc/selinux/config , add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX= |
Ensure that Oracle Linux 7 verifies correct operation of security functions. Check if "SELinux" is active and in "" mode with the following command: $ sudo getenforce Is it the case that SELINUX is not set to enforcing? |
SRG-OS-000134-GPOS-00068 SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000445-GPOS-00199 |
CCI-001084 CCI-002165 CCI-002696 |
SC-3 |
xccdf_org.ssgproject.content_rule_selinux_user_login_roles | medium | Map System Users To The Appropriate SELinux Role | Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. |
Configure the operating system to prevent non-privileged users from executing
privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures. All administrators must be
mapped to the sysadm_u or staff_u users with the
appropriate domains (sysadm_t and staff_t ).
$ sudo semanage login -m -s sysadm_u USERor $ sudo semanage login -m -s staff_u USER All authorized non-administrative users must be mapped to the user_u role or the appropriate domain
(user_t).
$ sudo semanage login -m -s user_u USER |
To verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, run the following command: $ sudo semanage login -l All administrators must be mapped to the sysadm_u or staff_u users with the appropriate domains (sysadm_t and staff_t). All authorized non-administrative users must be mapped to the user_u role or the appropriate domain (user_t). Is it the case that non-admin users are not confined correctly? |
SRG-OS-000312-GPOS-00122 SRG-OS-000312-GPOS-00123 SRG-OS-000312-GPOS-00124 SRG-OS-000324-GPOS-00125 |
CCI-002165 CCI-002235 |
|
xccdf_org.ssgproject.content_rule_service_auditd_enabled | medium | Enable auditd Service | Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service |
Run the following command to determine the current status of the auditd service: $ sudo systemctl is-active auditd If the service is running, it should return the following: active Is it the case that the auditd service is not running? |
SRG-OS-000037-GPOS-00015 SRG-OS-000038-GPOS-00016 SRG-OS-000039-GPOS-00017 SRG-OS-000040-GPOS-00018 SRG-OS-000041-GPOS-00019 SRG-OS-000042-GPOS-00020 SRG-OS-000042-GPOS-00021 SRG-OS-000051-GPOS-00024 SRG-OS-000054-GPOS-00025 SRG-OS-000064-GPOS-00033 SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000470-GPOS-00214 SRG-OS-000471-GPOS-00215 SRG-OS-000471-GPOS-00216 SRG-OS-000472-GPOS-00217 SRG-OS-000473-GPOS-00218 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220 SRG-OS-000476-GPOS-00221 SRG-OS-000477-GPOS-00222 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000254-GPOS-00095 SRG-OS-000255-GPOS-00096 SRG-OS-000365-GPOS-00152 SRG-OS-000348-GPOS-00136 SRG-OS-000122-GPOS-00063 SRG-OS-000349-GPOS-00137 SRG-OS-000392-GPOS-00172 SRG-OS-000350-GPOS-00138 SRG-OS-000351-GPOS-00139 SRG-OS-000352-GPOS-00140 SRG-OS-000353-GPOS-00141 SRG-OS-000354-GPOS-00142 SRG-OS-000358-GPOS-00145 SRG-OS-000337-GPOS-00129 SRG-OS-000062-GPOS-00031 |
CCI-000126 CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000135 CCI-000154 CCI-000158 CCI-000172 CCI-000366 CCI-001464 CCI-001487 CCI-001814 CCI-001875 CCI-001876 CCI-001877 CCI-002884 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001889 CCI-001914 CCI-000169 |
AU-2 d AU-3 AU-3 AU-3 AU-3 AU-3 AU-3 (1) AU-6 (4) AU-7 (1) AU-12 c CM-6 b AU-14 (1) AU-3 AU-12 a |
xccdf_org.ssgproject.content_rule_service_autofs_disabled | medium | Disable the Automounter | Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab .
Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity. |
The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd .
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service |
To check that the autofs service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled autofs Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled autofs disabled Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active autofs If the service is not running the command will return the following output: inactive The service will also be masked, to check that the autofs is masked, run the following command: $ sudo systemctl show autofs | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "autofs" is loaded and not masked? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000114-GPOS-00059 SRG-OS-000378-GPOS-00163 |
CCI-000366 CCI-000778 CCI-001958 |
CM-6 b IA-3 |
xccdf_org.ssgproject.content_rule_service_firewalld_enabled | medium | Verify firewalld Enabled | Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service |
Run the following command to determine the current status of the firewalld service: $ sudo systemctl is-active firewalld If the service is running, it should return the following: active Is it the case that the "firewalld" service is disabled, masked, or not started.? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000096-GPOS-00050 SRG-OS-000297-GPOS-00115 |
CCI-000366 CCI-000382 CCI-002314 |
CM-6 b CM-7 |
xccdf_org.ssgproject.content_rule_service_kdump_disabled | medium | Disable KDump Kernel Crash Analyzer (kdump) | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. | The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service |
To check that the kdump service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled kdump Output should indicate the kdump service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled kdump disabled Run the following command to verify kdump is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active kdump If the service is not running the command will return the following output: inactive The service will also be masked, to check that the kdump is masked, run the following command: $ sudo systemctl show kdump | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "kdump" is loaded and not masked? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000269-GPOS-00103 |
CCI-000366 CCI-001665 |
CM-6 b SC-24 |
xccdf_org.ssgproject.content_rule_service_sshd_enabled | medium | Enable the OpenSSH Service | Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. |
The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service |
Run the following command to determine the current status of the sshd service: $ sudo systemctl is-active sshd If the service is running, it should return the following: active Is it the case that sshd service is disabled? |
SRG-OS-000423-GPOS-00187 SRG-OS-000481-GPOS-00481 SRG-OS-000425-GPOS-00189 SRG-OS-000424-GPOS-00188 SRG-OS-000426-GPOS-00190 |
CCI-002418 CCI-002420 CCI-002421 CCI-002422 |
|
xccdf_org.ssgproject.content_rule_set_firewalld_default_zone | medium | Set Default firewalld Zone for Incoming Packets | In firewalld the default zone is applied only after all
the applicable rules in the table are examined for a match. Setting the
default zone to drop implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
To set the default zone to drop for
the built-in default zone which processes incoming IPv4 and IPv6 packets,
modify the following line in
/etc/firewalld/firewalld.conf to be:
DefaultZone=drop |
Inspect the file /etc/firewalld/firewalld.conf to determine the default zone for the firewalld. It should be set to DefaultZone=drop: $ sudo grep DefaultZone /etc/firewalld/firewalld.conf Is it the case that the default zone is not set to DROP? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf | medium | Set Password Hashing Algorithm in /etc/libuser.conf | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
In /etc/libuser.conf , add or correct the following line in its
[defaults] section to ensure the system will use the SHA-512
algorithm for password hashing:
crypt_style = sha512 |
Verify that the libuser is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. Check the hashing algorithm that is being used to hash passwords with the following command: $ sudo grep -i crypt_style /etc/libuser.conf crypt_style = sha512 Is it the case that crypt_style is not set to sha512? |
SRG-OS-000073-GPOS-00041 |
CCI-000196 |
IA-5 (1) (c) |
xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs | medium | Set Password Hashing Algorithm in /etc/login.defs | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Using a stronger hashing algorithm makes password cracking attacks more difficult. |
In /etc/login.defs , add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512 |
Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. Check the hashing algorithm that is being used to hash passwords with the following command: $ sudo grep -i ENCRYPT_METHOD /etc/login.defs ENCRYPT_METHOD SHA512 Is it the case that ENCRYPT_METHOD is not set to SHA512? |
SRG-OS-000073-GPOS-00041 |
CCI-000196 |
IA-5 (1) (c) |
xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth | medium | Set PAM''s Password Hashing Algorithm | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
The PAM system service can be configured to only store encrypted
representations of passwords. In "/etc/pam.d/system-auth", the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512 , as shown
below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
Inspect the password section of /etc/pam.d/system-auth and ensure that the pam_unix.so module is configured to use the argument sha512: $ sudo grep "^password.*pam_unix\.so.*sha512" /etc/pam.d/system-auth password sufficient pam_unix.so sha512 Is it the case that "sha512" is missing, or is commented out? |
SRG-OS-000073-GPOS-00041 SRG-OS-000120-GPOS-00061 |
CCI-000196 CCI-000803 |
IA-5 (1) (c) IA-7 |
xccdf_org.ssgproject.content_rule_smartcard_auth | medium | Enable Smart Card Login | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials. | To enable smart card authentication, consult the documentation at: | Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: SIPRNET systems Standalone systems Application accounts Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT. Is it the case that non-exempt accounts are not using CAC authentication? |
SRG-OS-000104-GPOS-00051 SRG-OS-000105-GPOS-00052 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055 SRG-OS-000109-GPOS-00056 |
CCI-000764 CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000770 CCI-000771 CCI-000772 CCI-000884 |
IA-2 IA-2 (1) IA-2 (2) IA-2 (3) IA-2 (4) IA-2 (5) (b) IA-2 (6) IA-2 (7) MA-4 (4) |
xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking | medium | Configure Smart Card Certificate Status Checking | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. |
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature; |
To verify the operating system implements certificate status checking for PKI authentication, run the following command: $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf The output should return multiple lines similiar to the following: cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; Is it the case that ocsp_on is not configured? |
SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162 |
CCI-001948 CCI-001953 CCI-001954 |
|
xccdf_org.ssgproject.content_rule_snmpd_not_default_password | high | Ensure Default SNMP Password Is Not Used | Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s). | Edit /etc/snmp/snmpd.conf , remove or change the default community strings of
public and private .
This profile configures new read-only community string to and read-write community string to .
Once the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart |
To ensure the default password is not set, run the following command: $ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' There should be no output. Is it the case that the default SNMP passwords public and private have not been changed or removed? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 | high | Allow Only SSH Protocol 2 | SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. | Only SSH protocol version 2 connections should be
permitted. The default setting in
/etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following
line appears:
Protocol 2 |
To check which SSH protocol version is allowed, check version of openssh-server with following command: $ rpm -qi openssh-server | grep Version Versions equal to or higher than 7.4 only allow Protocol 2. If version is lower than 7.4, run the following command to check configuration: $ sudo grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 Is it the case that it is commented out or is not set correctly to Protocol 2? |
SRG-OS-000074-GPOS-00042 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000197 CCI-000366 |
IA-5 (1) (c) CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_disable_compression | medium | Disable Compression Or Set Compression to delayed | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. | Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression |
To check if compression is enabled or set correctly, run the following command: $ sudo grep Compression /etc/ssh/sshd_config If configured properly, output should be no or delayed. Is it the case that it is commented out, or is not set to no or delayed? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords | high | Disable SSH Access via Empty Passwords | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords .
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config :
PermitEmptyPasswords noAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: $ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000106-GPOS-00053 |
CCI-000366 CCI-000766 |
CM-6 b IA-2 (2) |
xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth | medium | Disable GSSAPI Authentication | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for GSSAPIAuthentication .
To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config :
GSSAPIAuthentication no |
To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: $ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000362-GPOS-00149 SRG-OS-000364-GPOS-00151 SRG-OS-000365-GPOS-00152 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000318 CCI-000368 CCI-001812 CCI-001813 CCI-001814 CCI-000366 |
CM-3 e CM-6 c CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth | medium | Disable Kerberos Authentication | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for KerberosAuthentication .
To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config :
KerberosAuthentication no |
To determine how the SSH daemon's KerberosAuthentication option is set, run the following command: $ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000362-GPOS-00149 SRG-OS-000364-GPOS-00151 SRG-OS-000365-GPOS-00152 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000318 CCI-000368 CCI-001812 CCI-001813 CCI-001814 CCI-000366 |
CM-3 e CM-6 c CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts | medium | Disable SSH Support for .rhosts Files | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
The default SSH configuration disables support for .rhosts . The appropriate
configuration is used if no value is set for IgnoreRhosts .
To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config :
IgnoreRhosts yes |
To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: $ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa | medium | Disable SSH Support for Rhosts RSA Authentication | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | SSH can allow authentication through the obsolete rsh
command through the use of the authenticating user's SSH keys. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config :
RhostsRSAAuthentication no |
To check which SSH protocol version is allowed, check version of openssh-server with following command: $ rpm -qi openssh-server | grep Version Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. If version is lower than 7.4, run the following command to check configuration: To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command: $ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_disable_root_login | medium | Disable SSH Root Login | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config :
PermitRootLogin no |
To determine how the SSH daemon's PermitRootLogin option is set, run the following command: $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000109-GPOS-00056 |
CCI-000366 CCI-000770 |
CM-6 b IA-2 (5) (b) |
xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts | medium | Disable SSH Support for User Known Hosts | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. | SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config :
IgnoreUserKnownHosts yes |
To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: $ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding | medium | Disable X11 Forwarding | Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. | The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding .
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config :
X11Forwarding no |
To determine how the SSH daemon's X11Forwarding option is set, run the following command: $ sudo grep -i X11Forwarding /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env | medium | Do Not Allow SSH Environment Options | SSH environment options potentially allow users to bypass access restriction in some configurations. | Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment .
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config :
PermitUserEnvironment no |
To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command: $ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes | medium | Enable Use of Strict Mode Checking | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. | SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate
configuration is used if no value is set for StrictModes .
To explicitly enable StrictModes in SSH, add or correct the following line in
/etc/ssh/sshd_config :
StrictModes yes |
To determine how the SSH daemon's StrictModes option is set, run the following command: $ sudo grep -i StrictModes /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner | medium | Enable SSH Warning Banner | The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. | To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
/etc/ssh/sshd_config :
Banner /etc/issueAnother section contains information on how to create an appropriate system-wide warning banner. |
To determine how the SSH daemon's Banner option is set, run the following command: $ sudo grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000023-GPOS-00006 SRG-OS-000024-GPOS-00007 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 SRG-OS-000228-GPOS-00088 |
CCI-000048 CCI-000050 CCI-001384 CCI-001385 CCI-001386 CCI-001387 CCI-001388 |
AC-8 a AC-8 b AC-8 c AC-8 c AC-8 c AC-8 c AC-8 c |
xccdf_org.ssgproject.content_rule_sshd_print_last_log | medium | Enable SSH Print Last Log | Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. | Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for PrintLastLog .
To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config :
PrintLastLog yes |
To determine how the SSH daemon's PrintLastLog option is set, run the following command: $ sudo grep -i PrintLastLog /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout | medium | Set SSH Idle Timeout Interval | Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. | SSH allows administrators to set an idle timeout interval. After this interval
has passed, the idle user will be automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config . Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
Run the following command to see what the timeout interval is: $ sudo grep ClientAliveInterval /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveInterval Is it the case that it is commented out or not configured properly? |
SRG-OS-000126-GPOS-00066 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 |
CCI-000879 CCI-001133 CCI-002361 |
MA-4 e SC-10 |
xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0 | medium | Set SSH Client Alive Count Max to zero | This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached. |
The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered idle
and terminated.
To ensure the SSH idle timeout occurs precisely when the
ClientAliveInterval is set, set the ClientAliveCountMax to
value of 0 in
/etc/ssh/sshd_config : |
To ensure ClientAliveInterval is set correctly, run the following command: $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveCountMax 0 In this case, the SSH idle timeout occurs precisely when the ClientAliveInterval is set. Is it the case that it is commented out or not configured properly? |
SRG-OS-000126-GPOS-00066 SRG-OS-000163-GPOS-00072 SRG-OS-000279-GPOS-00109 |
CCI-000879 CCI-001133 CCI-002361 |
MA-4 e SC-10 |
xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers_ordered_stig | medium | Use Only FIPS 140-2 Validated Ciphers | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Oracle Linux 7. |
Limit the ciphers to those algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes256-ctr,aes192-ctr,aes128-ctrThis rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms. |
Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only following ciphers (or a subset) in the exact order: aes256-ctr,aes192-ctr,aes128-ctr Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? |
SRG-OS-000033-GPOS-00014 SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000393-GPOS-00173 SRG-OS-000394-GPOS-00174 |
CCI-000068 CCI-000366 CCI-000803 CCI-000877 CCI-002890 CCI-003123 |
AC-17 (2) CM-6 b IA-7 MA-4 c |
xccdf_org.ssgproject.content_rule_sshd_use_approved_macs_ordered_stig | medium | Use Only FIPS 140-2 Validated MACs | DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. | Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256This rule ensures that there are configured MACs mentioned above (or their subset), keeping the given order of algorithms. |
Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs are in use, run the following command: $ sudo grep -i macs /etc/ssh/sshd_config The output should contain only following MACs (or a subset) in the exact order: MACs Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? |
SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000394-GPOS-00174 |
CCI-000068 CCI-000803 CCI-000877 CCI-001453 CCI-003123 |
AC-17 (2) IA-7 MA-4 c AC-17 (2) |
xccdf_org.ssgproject.content_rule_sshd_use_priv_separation | medium | Enable Use of Privilege Separation | SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section. | When enabled, SSH will create an unprivileged child process that
has the privilege of the authenticated user. To enable privilege separation in
SSH, add or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation |
To check if UsePrivilegeSeparation is enabled or set correctly, run the following command: $ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config If configured properly, output should be . Is it the case that it is commented out or is not enabled? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost | medium | Prevent remote hosts from connecting to the proxy display | When X11 forwarding is enabled, there may be additional exposure to the
server and client displays if the sshd proxy display is configured to listen
on the wildcard address. By default, sshd binds the forwarding server to the
loopback address and sets the hostname part of the DISPLAY
environment variable to localhost. This prevents remote hosts from
connecting to the proxy display. |
The SSH daemon should prevent remote hosts from connecting to the proxy
display.
The default SSH configuration for X11UseLocalhost is yes ,
which prevents remote hosts from connecting to the proxy display.
To explicitly prevent remote connections to the proxy display, add or correct the following line in /etc/ssh/sshd_config :
X11UseLocalhost yes
|
To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: $ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config If a line indicating yes is returned, then the required value is set. Is it the case that the display proxy is listening on wildcard address? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sssd_enable_pam_services | medium | Configure PAM in SSSD Services | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. | SSSD should be configured to run SSSD pam services.
To configure SSSD to known SSH hosts, add pam
to services under the [sssd] section in
/etc/sssd/sssd.conf . For example:
[sssd] services = sudo, autofs, pam |
To verify that SSSD is configured for PAM services, run the following command: $ sudo grep services /etc/sssd/sssd.conf If configured properly, output should be similar to services = pam Is it the case that it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section? |
SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162 |
CCI-001948 CCI-001953 CCI-001954 |
|
xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca | medium | Configure SSSD LDAP Backend Client CA Certificate | Without cryptographic integrity protections, information can be altered by
unauthorized users without detection.
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash. |
Configure SSSD to implement cryptography to protect the
integrity of LDAP remote access sessions. By setting
the ldap_tls_cacertoption in /etc/sssd/sssd.confto point to the path for the X.509 certificates used for peer authentication. ldap_tls_cacert /path/to/tls/ca.cert |
To verify the operating system implements cryptography to protect the integrity of remote ldap access sessions, run the following command: $ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf The output should return the following with a correctly configured CA cert path: ldap_tls_cacert /path/to/tls/ca.cert Is it the case that the TLS CA cert is not configured? |
SRG-OS-000250-GPOS-00093 |
CCI-001453 |
AC-17 (2) |
xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir | medium | Configure SSSD LDAP Backend Client CA Certificate Location | Without cryptographic integrity protections, information can be altered by
unauthorized users without detection.
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash. |
Configure SSSD to implement cryptography to protect the
integrity of LDAP remote access sessions. By setting
the ldap_tls_cacertdiroption in /etc/sssd/sssd.confto point to the path for the X.509 certificates used for peer authentication. ldap_tls_cacertdir /path/to/tls/cacert |
To verify the operating system implements cryptography to protect the integrity of remote ldap access sessions, run the following command: $ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf The output should return the following with a correctly configured CA cert path: ldap_tls_cacertdir /path/to/tls/cacert Is it the case that the TLS CA cert is not configured? |
SRG-OS-000250-GPOS-00093 |
CCI-001453 |
AC-17 (2) |
xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert | medium | Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server | Without a valid certificate presented to the LDAP client backend, the identity of a server can be forged compromising LDAP remote access sessions. | Configure SSSD to demand a valid certificate from the server to
protect the integrity of LDAP remote access sessions by setting
the ldap_tls_reqcertoption in /etc/sssd/sssd.confto demand . |
To verify the LDAP client backend demands a valid certificate from the server in remote LDAP access sessions, run the following command: $ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf The output should return the following: ldap_tls_reqcert = demand Is it the case that the TLS reqcert is not set to demand? |
SRG-OS-000250-GPOS-00093 |
CCI-001453 |
AC-17 (2) |
xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls | high | Configure SSSD LDAP Backend to Use TLS For All Transactions | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. | The LDAP client should be configured to implement TLS for the integrity
of all remote LDAP authentication sessions. If the id_provider is
set to ldap or ipa in /etc/sssd/sssd.conf or any of the
/etc/sssd/sssd.conf.d configuration files, ldap_id_use_start_tls
must be set to true .
To check if LDAP is configured to use TLS when id_provider is
set to ldap or ipa , use the following command:
$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf |
If the system is not using TLS, set the ldap_id_use_start_tls option in /etc/sssd/sssd.conf to true. Is it the case that the 'ldap_id_use_start_tls' option is not set to 'true'? |
SRG-OS-000250-GPOS-00093 |
CCI-001453 |
AC-17 (2) |
xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | medium | Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/ . |
To determine if !authenticate has not been configured for sudo, run the following command: $ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that !authenticate is specified in the sudo config files? |
SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 |
CCI-002038 |
|
xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | medium | Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ . |
To determine if NOPASSWD has been configured for sudo, run the following command: $ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that nopasswd is specified in the sudo config files? |
SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 |
CCI-002038 |
|
xccdf_org.ssgproject.content_rule_sudo_require_reauthentication | medium | The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/ .
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated. |
Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges, run the following command: sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d The output should be: /etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number. If conflicting results are returned, this is a finding. Is it the case that timestamp_timeout is not set with the appropriate value for sudo? |
SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158 |
CCI-002038 |
|
xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized | medium | The operating system must restrict privilege elevation to authorized personnel | If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. | The sudo command allows a user to execute programs with elevated
(administrator) privileges. It prompts the user for their password
and confirms your request to execute a command by checking a file,
called sudoers.
Restrict privileged actions by removing the following entries from the sudoers file:
ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL
|
Determine if "sudoers" file restricts sudo access run the following commands: $ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* $ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/* Is it the case that either of the commands returned a line? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sudoers_default_includedir | medium | Ensure sudo only includes the default configuration directory | Some sudo configurtion options allow users to run programs without re-authenticating.
Use of these configuration options makes it easier for one compromised accound to be used to
compromise other accounts. |
Administrators can configure authorized sudo users via drop-in files, and it is possible to include
other directories and configuration files from the file currently being parsed.
Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d ,
or that no drop-in file is included.
Either the /etc/sudoers should contain only one #includedir directive pointing to
/etc/sudoers.d , and no file in /etc/sudoers.d/ should include other files or directories;
Or the /etc/sudoers should not contain any #include ,
@include , #includedir or @includedir directives.
Note that the '#' character doesn't denote a comment in the configuration file. |
To determine whether sudo command includes configuration files from the appropriate directory, run the following command: $ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. Any other line returned is a finding. Is it the case that the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sudoers_validate_passwd | medium | Ensure invoking users password for privilege escalation when using sudo | If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. | The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
The expected output for:
sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' Defaults !targetpw Defaults !rootpw Defaults !runaspwor if cvtsudoers not supported: sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw |
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' or if cvtsudoers not supported: sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; If no results are returned, this is a finding. If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. If "Defaults !runaspw" is not defined, this is a finding. Is it the case that invoke user passwd when using sudo? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 CCI-002227 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space | medium | Enable Randomized Layout of Virtual Address Space | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.randomize_va_space = 2 |
The runtime status of the kernel.randomize_va_space kernel parameter can be queried by running the following command: $ sysctl kernel.randomize_va_space 2. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 SRG-OS-000433-GPOS-00192 SRG-OS-000433-GPOS-00193 |
CCI-000366 CCI-002824 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects | medium | Disable Accepting ICMP Redirects for All IPv4 Interfaces | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required." |
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.accept_redirects = 0 |
The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects 0. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 CCI-001503 CCI-001551 |
CM-6 b CM-6 d AC-4 |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route | medium | Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.accept_source_route = 0 |
The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route 0. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter | medium | Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. | To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.rp_filter = 1 |
The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate either: net.ipv4.conf.all.rp_filter = 1 or: net.ipv4.conf.all.rp_filter = 2 The output of the command should not indicate: net.ipv4.conf.all.rp_filter = 0 The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent sysctl parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d The command should not find any assignments other than: net.ipv4.conf.all.rp_filter = 1 or: net.ipv4.conf.all.rp_filter = 2 Conflicting assignments are not allowed. Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 CCI-001551 |
CM-6 b AC-4 |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects | medium | Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.send_redirects = 0 |
The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects 0. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects | medium | Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. |
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.accept_redirects = 0 |
The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects 0. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 CCI-001551 |
CM-6 b AC-4 |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route | medium | Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. |
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.accept_source_route = 0 |
The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route 0. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 CCI-001551 |
CM-6 b AC-4 |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter | medium | Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. | To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.rp_filter = 1 |
The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter 1. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects | medium | Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.send_redirects = 0 |
The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects 0. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts | medium | Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.icmp_echo_ignore_broadcasts = 1 |
The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts 1. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward | medium | Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. | To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.ip_forward = 0 |
The runtime status of the net.ipv4.ip_forward kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward 0. The ability to forward packets is only appropriate for routers. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route | medium | Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.all.accept_source_route = 0 |
The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_source_route 0. Is it the case that the correct value is not returned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode | medium | Ensure tftp Daemon Uses Secure Mode | Using the -s option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private. |
If running the tftp service is necessary, it should be configured
to change its root directory at startup. To do so, ensure
/etc/xinetd.d/tftp includes -s as a command line argument, as shown in
the following example:
server_args = -s |
If TFTP is not installed, this is not applicable. To determine if TFTP is installed, run the following command: $ rpm -qa | grep tftp Verify tftp is configured by with the -s option by running the following command: grep "server_args" /etc/xinetd.d/tftp server_args = -s Is it the case that "server_args" line does not have a "-s" option, and a subdirectory is not assigned? |
SRG-OS-000360-GPOS-00147 SRG-OS-000480-GPOS-00225 SRG-OS-000480-GPOS-00226 SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00228 SRG-OS-000480-GPOS-00229 SRG-OS-000480-GPOS-00230 SRG-OS-000480-GPOS-00232 |
CCI-000366 |
CM-6 b |
xccdf_org.ssgproject.content_rule_uefi_no_removeable_media | medium | UEFI Boot Loader Is Not Installed On Removeable Media | Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. | The system must not allow removable media to be used as the boot loader.
Remove alternate methods of booting the system from removable media.
usb0 , cd , fd0 , etc. are some examples of removeable
media which should not exist in the line:
set root='hd0,msdos1' |
To verify the system is not configured to use a boot loader on removable media, run the following command: $ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg The output should return something similar to: set root='hd0,msdos1' usb0, cd, fd0, etc. are some examples of removeable media which should not exist in the line: set root='hd0,msdos1' Is it the case that it is not? |
SRG-OS-000364-GPOS-00151 SRG-OS-000365-GPOS-00152 |
CCI-001813 CCI-001814 |
|
xccdf_org.ssgproject.content_rule_wireless_disable_interfaces | medium | Deactivate Wireless Network Interfaces | The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. | Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio all off |
Verify that there are no wireless interfaces configured on the system with the following command: $ sudo nmcli device The output should only contain wireless devices in unavailable state, like in the following example: wlp0s20f3 wifi unavailable -- Is it the case that wireless interfaces are not active? |
SRG-OS-000423-GPOS-00187 SRG-OS-000481-GPOS-00481 SRG-OS-000424-GPOS-00188 SRG-OS-000300-GPOS-00118 SRG-OS-000299-GPOS-00117 |
CCI-000085 CCI-002418 CCI-002421 CCI-001443 CCI-001444 |
AC-19 c AC-18 (1) AC-18 (1) |