Status: draft

Guide to the Secure Configuration of Red Hat Enterprise Linux 7

This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation. The SCAP content
is available in the scap-security-guide package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a catalog, not a
checklist, and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives. Some example
XCCDF Profiles, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP). The DISA STIG, which provides required
settings for US Department of Defense systems, is one example of a baseline
created from this guidance.
Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and make no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.
Version 0.1.49
SCAP Security Guide Project

Contributors:
Frank J Cameron (CAM1244) <cameron@ctc.com>
0x66656c6978 <0x66656c6978@users.noreply.github.com>
Gabe Alford <redhatrises@gmail.com>
Firas AlShafei <firas.alshafei@us.abb.com>
Christopher Anderson <cba@fedoraproject.org>
angystardust <angystardust@users.noreply.github.com>
Chuck Atkins <chuck.atkins@kitware.com>
Ryan Ballanger <root@rballang-admin-2.fastenal.com>
Alex Baranowski <alex@euro-linux.com>
Molly Jo Bault <Molly.Jo.Bault@ballardtech.com>
Gabriel Becker <ggasparb@redhat.com>
Alexander Bergmann <abergmann@suse.com>
Jose Luis BG <bgjoseluis@gmail.com>
Joseph Bisch <joseph.bisch@gmail.com>
Jeffrey Blank <blank@eclipse.ncsc.mil>
Olivier Bonhomme <ptitoliv@ptitoliv.net>
Ted Brunell <tbrunell@redhat.com>
Blake Burkhart <blake.burkhart@us.af.mil>
Patrick Callahan <pmc@patrickcallahan.com>
Nick Carboni <ncarboni@redhat.com>
James Cassell <james.cassell@ll.mit.edu>
Frank Caviggia <fcaviggi@ra.iad.redhat.com>
Eric Christensen <echriste@redhat.com>
Jayson Cofell <1051437+70k10@users.noreply.github.com>
Caleb Cooper <coopercd@ornl.gov>
Deric Crago <deric.crago@gmail.com>
Maura Dailey <maura@eclipse.ncsc.mil>
Klaas Demter <demter@atix.de>
dhanushkar-wso2 <dhanushkar@wso2.com>
Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu>
dom <dominique.blaze@devinci.fr>
Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr>
drax <applezip@gmail.com>
Sebastian Dunne <sdunne@redhat.com>
Greg Elin <gregelin@gitmachines.com>
Alexis Facques <alexis.facques@mythalesgroup.io>
Leah Fisher <lfisher047@gmail.com>
Alijohn Ghassemlouei <alijohn.ghassemlouei@sapns2.com>
ghylock <ghylock@gmail.com>
Andrew Gilmore <agilmore2@gmail.com>
Joshua Glemza <jglemza@nasa.gov>
Loren Gordon <lorengordon@users.noreply.github.com>
Patrik Greco <sikevux@sikevux.se>
Steve Grubb <sgrubb@redhat.com>
Marek Haicman <mhaicman@redhat.com>
Rebekah Hayes <rhayes@corp.rivierautilities.com>
Trey Henefield <thenefield@gmail.com>
Henning Henkel <henning.henkel@helvetia.ch>
hex2a <hex2a@users.noreply.github.com>
John Hooks <jhooks@starscream.pa.jhbcomputers.com>
Jakub Hrozek <jhrozek@redhat.com>
De Huo <De.Huo@windriver.com>
Robin Price II <robin@redhat.com>
Yasir Imam <yimam@redhat.com>
Jiri Jaburek <jjaburek@redhat.com>
Keith Jackson <keithkjackson@gmail.com>
Jeremiah Jahn <jeremiah@goodinassociates.com>
Stephan Joerrens <Stephan.Joerrens@fiduciagad.de>
Jono <jono@ubuntu-18.localdomain>
Kai Kang <kai.kang@windriver.com>
Charles Kernstock <charles.kernstock@ultra-ats.com>
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Nathan Kinder <nkinder@redhat.com>
Lee Kinser <lee.kinser@gmail.com>
Evgeny Kolesnikov <ekolesni@redhat.com>
Peter 'Pessoft' Kolínek <github@pessoft.com>
Luke Kordell <luke.t.kordell@lmco.com>
Malte Kraus <malte.kraus@suse.com>
kspargur <kspargur@kspargur.csb>
Amit Kumar <amitkuma@redhat.com>
Fen Labalme <fen@civicactions.com>
Ian Lee <lee1001@llnl.gov>
Jarrett Lee <jarrettl@umd.edu>
Jan Lieskovsky <jlieskov@redhat.com>
Šimon Lukašík <slukasik@redhat.com>
Milan Lysonek <mlysonek@redhat.com>
Fredrik Lysén <fredrik@pipemore.se>
Caitlin Macleod <caitelatte@gmail.com>
Matus Marhefka <mmarhefk@redhat.com>
Jamie Lorwey Martin <jlmartin@redhat.com>
Robert McAllister <rmcallis@redhat.com>
Michael McConachie <michael@redhat.com>
Khary Mendez <kharyam@gmail.com>
Rodney Mercer <rmercer@harris.com>
Matt Micene <nzwulfin@gmail.com>
Brian Millett <bmillett@gmail.com>
Mixer9 <35545791+Mixer9@users.noreply.github.com>
mmosel <mmosel@kde.example.com>
Zbynek Moravec <zmoravec@redhat.com>
Kazuo Moriwaka <moriwaka@users.noreply.github.com>
Michael Moseley <michael@eclipse.ncsc.mil>
Joe Nall <joe@nall.com>
Neiloy <neiloy@redhat.com>
Axel Nennker <axel@nennker.de>
Michele Newman <mnewman@redhat.com>
Sean O'Keeffe <seanokeeffe797@gmail.com>
Ilya Okomin <ilya.okomin@oracle.com>
Kaustubh Padegaonkar <theTuxRacer@gmail.com>
Michael Palmiotto <mpalmiotto@tresys.com>
Max R.D. Parmer <maxp@trystero.is>
Jan Pazdziora <jpazdziora@redhat.com>
pcactr <paul.c.arnold4.ctr@mail.mil>
Kenneth Peeples <kennethwpeeples@gmail.com>
Nathan Peters <Nathaniel.Peters@ca.com>
Frank Lin PIAT <fpiat@klabs.be>
Stefan Pietsch <mail.ipv4v6+gh@gmail.com>
Vojtech Polasek <vpolasek@redhat.com>
Orion Poplawski <orion@nwra.com>
Martin Preisler <mpreisle@redhat.com>
Wesley Ceraso Prudencio <wcerasop@redhat.com>
Raphael Sanchez Prudencio <rsprudencio@redhat.com>
T.O. Radzy Radzykewycz <radzy@windriver.com>
Kenyon Ralph <kenyon@kenyonralph.com>
Mike Ralph <mralph@redhat.com>
Rick Renshaw <Richard_Renshaw@xtoenergy.com>
Chris Reynolds <c.reynolds82@gmail.com>
rhayes <rhayes@rivierautilities.com>
Pat Riehecky <riehecky@fnal.gov>
rlucente-se-jboss <rlucente@redhat.com>
Juan Antonio Osorio Robles <jaosorior@redhat.com>
Matt Rogers <mrogers@redhat.com>
Jesse Roland <j.roland277@gmail.com>
Joshua Roys <roysjosh@gmail.com>
rrenshaw <bofh69@yahoo.com>
Chris Ruffalo <chris.ruffalo@gmail.com>
Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil>
Willy Santos <wsantos@redhat.com>
Gautam Satish <gautams@hpe.com>
Watson Sato <wsato@redhat.com>
Satoru SATOH <satoru.satoh@gmail.com>
Alexander Scheel <ascheel@redhat.com>
Bryan Schneiders <pschneiders@trisept.com>
shaneboulden <shane.boulden@gmail.com>
Spencer Shimko <sshimko@tresys.com>
Mark Shoger <mshoger@redhat.com>
Thomas Sjögren <konstruktoid@users.noreply.github.com>
Francisco Slavin <fslavin@tresys.com>
David Smith <dsmith@eclipse.ncsc.mil>
Kevin Spargur <kspargur@redhat.com>
Kenneth Stailey <kstailey.lists@gmail.com>
Leland Steinke <leland.j.steinke.ctr@mail.mil>
Justin Stephenson <jstephen@redhat.com>
Brian Stinson <brian@bstinson.com>
Jake Stookey <jakestookey@gmail.com>
Jonathan Sturges <jsturges@jsturges.remote.csb>
Philippe Thierry <phil@reseau-libre.net>
Derek Thurston <thegrit@gmail.com>
tianzhenjia <jiatianzhen@cmss.chinamobile.com>
Paul Tittle <ptittle@cmf.nrl.navy.mil>
tomas.hudik <tomas.hudik@embedit.cz>
Jeb Trayer <jeb.d.trayer@uscg.mil>
Matěj Týč <matyc@redhat.com>
VadimDor <29509093+VadimDor@users.noreply.github.com>
Shawn Wells <shawn@redhat.com>
Daniel E. White <linuxdan@users.noreply.github.com>
Roy Williams <roywilli@roywilli.redhat.com>
Rob Wilmoth <rwilmoth@redhat.com>
Lucas Yamanishi <lucas.yamanishi@onyxpoint.com>
Xirui Yang <xirui.yang@oracle.com>
Kevin Zimmerman <kevin.zimmerman@kitware.com>
Jan Černý <jcerny@redhat.com>
Michal Šrubař <msrubar@redhat.com>

https://github.com/OpenSCAP/scap-security-guide/releases/latest

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Security Rule establishes U.S. national standards to protect individuals’
electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the
confidentiality, integrity, and security of electronic protected health
information.
This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security
Rule identified for securing electronic protected health information.

DRAFT - ANSSI DAT-NT28 (high)

Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.

C2S for Red Hat Enterprise Linux 7

This profile demonstrates compliance against the
U.S. Government Commercial Cloud Services (C2S) baseline.
This baseline was inspired by the Center for Internet Security
(CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
For the SCAP Security Guide project to remain in compliance with
CIS' terms and conditions, specifically Restrictions(8), note
there is no representation or claim that the C2S profile will
ensure a system is in compliance or consistency with the CIS
baseline.

DRAFT - ANSSI DAT-NT28 (intermediary)

Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7

Ensures PCI-DSS v3.2.1 security configuration settings are applied.

DRAFT - ANSSI DAT-NT28 (minimal)

Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.

VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)

This compliance profile reflects the core set of security
related configuration settings for deployment of Red Hat Enterprise
Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies.
Development partners and sponsors include the U.S. National Institute
of Standards and Technology (NIST), U.S. Department of Defense,
the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following
sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for Virtualization v1.0 (VPP v1.0)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the
scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the ComplianceAsCode project, championed by the National
Security Agency. Except for differences in formatting to accommodate
publishing processes, this profile mirrors ComplianceAsCode
content as minor divergences, such as bugfixes, work through the
consensus and release processes.

Standard System Security Profile for Red Hat Enterprise Linux 7

This profile contains rules to ensure a standard security baseline
of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload,
all of these checks should pass.

OSPP - Protection Profile for General Purpose Operating Systems v4.2.1

This profile reflects mandatory configuration controls identified in the
NIAP Configuration Annex to the Protection Profile for General Purpose
Operating Systems (Protection Profile Version 4.2.1).
This configuration profile is consistent with CNSSI-1253, which requires
U.S. National Security Systems to adhere to certain configuration
parameters. Accordingly, this configuration profile is suitable for
use in U.S. National Security Systems.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

From NIST 800-171, Section 2.2:
Security requirements for protecting the confidentiality of CUI in non-federal
information systems and organizations have a well-defined structure that
consists of:
(i) a basic security requirements section;
(ii) a derived security requirements section.
The basic security requirements are obtained from FIPS Publication 200, which
provides the high-level and fundamental security requirements for federal
information and information systems. The derived security requirements, which
supplement the basic security requirements, are taken from the security controls
in NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 7 to the NIST Special
Publication 800-53 controls identified for securing Controlled Unclassified
Information (CUI).

DRAFT - ANSSI DAT-NT28 (enhanced)

Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des systèmes d'information. Based on https://www.ssi.gouv.fr/.

Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)

This profile contains the minimum security relevant
configuration settings recommended by Red Hat, Inc for
Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified
Cloud Providers.

Australian Cyber Security Centre (ACSC) Essential Eight

This profile contains configuration checks for Red Hat Enterprise Linux 7
that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
A copy of the Essential Eight in Linux Environments guide can be found at the
ACSC website:
https://www.cyber.gov.au/publications/essential-eight-in-linux-environments

[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)

This *draft* profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).

DISA STIG for Red Hat Enterprise Linux 7

This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux V1R4.
In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
configuration baseline as applicable to the operating system tier of
Red Hat technologies that are based on Red Hat Enterprise Linux 7, such as:
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux Workstation and Desktop
- Red Hat Enterprise Linux for HPC
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 7 image

NIST National Checklist Program Security Guide

This compliance profile reflects the core set of security
related configuration settings for deployment of Red Hat Enterprise
Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies.
Development partners and sponsors include the U.S. National Institute
of Standards and Technology (NIST), U.S. Department of Defense,
the National Security Agency, and Red Hat.
This baseline implements configuration requirements from the following
sources:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.2.1 (OSPP v4.2.1)
- DISA Operating System Security Requirements Guide (OS SRG)
For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen. Security Requirement Traceability Guides (RTMs) and
sample System Security Configuration Guides are provided via the
scap-security-guide-docs package.
This profile reflects U.S. Government consensus content and is developed through
the OpenSCAP/SCAP Security Guide initiative, championed by the National
Security Agency. Except for differences in formatting to accommodate
publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide
content as minor divergences, such as bugfixes, work through the
consensus and release processes.

Criminal Justice Information Services (CJIS) Security Policy

This profile is derived from FBI's CJIS v5.4
Security Policy. A copy of this policy can be found at the CJIS Security
Policy Resource Center:
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Remediation functions used by the SCAP Security Guide Project

XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project.

Remediation function perform_audit_adjtimex_settimeofday_stime_remediation

Shared bash remediation function. Not intended to be changed by tailoring.

# Function to fix syscall audit rule for given system call. It is
# based on example audit syscall rule definitions as outlined in
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
# syscall group into one audit rule (rather than to create audit rule per
# different system call) to avoid audit infrastructure performance penalty
# in the case of 'one-audit-rule-definition-per-one-system-call'. See:
#
# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html
#
# for further details.
#
# Expects five arguments (each of them is required) in the form of:
# * audit tool                   tool used to load audit rules,
#                                either 'auditctl', or 'augenrules'
# * audit rules' pattern         audit rule skeleton for same syscall
# * syscall group                greatest common string this rule shares
#                                with other rules from the same group
# * architecture                 architecture this rule is intended for
# * full form of new rule to add expected full form of audit rule as to be
#                                added into audit.rules file
#
# Note: The 2nd up to 4th arguments are used to determine how many existing
# audit rules will be inspected for resemblance with the new audit rule
# (5th argument) the function is going to add. The rule's similarity check
# is performed to optimize audit.rules definition (merge syscalls of the same
# group into one rule) to avoid the "single-syscall-per-audit-rule" performance
# penalty.
#
# Example call:
#
# See e.g. 'audit_rules_file_deletion_events.sh' remediation script
#
function fix_audit_syscall_rule {
    # Load function arguments into local variables
    local tool="$1"
    local pattern="$2"
    local group="$3"
    local arch="$4"
    local full_rule="$5"

    # Check sanity of the input
    if [ $# -ne "5" ]
    then
        echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
        echo "Aborting."
        exit 1
    fi

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    # Tool used to load audit rules | Rule already defined | Audit rules file to inspect       |
    # -----------------------------------------------------------------------------------------
    # auditctl                      | Doesn't matter       | /etc/audit/audit.rules            |
    # -----------------------------------------------------------------------------------------
    # augenrules                    | Yes                  | /etc/audit/rules.d/*.rules        |
    # augenrules                    | No                   | /etc/audit/rules.d/$key.rules     |
    # -----------------------------------------------------------------------------------------
    #
    declare -a files_to_inspect
    retval=0

    # First check sanity of the specified audit tool
    if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
    then
        echo "Unknown audit rules loading tool: $1. Aborting."
        echo "Use either 'auditctl' or 'augenrules'!"
        return 1
    # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
    # file to the list of files to be inspected
    elif [ "$tool" == 'auditctl' ]
    then
        files_to_inspect+=('/etc/audit/audit.rules' )
    # If audit tool is 'augenrules', then check if the audit rule is defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
    # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
    elif [ "$tool" == 'augenrules' ]
    then
        # Extract audit $key from audit rule so we can use it later
        key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
        readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
        if [ $? -ne 0 ]
        then
            retval=1
        fi
        for match in "${matches[@]}"
        do
            files_to_inspect+=("${match}")
        done
        # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
        if [ ${#files_to_inspect[@]} -eq "0" ]
        then
            file_to_inspect="/etc/audit/rules.d/$key.rules"
            files_to_inspect=("$file_to_inspect")
            if [ ! -e "$file_to_inspect" ]
            then
                touch "$file_to_inspect"
                chmod 0640 "$file_to_inspect"
            fi
        fi
    fi

    #
    # Indicator that we want to append $full_rule into $audit_file by default
    local append_expected_rule=0

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that:
        # * follow the rule pattern, and
        # * meet the hardware architecture requirement, and
        # * are current syscall group specific
        readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
        if [ $? -ne 0 ]
        then
            retval=1
        fi

        # Process rules found case-by-case
        for rule in "${existing_rules[@]}"
        do
            # Found rule is for same arch & key, but differs (e.g. in count of -S arguments)
            if [ "${rule}" != "${full_rule}" ]
            then
                # If so, isolate just '(-S \w)+' substring of that rule
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+')
                # Check if list of '-S syscall' arguments of that rule is subset
                # of '-S syscall' list of expected $full_rule
                if grep -q -- "$rule_syscalls" <<< "$full_rule"
                then
                    # Rule is covered (i.e. the list of -S syscalls for this rule is
                    # subset of -S syscalls of $full_rule => existing rule can be deleted
                    # Thus delete the rule from audit.rules & our array
                    sed -i -e "\;${rule};d" "$audit_file"
                    if [ $? -ne 0 ]
                    then
                        retval=1
                    fi
                    existing_rules=("${existing_rules[@]//$rule/}")
                else
                    # Rule isn't covered by $full_rule - it besides -S syscall arguments
                    # for this group contains also -S syscall arguments for other syscall
                    # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'
                    # since 'lchown' & 'fchownat' share 'chown' substring
                    # Therefore:
                    # * 1) delete the original rule from audit.rules
                    #      (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
                    # * 2) delete the -S syscall arguments for this syscall group, but
                    #      keep those not belonging to this syscall group
                    #      (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod')
                    # * 3) append the modified (filtered) rule again into audit.rules
                    #      if the same rule not already present
                    #
                    # 1) Delete the original rule
                    sed -i -e "\;${rule};d" "$audit_file"
                    if [ $? -ne 0 ]
                    then
                        retval=1
                    fi
                    # 2) Delete syscalls for this group, but keep those from other groups
                    # Split the current rule's '-S syscall' string into an array. Note that
                    # IFS is a set of characters, not a string: IFS=$'-S' splits on '-' and
                    # on 'S' separately. That is acceptable here because syscall names are
                    # lowercase, and the empty fields this produces are skipped below.
                    IFS_BKP="$IFS"
                    IFS=$'-S'
                    read -a rule_syscalls_as_array <<< "$rule_syscalls"
                    # Reset IFS back to default
                    IFS="$IFS_BKP"
                    # Splitting by "-S" can't be replaced by the readarray functionality easily
                    # Declare new empty string to hold '-S syscall' arguments from other groups
                    new_syscalls_for_rule=''
                    # Walk through existing '-S syscall' arguments
                    for syscall_arg in "${rule_syscalls_as_array[@]}"
                    do
                        # Skip empty $syscall_arg values
                        if [ "$syscall_arg" == '' ]
                        then
                            continue
                        fi
                        # If the '-S syscall' doesn't belong to current group add it to the new list
                        # (together with adding '-S' delimiter back for each of such item found)
                        if grep -q -v -- "$group" <<< "$syscall_arg"
                        then
                            new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
                        fi
                    done
                    # Replace original '-S syscall' list with the new one for this rule
                    updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
                    # Squeeze repeated whitespace characters in rule definition (if any) into one
                    updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
                    # 3) Append the modified / filtered rule again into audit.rules
                    # (but only in case it's not present yet to prevent duplicate definitions)
                    if ! grep -q -- "$updated_rule" "$audit_file"
                    then
                        echo "$updated_rule" >> "$audit_file"
                    fi
                fi
            else
                # $audit_file already contains the expected rule form for this
                # architecture & key => don't insert it second time
                append_expected_rule=1
            fi
        done

        # We deleted all rules that were subset of the expected one for this arch & key.
        # Also isolated rules containing system calls not from this system calls group.
        # Now append the expected rule if it's not present in $audit_file yet
        if [[ ${append_expected_rule} -eq "0" ]]
        then
            echo "$full_rule" >> "$audit_file"
        fi
    done

    return $retval
}
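The function above rewrites rules so that every syscall of a group ends up in one rule per architecture and key. The read-only check that has to come first in a compliance scan, whether a rules file already audits every syscall of a group for a given architecture and key, is shown below as an added example; it is not code from the SCAP Security Guide. It tolerates the layouts the remediation has to cope with: several rules carrying the same key, the "-S a -S b" and "-S a,b" spellings, and both "-k KEY" and "-F key=KEY". It assumes GNU grep and sed (for -E and -o), and the sample rules file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide: a read-only check of
# whether an audit rules file already covers a syscall group for one
# architecture and key.

# Print, one per line and sorted, the syscalls audited in FILE for ARCH under KEY.
# $1: rules file, $2: arch (b32 or b64), $3: key (matches both -k KEY and -F key=KEY)
audited_syscalls() {
    as_file="$1"; as_arch="$2"; as_key="$3"
    grep -E -- "^-a[[:space:]]+always,exit" "$as_file" \
        | grep -E -- "-F[[:space:]]+arch=${as_arch}([[:space:]]|$)" \
        | grep -E -- "(-k[[:space:]]+|-F[[:space:]]+key=)${as_key}([[:space:]]|$)" \
        | grep -oE -- "-S[[:space:]]+[a-z0-9_,]+" \
        | sed -E 's/^-S[[:space:]]+//' \
        | tr ',' '\n' \
        | sort -u
}

# Print "PASS" when every syscall named in $4.. is audited for ARCH/KEY,
# otherwise "FAIL: missing <names>".
# $1: rules file, $2: arch, $3: key, $4..: syscalls the group must contain
check_syscall_group() {
    cs_file="$1"; cs_arch="$2"; cs_key="$3"; shift 3
    cs_have="$(audited_syscalls "$cs_file" "$cs_arch" "$cs_key")"
    cs_missing=""
    for cs_sc in "$@"; do
        printf '%s\n' "$cs_have" | grep -qx -- "$cs_sc" || cs_missing="$cs_missing $cs_sc"
    done
    if [ -z "$cs_missing" ]; then echo "PASS"; else echo "FAIL: missing$cs_missing"; fi
}

# Constructed sample rules file (not from any real system). b32 audits all
# three time syscalls, split over two rules in the two syntaxes; b64 lacks
# settimeofday under the expected key; the -w rule must be ignored.
SAMPLE_RULES="$(mktemp)"
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
## constructed sample, not a real audit.rules
-a always,exit -F arch=b32 -S adjtimex,stime -k audit_time_rules
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k some_other_key
-w /etc/localtime -p wa -k audit_time_rules
EOF

check_b32() { check_syscall_group "$SAMPLE_RULES" b32 audit_time_rules adjtimex settimeofday stime; }
check_b64() { check_syscall_group "$SAMPLE_RULES" b64 audit_time_rules adjtimex settimeofday; }

echo "b32: $(check_b32)"   # PASS
echo "b64: $(check_b64)"   # FAIL: missing settimeofday
```

The b64 sample shows why key matching matters: settimeofday is audited there, but under another key, so a scan that only greps for the syscall name would report it as covered while the rule the profile expects (and that the remediation above would write) is still absent.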
# Function to perform remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
# system calls on RHEL, Fedora or OL systems.
# Remediation performed for both possible tools: 'auditctl' and 'augenrules'.
#
# Note: 'stime' system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
# therefore excluded from the list of time group system calls to be audited on this arch
#
# Example Call:
#
# perform_audit_adjtimex_settimeofday_stime_remediation
#
function perform_audit_adjtimex_settimeofday_stime_remediation {
    # Retrieve hardware architecture of the underlying system
    [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

    for ARCH in "${RULE_ARCHS[@]}"
    do
        PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
        # Create expected audit group and audit rule form for particular system call & architecture
        if [ ${ARCH} = "b32" ]
        then
            # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
            # so append it to the list of time group system calls to be audited
            GROUP="\(adjtimex\|settimeofday\|stime\)"
            FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
        elif [ ${ARCH} = "b64" ]
        then
            # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
            # therefore don't add it to the list of time group system calls to be audited
            GROUP="\(adjtimex\|settimeofday\)"
            FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
        fi
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    done
}

Remediation function create_audit_remediation_unsuccessful_file_modification_detailed

Shared bash remediation function. Not intended to be changed by tailoring.

function create_audit_remediation_unsuccessful_file_modification_detailed {
    mkdir -p "$(dirname "$1")"
    # The - option to mark a here document limit string (<<-EOF) suppresses leading tabs (but not spaces) in the output.
    cat <<-EOF > "$1"
## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance.
## The following content has been retrieved on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depend on having
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
EOF
}

Remediation function include_mount_options_functions

Shared bash remediation function. Not intended to be changed by tailoring.

function include_mount_options_functions {
:
}
# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')
for _vfstype_point in "${_vfstype_points[@]}"
do
ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
done
}
# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
local _mount_point_match_regexp="" _previous_mount_opts=""
_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"
if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
# runtime opts without some automatic kernel/userspace-added defaults
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
fi
}
# $1: mount point
function get_mount_point_regexp {
printf "[[:space:]]%s[[:space:]]" "$1"
}
# $1: mount point
function assert_mount_point_in_fstab {
local _mount_point_match_regexp
_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
grep "$_mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}
# $1: mount point
function remove_defaults_from_fstab_if_overriden {
local _mount_point_match_regexp
_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
then
sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
fi
}
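A read-only check to pair with ensure_mount_option_for_vfstype and ensure_mount_option_in_fstab above, added here as an example and not SSG code: it lists the mount points of one filesystem type whose /etc/fstab options lack a required option, so the remediation can be verified before and after it runs. The fstab content it works on is constructed and written to a temp file.

```shell
#!/usr/bin/env bash
# Added example, not SSG code: a read-only check mirroring the fstab handling
# of ensure_mount_option_for_vfstype / ensure_mount_option_in_fstab. It lists
# the mount points of one filesystem type (e.g. tmpfs) that lack a required
# option, skipping comment lines. Runs on a constructed fstab in a temp file.

# Print "mount_point options" for every active entry of VFSTYPE in FILE.
# fstab fields: device mount_point vfstype options [dump] [pass].
fstab_entries_of_type() {
    local file="$1" vfstype="$2" dev mnt type opts rest
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # blank or comment line
        [ "$type" = "$vfstype" ] || continue
        printf '%s %s\n' "$mnt" "${opts:-defaults}"
    done < "$file"
}

# Return 0 if the comma-separated OPTS list contains OPT as a whole item.
# "defaults" stands for rw,suid,dev,exec,auto,nouser,async, so it never
# satisfies a hardening option such as nodev, nosuid or noexec.
opts_contain() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Print the mount points of VFSTYPE in FILE whose options lack OPT, one per
# line. Exit status 0 when every entry has the option, 1 otherwise.
mount_points_missing_option() {
    local file="$1" vfstype="$2" opt="$3" mnt opts missing=0
    while read -r mnt opts; do
        [ -n "$mnt" ] || continue
        if ! opts_contain "$opts" "$opt"; then
            printf '%s\n' "$mnt"
            missing=1
        fi
    done <<EOF
$(fstab_entries_of_type "$file" "$vfstype")
EOF
    return "$missing"
}

# Constructed sample fstab (not from a real system); prints the temp file path.
write_sample_fstab() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed example, not a real /etc/fstab
UUID=0000-EXAMPLE  /             xfs    defaults                      0 0
tmpfs              /dev/shm      tmpfs  defaults,nodev,nosuid,noexec  0 0
tmpfs              /tmp          tmpfs  defaults,nodev,nosuid         0 0
# tmpfs            /var/tmp      tmpfs  defaults                      0 0
tmpfs              /mnt/scratch  tmpfs  size=512m,nodev               0 0
EOF
    printf '%s\n' "$f"
}

# Demo: which tmpfs entries in the sample would ensure_mount_option_for_vfstype
# still have to fix for the noexec option?
sample=$(write_sample_fstab)
printf 'tmpfs mounts missing noexec:\n%s\n' "$(mount_points_missing_option "$sample" tmpfs noexec)"
rm -f "$sample"
```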
# $1: mount point
function ensure_partition_is_mounted {
local _mount_point="$1"
mkdir -p "$_mount_point" || return 1
if mountpoint -q "$_mount_point"; then
mount -o remount --target "$_mount_point"
else
mount --target "$_mount_point"
fi
}
Remediation function fix_audit_syscall_rule
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to fix syscall audit rule for given system call. It is
# based on example audit syscall rule definitions as outlined in
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
# syscall group into one audit rule (rather than to create audit rule per
# different system call) to avoid audit infrastructure performance penalty
# in the case of 'one-audit-rule-definition-per-one-system-call'. See:
#
# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html
#
# for further details.
#
# Expects five arguments (each of them is required) in the form of:
# * audit tool tool used to load audit rules,
# either 'auditctl', or 'augenrules'
# * audit rules' pattern audit rule skeleton for same syscall
# * syscall group greatest common string this rule shares
# with other rules from the same group
# * architecture architecture this rule is intended for
# * full form of new rule to add expected full form of audit rule as to be
# added into audit.rules file
#
# Note: The 2nd up to 4th arguments are used to determine how many existing
# audit rules will be inspected for resemblance with the new audit rule
# (5th argument) the function is going to add. The rule's similarity check
# is performed to optimize audit.rules definition (merge syscalls of the same
# group into one rule) to avoid the "single-syscall-per-audit-rule" performance
# penalty.
#
# Example call:
#
# See e.g. 'audit_rules_file_deletion_events.sh' remediation script
#
function fix_audit_syscall_rule {
# Load function arguments into local variables
local tool="$1"
local pattern="$2"
local group="$3"
local arch="$4"
local full_rule="$5"
# Check sanity of the input
if [ $# -ne "5" ]
then
echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
echo "Aborting."
exit 1
fi
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
declare -a files_to_inspect
retval=0
# First check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
return 1
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect+=('/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
# Extract audit $key from audit rule so we can use it later
key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
if [ $? -ne 0 ]
then
retval=1
fi
for match in "${matches[@]}"
do
files_to_inspect+=("${match}")
done
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$key.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
fi
#
# Indicator that we want to append $full_rule into $audit_file by default
local append_expected_rule=0
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that:
# * follow the rule pattern, and
# * meet the hardware architecture requirement, and
# * are current syscall group specific
readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
if [ $? -ne 0 ]
then
retval=1
fi
# Process rules found case-by-case
for rule in "${existing_rules[@]}"
do
# Found rule is for same arch & key, but differs (e.g. in count of -S arguments)
if [ "${rule}" != "${full_rule}" ]
then
# If so, isolate just '(-S \w)+' substring of that rule
rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+')
# Check if list of '-S syscall' arguments of that rule is subset
# of '-S syscall' list of expected $full_rule
if grep -q -- "$rule_syscalls" <<< "$full_rule"
then
# Rule is covered (i.e. the list of -S syscalls for this rule is
# subset of -S syscalls of $full_rule => existing rule can be deleted
# Thus delete the rule from audit.rules & our array
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
existing_rules=("${existing_rules[@]//$rule/}")
else
# Rule isn't covered by $full_rule - it besides -S syscall arguments
# for this group contains also -S syscall arguments for other syscall
# group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'
# since 'lchown' & 'fchownat' share 'chown' substring
# Therefore:
# * 1) delete the original rule from audit.rules
# (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
# * 2) delete the -S syscall arguments for this syscall group, but
# keep those not belonging to this syscall group
# (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
# * 3) append the modified (filtered) rule again into audit.rules
# if the same rule not already present
#
# 1) Delete the original rule
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
# 2) Delete syscalls for this group, but keep those from other groups
# Convert current rule syscall's string into array splitting by '-S' delimiter
IFS_BKP="$IFS"
IFS=$'-S'
read -a rule_syscalls_as_array <<< "$rule_syscalls"
# Reset IFS back to default
IFS="$IFS_BKP"
# Splitting by "-S" can't be replaced by the readarray functionality easily
# Declare new empty string to hold '-S syscall' arguments from other groups
new_syscalls_for_rule=''
# Walk through existing '-S syscall' arguments
for syscall_arg in "${rule_syscalls_as_array[@]}"
do
# Skip empty $syscall_arg values
if [ "$syscall_arg" == '' ]
then
continue
fi
# If the '-S syscall' doesn't belong to current group add it to the new list
# (together with adding '-S' delimiter back for each of such item found)
if grep -q -v -- "$group" <<< "$syscall_arg"
then
new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
fi
done
# Replace original '-S syscall' list with the new one for this rule
updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
# Squeeze repeated whitespace characters in rule definition (if any) into one
updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
# 3) Append the modified / filtered rule again into audit.rules
# (but only in case it's not present yet to prevent duplicate definitions)
if ! grep -q -- "$updated_rule" "$audit_file"
then
echo "$updated_rule" >> "$audit_file"
fi
fi
else
# $audit_file already contains the expected rule form for this
# architecture & key => don't insert it second time
append_expected_rule=1
fi
done
# We deleted all rules that were subset of the expected one for this arch & key.
# Also isolated rules containing system calls not from this system calls group.
# Now append the expected rule if it's not present in $audit_file yet
if [[ ${append_expected_rule} -eq "0" ]]
then
echo "$full_rule" >> "$audit_file"
fi
done
return $retval
}
Remediation function set_faillock_option_to_value_in_pam_file
Shared bash remediation function. Not intended to be changed by tailoring.
function set_faillock_option_to_value_in_pam_file {
# If invoked with no arguments, exit. This is an intentional behavior.
[ $# -gt 0 ] || return 0
[ $# -ge 3 ] || die "$0 requires exactly zero, three, or four arguments"
[ $# -le 4 ] || die "$0 requires exactly zero, three, or four arguments"
local _pamFile="$1" _option="$2" _value="$3" _insert_lines_callback="$4"
# pam_faillock.so already present?
if grep -q "^auth.*pam_faillock.so.*" "$_pamFile"; then
# pam_faillock.so present, is the option present?
if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*$_option=" "$_pamFile"; then
# both pam_faillock.so & option present, just correct option to the right value
sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile"
sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile"
# pam_faillock.so present, but the option not yet
else
# append correct option value to appropriate places
sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ $_option=$_value/" "$_pamFile"
sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ $_option=$_value/" "$_pamFile"
fi
# pam_faillock.so not present yet
else
test -z "$_insert_lines_callback" || "$_insert_lines_callback" "$_option" "$_value" "$_pamFile"
# insert pam_faillock.so preauth & authfail rows with proper value of the option in question
fi
}
Remediation function include_merge_files_by_lines
Shared bash remediation function. Not intended to be changed by tailoring.
function include_merge_files_by_lines {
:
}
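The set-wise reasoning behind fix_audit_syscall_rule above (same syscall group, same architecture, same key; an existing rule is "covered" when its -S list is a subset of the new rule's; syscalls outside the group are kept when a mixed rule is split), as an added example that is not SSG code. It accepts both the "-S open -S openat" form used by that function and the "-S open,openat" form used by the rules at the top of this section, and runs on a constructed rules file written to a temp file.

```shell
#!/usr/bin/env bash
# Added example, not SSG code: helpers that read syscall audit rules the way
# fix_audit_syscall_rule reasons about them, but treat the -S list as a set,
# so argument order and the comma form ("-S open,openat") do not matter.

# Print the syscall names of one audit rule line, sorted, one per line.
rule_syscalls() {
    printf '%s\n' "$1" | grep -o -- '-S [^[:space:]]\{1,\}' \
        | sed 's/^-S //' | tr ',' '\n' | sort -u
}

# Print the architecture (b32/b64) a rule is restricted to, or "any".
rule_arch() {
    local arch
    arch=$(printf '%s\n' "$1" | grep -o -- '-F arch=b[0-9]*' | head -n 1 | sed 's/-F arch=//')
    printf '%s\n' "${arch:-any}"
}

# Print the rule's key, given as "-k KEY" or "-F key=KEY" (empty if none).
rule_key() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*-k[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' \
        -e 's/.*-F[[:space:]]\{1,\}key=\([^[:space:]]\{1,\}\).*/\1/p' | head -n 1
}

# Space-separated, sorted set of syscalls audited in FILE for ARCH under KEY.
# Rules without an arch filter apply to both architectures.
syscalls_for_key() {
    local file="$1" arch="$2" key="$3" line line_arch
    while IFS= read -r line; do
        case "$line" in -a*) ;; *) continue ;; esac   # skip comments and -w rules
        [ "$(rule_key "$line")" = "$key" ] || continue
        line_arch=$(rule_arch "$line")
        [ "$line_arch" = "$arch" ] || [ "$line_arch" = any ] || continue
        rule_syscalls "$line"
    done < "$file" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if every -S syscall of RULE_A also appears in RULE_B: the
# "existing rule is covered by the new one" test, done set-wise instead of
# as a substring match.
rule_is_subset_of() {
    local name b
    b=$(rule_syscalls "$2")
    for name in $(rule_syscalls "$1"); do
        printf '%s\n' "$b" | grep -q -x -F -- "$name" || return 1
    done
    return 0
}

# Print the -S syscalls of RULE that do not contain GROUP as a substring
# (space-separated): what fix_audit_syscall_rule keeps from a mixed rule such
# as '-S lchown -S fchmod -S fchownat' when the group is 'chown'.
syscalls_outside_group() {
    rule_syscalls "$1" | grep -v -- "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample rules file (not from a real system); prints the temp path.
write_sample_rules() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
## constructed example rules, not a real audit.rules
-w /etc/localtime -p wa -k audit_time_rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S lchown -S fchmod -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
EOF
    printf '%s\n' "$f"
}

# Demo: what the sample audits under key perm_mod on 64-bit.
sample=$(write_sample_rules)
printf 'b64 syscalls under key perm_mod: %s\n' "$(syscalls_for_key "$sample" b64 perm_mod)"
rm -f "$sample"
```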
# 1: Filename of the "master" file
# 2: Filename of the newly created file
function create_empty_file_like {
local lines_count
lines_count=$(wc -l < "$1")
for _ in $(seq 1 "$lines_count"); do
printf '\n' >> "$2"
done
}
# 1: Filename of the "master" file
# 2: Filename of sample file
function second_file_is_same_except_newlines {
local lines_of_master lines_of_sample len_of_master line_number i
readarray -t lines_of_master < "$1"
readarray -t lines_of_sample < "$2"
len_of_master="${#lines_of_master[@]}"
if test "$len_of_master" != "${#lines_of_sample[@]}"; then
echo "Files '$1' and '$2' have different number of lines, $len_of_master and ${#lines_of_sample[@]} respectively."
return 1
fi
for line_number in $(seq 1 "$len_of_master"); do
i=$((line_number - 1))
test -n "${lines_of_sample[$i]}" || continue
if test "${lines_of_master[$i]}" != "${lines_of_sample[$i]}"; then
echo "Line $line_number is different in files '$1' and '$2'."
return 1
fi
done
}
# 1: Filename of the "master" file
# 2: Filename of sample file
# 3: List of indices (1-based, space-separated string)
function merge_first_lines_to_second_on_indices {
local lines_of_master lines_of_sample line_number i
test -f "$2" || create_empty_file_like "$1" "$2"
readarray -t lines_of_master < "$1"
readarray -t lines_of_sample < "$2"
error_msg="$(second_file_is_same_except_newlines "$1" "$2")"
if test $? != 0; then
echo "Error merging lines into '$2': $error_msg" >&2
return 1
fi
for line_number in $3; do
i=$((line_number - 1))
lines_of_sample[$i]="${lines_of_master[$i]}"
done
printf "%s\n" "${lines_of_sample[@]}" > "$2"
}
Remediation function populate
Shared bash remediation function. Not intended to be changed by tailoring.
# The populate function isn't directly used by SSG at the moment but it can be
# used for testing purposes and will be used in SSG Testsuite in the future.
function populate {
# code to populate environment variables needed (for unit testing)
if [ -z "${!1}" ]; then
echo "$1 is not defined. Exiting."
exit
fi
}
Remediation function fix_audit_watch_rule
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to fix audit file system object watch rule for given path:
# * if rule exists, also verifies the -w bits match the requirements
# * if rule doesn't exist yet, appends expected rule form to $files_to_inspect
# audit rules file, depending on the tool which was used to load audit rules
#
# Expects four arguments (each of them is required) in the form of:
# * audit tool tool used to load audit rules,
# either 'auditctl', or 'augenrules'
# * path value of -w audit rule's argument
# * required access bits value of -p audit rule's argument
# * key value of -k audit rule's argument
#
# Example call:
#
# fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
#
function fix_audit_watch_rule {
# Load function arguments into local variables
local tool="$1"
local path="$2"
local required_access_bits="$3"
local key="$4"
# Check sanity of the input
if [ $# -ne "4" ]
then
echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'"
echo "Aborting."
exit 1
fi
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
declare -a files_to_inspect
files_to_inspect=()
# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
exit 1
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect+=('/etc/audit/audit.rules')
# If the audit tool is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection.
elif [ "$tool" == 'augenrules' ]
then
# -H forces the 'file:line' prefix even when rules.d holds a single file
readarray -t matches < <(grep -H -P "[\s]*-w[\s]+$path" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/$key.rules' into list of files for inspection
local key_rule_file="/etc/audit/rules.d/$key.rules"
# If the $key.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "[\s]*-w[\s]+$path" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Escape slashes in path for use in sed pattern below
local esc_path=${path//$'/'/$'\/'}
# Define BRE whitespace class shortcut
local sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "$required_access_bits" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w $path -p $required_access_bits -k $key" >> "$audit_rules_file"
fi
done
}
Remediation function die
Shared bash remediation function. Not intended to be changed by tailoring.
# Print a message to stderr and exit the shell
# $1: The message to print.
# $2: The error code (optional, default is 1)
function die {
local _message="$1" _rc="${2:-1}"
printf '%s\n' "$_message" >&2
exit "$_rc"
}
Remediation function perform_audit_rules_privileged_commands_remediation
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to perform remediation for 'audit_rules_privileged_commands' rule
#
# Expects two arguments:
#
# audit_tool tool used to load audit rules
# One of 'auditctl' or 'augenrules'
#
# min_auid Minimum original ID the user logged in with
#
# Example Call(s):
#
# perform_audit_rules_privileged_commands_remediation "auditctl" "500"
# perform_audit_rules_privileged_commands_remediation "augenrules" "1000"
#
function perform_audit_rules_privileged_commands_remediation {
#
# Load function arguments into local variables
local tool="$1"
local min_auid="$2"
# Check sanity of the input
if [ $# -ne "2" ]
then
echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'"
echo "Aborting."
exit 1
fi
declare -a files_to_inspect=()
# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
exit 1
# If the audit tool is 'auditctl', then:
# * add '/etc/audit/audit.rules' to the list of files to be inspected,
# * specify '/etc/audit/audit.rules' as the output audit file, where
# missing rules should be inserted
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect=("/etc/audit/audit.rules")
output_audit_file="/etc/audit/audit.rules"
#
# If the audit tool is 'augenrules', then:
# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected
# (split by newline),
# * specify '/etc/audit/rules.d/privileged.rules' as the output file, where
# missing rules should be inserted
elif [ "$tool" == 'augenrules' ]
then
readarray -t files_to_inspect < <(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)
output_audit_file="/etc/audit/rules.d/privileged.rules"
fi
# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
readarray -t privileged_binaries < <(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)
# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
declare -a sbinaries_to_skip=()
# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do
# Check if this sbinary wasn't already handled in some of the previous sbinary iterations
# Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
then
# If so, don't process it second time & go to process next sbinary
continue
fi
# Reset the counter of inspected files when starting to check
# presence of existing audit rule for new sbinary
local count_of_inspected_files=0
# Define expected rule form for this binary
expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=unset -k privileged"
# If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
echo "$expected_rule" >> "$output_audit_file"
continue
fi
# Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
sbinary_esc=${sbinary//$'/'/$'\/'}
# For each audit rules file from the list of files to be inspected
for afile in "${files_to_inspect[@]}"
do
# Search current audit rules file's content for match. Match criteria:
# * existing rule is for the same SUID/SGID binary we are currently processing (but
# can contain multiple -F path= elements covering multiple SUID/SGID binaries)
# * existing rule contains all arguments from expected rule form (though can contain
# them in arbitrary order)
base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \
-e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \
-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
-e '/-k \|-F key=/!d' "$afile")
# Increase the count of inspected files for this sbinary
count_of_inspected_files=$((count_of_inspected_files + 1))
# Require execute access type to be set for existing audit rule
exec_access='x'
# Search current audit rules file's content for presence of rule pattern for this sbinary
if [[ $base_search ]]
then
# Current audit rules file already contains rule for this binary =>
# Store the exact form of found rule for this binary for further processing
concrete_rule=$base_search
# Select all other SUID/SGID binaries possibly also present in the found rule
readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
# Separate concrete_rule into three sections using hash '#'
# sign as a delimiter around rule's permission section borders
concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")"
# Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
rule_perm=$(cut -d '#' -f 2 <<< "$concrete_rule")
rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")
# Extract already present exact access type [r|w|x|a] from rule's permission section
access_type=${rule_perm//-F perm=/}
# Verify current permission access type(s) for rule contain 'x' (execute) permission
if ! grep -q "$exec_access" <<< "$access_type"
then
# If not, append the 'x' (execute) permission to the existing access type bits
access_type="$access_type$exec_access"
# Reconstruct the permissions section for the rule
new_rule_perm="-F perm=$access_type"
# Update existing rule in current audit rules file with the new permission section
sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile"
fi
# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
#
# * in the "auditctl" mode of operation insert particular rule each time
# (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
#
# * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
# searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
# in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
#
elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
then
# Check if this sbinary wasn't already handled in some of the previous afile iterations
# Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
then
# Current audit rules file's content doesn't contain expected rule for this
# SUID/SGID binary yet => append it
echo "$expected_rule" >> "$output_audit_file"
fi
continue
fi
done
done
}
Remediation function replace_or_append
Shared bash remediation function. Not intended to be changed by tailoring.
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file: Configuration file that will be modified
# key: Configuration option to change
# value: Value of the configuration option to change
# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format: The printf-like format string that will be given stripped key and value as arguments,
# so e.g. '%s=%s' will result in key=value substitution (i.e. without spaces around =)
#
# Optional arguments:
#
# format: Optional argument to specify the format of how key/value should be
# modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
# With default format of 'key = value':
# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
# With custom key/value format:
# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
# With a variable:
# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
local config_file=$1
local key=$2
local value=$3
local cce=$4
local format=$5
if [ "$case_insensitive_mode" = yes ]; then
sed_case_insensitive_option="i"
grep_case_insensitive_option="-i"
fi
[ -n "$format" ] || format="$default_format"
# Check sanity of the input
[ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "$config_file"; then
sed_command+=('--follow-symlinks')
fi
# Test that the cce arg is not empty or does not equal @CCENUM@.
# If @CCENUM@ exists, it means that there is no CCE assigned.
if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
cce="${cce}"
else
cce="CCE"
fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
# shellcheck disable=SC2059
printf -v formatted_output "$format" "$stripped_key" "$value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
"${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
else
# \n is precaution for case where file ends without trailing newline
printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
printf '%s\n' "$formatted_output" >> "$config_file"
fi
}
System Settings
Contains rules that check correct system settings.
Configure Syslog
The syslog service has been the default Unix logging mechanism for
many years. It has a number of downsides, including inconsistent log format,
lack of authentication for received messages, and lack of authentication,
encryption, or reliable transport for messages sent over a network. However,
due to its long history, syslog is a de facto standard which is supported by
almost all Unix applications.
In Red Hat Enterprise Linux 7, rsyslog has replaced sysklogd as the
syslog daemon of choice, and it includes some additional security features
such as reliable, connection-oriented (i.e. TCP) transmission of logs, the
option to log to database formats, and the encryption of log data en route to
a central logging server.
This section discusses how to configure rsyslog for
best effect, and how to use tools provided with the system to maintain and
monitor logs.
Ensure rsyslog-gnutls is installed
TLS protocol support for rsyslog is installed.
The rsyslog-gnutls package can be installed with the following command:
$ sudo yum install rsyslog-gnutls
References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061
The rsyslog-gnutls package provides Transport Layer Security (TLS) support
for the rsyslog daemon, which enables secure remote logging.
if ! rpm -q --quiet "rsyslog-gnutls" ; then
yum install -y "rsyslog-gnutls"
fi
- name: Ensure rsyslog-gnutls is installed
  package:
    name: rsyslog-gnutls
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_rsyslog-gnutls_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
include install_rsyslog-gnutls
class install_rsyslog-gnutls {
package { 'rsyslog-gnutls':
ensure => 'installed',
}
}
package --add=rsyslog-gnutls
Ensure rsyslog is Installed
Rsyslog is installed by default. The rsyslog package can be installed with the following command:
$ sudo yum install rsyslog
NT28(R5)NT28(R46)4.2.31141516356APO11.04BAI03.05DSS05.04DSS05.07MEA02.01CCI-001311CCI-001312164.312(a)(2)(ii)4.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1CM-6(a)PR.PT-1SRG-OS-000479-GPOS-00224SRG-OS-000051-GPOS-00024
The rsyslog package provides the rsyslog daemon, which provides
system logging services.
CCE-80187-8
if ! rpm -q --quiet "rsyslog" ; then
yum install -y "rsyslog"
fi
- name: Ensure rsyslog is installed
  package:
    name: rsyslog
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_rsyslog_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80187-8
  - NIST-800-53-CM-6(a)
include install_rsyslog
class install_rsyslog {
package { 'rsyslog':
ensure => 'installed',
}
}
package --add=rsyslog
Enable rsyslog Service
The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
NT28(R5)NT28(R46)4.2.1.1112131415162356789APO10.01APO10.03APO10.04APO10.05APO11.04APO13.01BAI03.05BAI04.04DSS01.03DSS03.05DSS05.02DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.01CCI-001311CCI-001312CCI-001557CCI-001851164.312(a)(2)(ii)4.3.2.6.74.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 6.1SR 6.2SR 7.1SR 7.2A.12.1.3A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.14.2.7A.15.2.1A.15.2.2A.17.2.1CM-6(a)AU-4(1)DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.DS-4PR.PT-1
The rsyslog service must be running in order to provide
logging services, which are essential to system administration.
CCE-80188-6
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'rsyslog.service'
"$SYSTEMCTL_EXEC" enable 'rsyslog.service'
- name: Enable service rsyslog
  block:
  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service rsyslog
    service:
      name: rsyslog
      enabled: 'yes'
      state: started
    when:
    - '"rsyslog" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rsyslog_enabled
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80188-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AU-4(1)
include enable_rsyslog
class enable_rsyslog {
service {'rsyslog':
enable => true,
ensure => 'running',
}
}
Disable Logwatch on Clients if a Logserver Exists
Does your site have a central logserver which has been configured to report
on logs received from all systems? If so:
$ sudo rm /etc/cron.daily/0logwatch
If no logserver exists, it will be necessary for each system to run
Logwatch individually. Using a central logserver provides the security and
reliability benefits discussed earlier, and also makes monitoring logs
easier and less time-intensive for administrators.
CCE-80198-5
Rsyslog Logs Sent To Remote Host
If system logs are to be useful in detecting malicious
activities, it is necessary to send logs to a remote server. An
intruder who has compromised the root account on a system may
delete the log entries which indicate that the system was attacked
before they are seen by an administrator.
However, it is recommended that logs be stored on the local
host in addition to being sent to the loghost, especially if
rsyslog has been configured to use the UDP protocol to send
messages over a network. UDP does not guarantee reliable delivery,
and moderately busy sites will lose log messages occasionally,
especially in periods of high traffic which may be the result of an
attack. In addition, remote rsyslog messages are not
authenticated in any way by default, so it is easy for an attacker to
introduce spurious messages to the central log server. Also, some
problems cause loss of network connectivity, which will prevent the
sending of messages to the central server. For all of these reasons, it is
better to store log messages both centrally and on each host, so
that they can be correlated if necessary.
Remote Log Server
Specify a URI or IP address of a remote host where the log messages will be sent and stored.
logcollector
Ensure Logs Sent To Remote Host
To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery:
*.* @
To use TCP for log message delivery:
*.* @@
To use RELP for log message delivery:
*.* :omrelp:
There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
NT28(R7)NT28(R43)NT12(R5)4.2.1.41131415162356APO11.04APO13.01BAI03.05BAI04.04DSS05.04DSS05.07MEA02.01CCI-000366CCI-001348CCI-000136CCI-001851164.308(a)(1)(ii)(D)164.308(a)(5)(ii)(B)164.308(a)(5)(ii)(C)164.308(a)(6)(ii)164.308(a)(8)164.310(d)(2)(iii)164.312(b)164.314(a)(2)(i)(C)164.314(a)(2)(iii)4.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 7.1SR 7.2A.12.1.3A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.17.2.1CM-6(a)AU-4(1)AU-9(2)PR.DS-4PR.PT-1FAU_GEN.1.1.cSRG-OS-000480-GPOS-00227RHEL-07-031000SV-86833r2_ruleSRG-OS-000032-VMM-000130
A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise.
CCE-27343-3
rsyslog_remote_loghost_address=""
replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" 'CCE-27343-3' '%s %s'
- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
  set_fact:
    rsyslog_remote_loghost_address: !!str
  tags:
  - always
- name: Set rsyslog remote loghost
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: ^\*\.\*
    line: '*.* @@{{ rsyslog_remote_loghost_address }}'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - rsyslog_remote_loghost
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27343-3
  - DISA-STIG-RHEL-07-031000
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AU-4(1)
  - NIST-800-53-AU-9(2)
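The following check is an added example and is not part of the guide's own content: it audits the legacy-syntax rsyslog configuration for the forwarding actions this rule adds (@ for UDP, @@ for TCP, :omrelp: for RELP) and, in the same pass, for the listener directives that the log-server rules later in this section enable ($UDPServerRun, $InputTCPServerRun, $InputRELPServerRun and the matching $ModLoad lines), so that a host which is not a log server can be shown to forward and not to listen. The function names and the sample configuration are constructed for the example.

```shell
# Added example, not part of the SCAP Security Guide content.
# Audits legacy-syntax rsyslog configuration (the syntax used in this guide)
# for its network posture. Commented-out directives are ignored, which is what
# "Does Not Accept Remote Messages Unless Acting As Log Server" asks to verify.
#
# Usage: rsyslog_net_audit FILE...   (on a host: /etc/rsyslog.conf /etc/rsyslog.d/*.conf)
# Output, one finding per line:
#   forward <udp|tcp|relp> <target>   from a "*.* @host", "@@host" or ":omrelp:host" action
#   listen  <udp|tcp|relp> <port>     from $UDPServerRun / $InputTCPServerRun / $InputRELPServerRun
#   module  <imudp|imtcp|imrelp>      from an active $ModLoad of a network input module
rsyslog_net_audit() {
    for file in "$@"; do
        [ -f "$file" ] || continue
        # Drop leading blanks, comments and empty lines; collapse whitespace so a
        # "selector<tab>action" line becomes "selector action".
        sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' \
            -e 's/[[:space:]][[:space:]]*/ /g' "$file" |
        while IFS= read -r line; do
            case "$line" in
                '$ModLoad imudp'*|'$ModLoad imtcp'*|'$ModLoad imrelp'*)
                    echo "module ${line#*ModLoad }" ;;
                '$UDPServerRun '*)       echo "listen udp ${line#* }" ;;
                '$InputTCPServerRun '*)  echo "listen tcp ${line#* }" ;;
                '$InputRELPServerRun '*) echo "listen relp ${line#* }" ;;
                '$'*) ;;   # any other legacy directive is not network related
                *' '*)
                    # A rule line: "selector action". Forwarding actions start with
                    # @ (UDP), @@ (TCP) or :omrelp: (RELP); an optional "(options)"
                    # group such as in "@(o)host" is stripped from the target.
                    action=${line#* }
                    case "$action" in
                        :omrelp:*) action=${action#:omrelp:}; proto=relp ;;
                        @@*)       action=${action#@@};       proto=tcp ;;
                        @*)        action=${action#@};        proto=udp ;;
                        *)         continue ;;
                    esac
                    action=${action#\(*\)}
                    echo "forward $proto $action" ;;
            esac
        done
    done
}

# Returns 0 when any listener directive or network input module is active,
# i.e. the host is configured as a log server; returns 1 otherwise.
rsyslog_is_listening() {
    rsyslog_net_audit "$@" | grep -Eq '^(listen|module) '
}

# Constructed sample: a client forwarding over TCP with the UDP listener left
# commented out, as this guide recommends for hosts that are not log servers.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
$ModLoad imuxsock
#$ModLoad imudp
#$UDPServerRun 514
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
*.* @@logs.example.internal:514
EOF
rsyslog_net_audit "$SAMPLE_CONF"    # prints: forward tcp logs.example.internal:514
if rsyslog_is_listening "$SAMPLE_CONF"; then
    echo "listener active: confirm this host is meant to be a log server"
else
    echo "no listener: rsyslog is not accepting remote messages"
fi
rm -f "$SAMPLE_CONF"
```

A "forward udp" finding is worth flagging on its own, since the text above explains that UDP delivery is neither reliable nor authenticated.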
Ensure All Logs are Rotated by logrotate
Edit the file /etc/logrotate.d/syslog. Find the first
line, which should look like this (wrapped for clarity):
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
/var/log/boot.log /var/log/cron {
Edit this line so that it contains a one-space-separated
listing of each log file referenced in /etc/rsyslog.conf.
All logs in use on a system must be rotated regularly, or the
log files will consume disk space over time, eventually interfering
with system operation. The file /etc/logrotate.d/syslog is the
configuration file used by the logrotate program to maintain all
log files written by syslog. By default, it rotates logs weekly and
stores four archival copies of each log. These settings can be
modified by editing /etc/logrotate.conf, but the defaults are
sufficient for purposes of this guide.
Note that logrotate is run nightly by the cron job
/etc/cron.daily/logrotate. If particularly active logs need to be
rotated more often than once a day, some other mechanism must be
used.
Ensure Logrotate Runs Periodically
The logrotate utility allows for the automatic rotation of
log files. The frequency of rotation is specified in /etc/logrotate.conf,
which triggers a cron task. To configure logrotate to run daily, add or correct
the following line in /etc/logrotate.conf:
# rotate log files frequency
daily
NT28(R43)NT12(R18)1141516356APO11.04BAI03.05DSS05.04DSS05.07MEA02.01CCI-0003664.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1CM-6(a)PR.PT-1Req-10.7
Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full.
CCE-80195-1
LOGROTATE_CONF_FILE="/etc/logrotate.conf"
CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
# daily rotation is configured
grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
# remove any line configuring weekly, monthly or yearly rotation
sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE
# configure cron.daily if not already
if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
fi
Ensure Proper Configuration of Log Files
The file /etc/rsyslog.conf controls where log messages are written.
These are controlled by lines called rules, which consist of a
selector and an action.
These rules are often customized depending on the role of the system, the
requirements of the environment, and whatever may enable
the administrator to most effectively make use of log data.
The default rules in Red Hat Enterprise Linux 7 are:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
See the man page rsyslog.conf(5) for more information.
Note that the rsyslog daemon can be configured to use a timestamp format that
some log processing programs may not understand. If this occurs,
edit the file /etc/rsyslog.conf and add or edit the following line:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
group who owns log files
Specify group owner of all logfiles specified in
/etc/rsyslog.conf.
rootadmroot
User who owns log files
Specify user owner of all logfiles specified in
/etc/rsyslog.conf.
rootadmroot
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by
rsyslog should be .
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf,
run the following command to inspect the file's group owner:
$ ls -l LOGFILE
If the owner is not , run the following command to
correct this:
$ sudo chgrp LOGFILE
NT28(R46)NT28(R5)12131415161835APO01.06DSS05.04DSS05.07DSS06.02CCI-0013144.3.3.7.3SR 2.1SR 5.2A.10.1.1A.11.1.4A.11.1.5A.11.2.1A.13.1.1A.13.1.3A.13.2.1A.13.2.3A.13.2.4A.14.1.2A.14.1.3A.6.1.2A.7.1.1A.7.1.2A.7.3.1A.8.2.2A.8.2.3A.9.1.1A.9.1.2A.9.2.3A.9.4.1A.9.4.4A.9.4.5CM-6(a)AC-6(1)PR.AC-4PR.DS-5Req-10.5.1Req-10.5.2
The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access.
CCE-80190-2
Ensure Log Files Are Owned By Appropriate User
The owner of all log files written by
rsyslog should be .
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf,
run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not , run the following command to
correct this:
$ sudo chown LOGFILE
NT28(R46)NT28(R5)12131415161835APO01.06DSS05.04DSS05.07DSS06.02CCI-0013144.3.3.7.3SR 2.1SR 5.2A.10.1.1A.11.1.4A.11.1.5A.11.2.1A.13.1.1A.13.1.3A.13.2.1A.13.2.3A.13.2.4A.14.1.2A.14.1.3A.6.1.2A.7.1.1A.7.1.2A.7.3.1A.8.2.2A.8.2.3A.9.1.1A.9.1.2A.9.2.3A.9.4.1A.9.4.4A.9.4.5CM-6(a)AC-6(1)PR.AC-4PR.DS-5Req-10.5.1Req-10.5.2
The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access.
CCE-80189-4
Ensure cron Is Logging To Rsyslog
Cron logging must be implemented to spot intrusions or trace
cron job status. If cron is not logging to rsyslog, it
can be implemented by adding the following to the RULES section of
/etc/rsyslog.conf:
cron.* /var/log/cron
1141516356APO10.01APO10.03APO10.04APO10.05APO11.04BAI03.05DSS05.04DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.01CCI-0003664.3.2.6.74.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 6.1A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.15.2.1A.15.2.2CM-6(a)ID.SC-4PR.PT-1FAU_GEN.1.1.cSRG-OS-000480-GPOS-00227RHEL-07-021100SV-86675r2_rule
Cron logging can be used to trace the successful or unsuccessful execution
of cron jobs. It can also be used to spot intrusions into the use of the cron
facility by unauthorized and malicious users.
CCE-80380-9
if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
mkdir -p /etc/rsyslog.d
echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf
fi
Ensure System Log Files Have Correct Permissions
The file permissions for all log files written by rsyslog should
be set to 600, or more restrictive. These log files are determined by the
second part of each Rule line in /etc/rsyslog.conf and typically
all appear in /var/log. For each log file LOGFILE
referenced in /etc/rsyslog.conf, run the following command to
inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following
command to correct this:
$ sudo chmod 0600 LOGFILE
NT28(R36) 4.2.1.3 CCI-001314 CM-6(a) AC-6(1) Req-10.5.1 Req-10.5.2
Log files can contain valuable information regarding system
configuration. If the system log files are not protected unauthorized
users could change the logged data, eliminating their forensic value.
CCE-80191-0
# List of log file paths to be inspected for correct permissions
# * Primarily inspect log file paths listed in /etc/rsyslog.conf
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#'), or variable syntax ('$') characters,
# * Ignore empty lines,
# * Strip quotes and closing brackets from paths.
# * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files
# * From the remaining valid rows select only fields constituting a log file path
# Text file column is understood to represent a log file path if and only if all of the following are met:
# * it contains at least one slash '/' character,
# * it is preceded by space
# * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
# Search log file for path(s) only in case it exists!
if [[ -f "${LOG_FILE}" ]]
then
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[[:space:]|#|$]/d" "${LOG_FILE}")
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
# Since above sed command might return more than one item (delimited by newline), split the particular
# matches entries into new array specific for this log file
readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
# Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
# items from newly created array for this log file
LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}")
# Delete the temporary array
unset ARRAY_FOR_LOG_FILE
fi
done
for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}"
do
# Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing
if [ -z "$LOG_FILE_PATH" ]
then
continue
fi
# Also for each log file check if its permissions differ from 600. If so, correct them
if [ -f "$LOG_FILE_PATH" ] && [ "$(/usr/bin/stat -c %a "$LOG_FILE_PATH")" -ne 600 ]
then
/bin/chmod 600 "$LOG_FILE_PATH"
fi
done
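The following audit is an added example and is not part of the guide's remediation content: it covers the three rules above (appropriate group, appropriate user, correct permissions) in one check over the file destinations of rsyslog rules, and it treats a mode whose bits are a subset of the expected mode (for example 400 against 600) as "more restrictive", which the rule text allows but the remediation script above does not distinguish. The function names, the temporary sample configuration and the use of the current user in place of root are constructed for the example.

```shell
# Added example, not part of the SCAP Security Guide content.
# Usage: rsyslog_logfile_audit OWNER GROUP MODE CONFIG...
#   on a host: rsyslog_logfile_audit root root 600 /etc/rsyslog.conf /etc/rsyslog.d/*.conf
# Prints "<path> OK", "<path> MISSING" or "<path> MISMATCH <owner> <group> <mode>"
# for each destination and returns 0 only when every destination passed.

# Print the file destinations of legacy-syntax rule lines ("selector action"):
# the action when it is an absolute path, with a leading "-" (asynchronous
# write) and a trailing ";template" removed, so that
# "mail.* -/var/log/maillog;RSYSLOG_TraditionalFileFormat" yields /var/log/maillog.
# Comments, blank lines and $directives are skipped. Paths cannot contain
# spaces in this syntax, so the output is safe to word-split.
rsyslog_file_actions() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -e 's/^[[:space:]]*//' -e '/^[#$]/d' -e '/^$/d' \
            -e 's/[[:space:]][[:space:]]*/ /g' "$f" |
        while IFS= read -r line; do
            case "$line" in *' '*) ;; *) continue ;; esac
            action=${line#* }
            action=${action%%;*}
            case "$action" in
                -/*) echo "${action#-}" ;;
                /*)  echo "$action" ;;
            esac
        done
    done
}

rsyslog_logfile_audit() {
    want_owner=$1 want_group=$2 want_mode=$3
    shift 3
    rc=0
    for path in $(rsyslog_file_actions "$@"); do
        if [ ! -e "$path" ]; then
            echo "$path MISSING"
            rc=1
            continue
        fi
        info=$(stat -c '%U %G %a' "$path")      # e.g. "root root 600"
        owner=${info%% *}
        rest=${info#* }
        group=${rest%% *}
        mode=${rest#* }
        # The mode passes when it sets no permission bit outside the expected
        # mode: 600 and 400 pass against 600, 640 and 644 do not.
        if [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] &&
           [ $(( 0$mode & ~0$want_mode )) -eq 0 ]; then
            echo "$path OK"
        else
            echo "$path MISMATCH $owner $group $mode"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: two destinations in a temporary directory, one with the
# expected mode and one world-readable. The current user stands in for root.
DEMO=$(mktemp -d)
touch "$DEMO/secure" "$DEMO/maillog"
chmod 600 "$DEMO/secure"
chmod 644 "$DEMO/maillog"
cat > "$DEMO/rsyslog.conf" <<EOF
# constructed configuration
\$ModLoad imuxsock
authpriv.*   $DEMO/secure
mail.*       -$DEMO/maillog
*.emerg      *
EOF
DEMO_OWNER=$(stat -c %U "$DEMO/secure")
DEMO_GROUP=$(stat -c %G "$DEMO/secure")
if rsyslog_logfile_audit "$DEMO_OWNER" "$DEMO_GROUP" 600 "$DEMO/rsyslog.conf"; then
    echo "all rsyslog destinations have the expected owner, group and mode"
else
    echo "at least one destination deviates; review the MISMATCH lines above"
fi
rm -rf "$DEMO"
```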
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
By default, rsyslog does not listen over the network
for log messages. If needed, modules can be enabled to allow
the rsyslog daemon to receive messages from other systems and for the system
thus to act as a log server.
If the system is not a log server, then lines concerning these modules
should remain commented out.
Ensure syslog-ng is Installed
syslog-ng can be installed in replacement of rsyslog.
The syslog-ng-core package can be installed with the following command:
$ sudo yum install syslog-ng-core
NT28(R46)NT28(R5)5.1.11141516356APO11.04BAI03.05DSS05.04DSS05.07MEA02.01CCI-001311CCI-0013124.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1CM-6(a)PR.PT-1
The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services.
# The package name must match the one the rule names (syslog-ng-core);
# "syslogng" is not a package.
if ! rpm -q --quiet "syslog-ng-core" ; then
    yum install -y "syslog-ng-core"
fi
- name: Ensure syslog-ng-core is installed
  package:
    name: syslog-ng-core
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_syslogng_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - NIST-800-53-CM-6(a)
include install_syslogng
class install_syslogng {
  package { 'syslog-ng-core':
    ensure => 'installed',
  }
}
package --add=syslog-ng-core
Enable syslog-ng Service
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian 8.
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service
NT28(R46)NT28(R5)5.1.2112131415162356789APO10.01APO10.03APO10.04APO10.05APO11.04APO13.01BAI03.05BAI04.04DSS01.03DSS03.05DSS05.02DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.01CCI-001311CCI-001312CCI-001557CCI-0018514.3.2.6.74.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 6.1SR 6.2SR 7.1SR 7.2A.12.1.3A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.14.2.7A.15.2.1A.15.2.2A.17.2.1CM-6(a)AU-4(1)DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.DS-4PR.PT-1
The syslog-ng service must be running in order to provide
logging services, which are essential to system administration.
# The unit is syslog-ng.service, as in the command the rule gives above;
# "syslogng.service" does not exist.
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'syslog-ng.service'
"$SYSTEMCTL_EXEC" enable 'syslog-ng.service'
- name: Enable service syslog-ng
  block:
  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service syslog-ng
    service:
      name: syslog-ng
      enabled: 'yes'
      state: started
    when:
    - '"syslog-ng-core" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_syslogng_enabled
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AU-4(1)
include enable_syslogng
class enable_syslogng {
  service {'syslog-ng':
    enable => true,
    ensure => 'running',
  }
}
Enable rsyslog to Accept Messages via UDP, if Acting As Log Server
The rsyslog daemon should not accept remote messages
unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to
/etc/rsyslog.conf to enable reception of messages over UDP:
$ModLoad imudp
$UDPServerRun 514
4.2.1.51141516356APO11.04BAI03.05DSS05.04DSS05.07MEA02.014.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1CM-6(a)AU-6(3)AU-6(4)PR.PT-1
Many devices, such as switches, routers, and other Unix-like systems, may only support
the traditional syslog transmission over UDP. If the system must act as a log server,
this enables it to receive their messages as well.
CCE-80194-4
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
The rsyslog daemon should not accept remote messages
unless the system acts as a log server.
To ensure that it is not listening on the network, ensure the following lines are
not found in /etc/rsyslog.conf:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
111121314151618345689APO01.06APO11.04APO13.01BAI03.05BAI10.01BAI10.02BAI10.03BAI10.05DSS01.05DSS03.01DSS05.02DSS05.04DSS05.07DSS06.02MEA02.01CCI-000318CCI-000368CCI-001812CCI-001813CCI-0018144.2.3.44.3.3.3.94.3.3.44.3.3.5.84.3.4.3.24.3.4.3.34.3.4.4.74.4.2.14.4.2.24.4.2.44.4.3.3SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.10.1.1A.11.1.4A.11.1.5A.11.2.1A.12.1.1A.12.1.2A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.5.1A.12.6.2A.12.7.1A.13.1.1A.13.1.2A.13.1.3A.13.2.1A.13.2.2A.13.2.3A.13.2.4A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4A.6.1.2A.7.1.1A.7.1.2A.7.3.1A.8.2.2A.8.2.3A.9.1.1A.9.1.2A.9.2.3A.9.4.1A.9.4.4A.9.4.5CM-7(a)CM-7(b)CM-6(a)DE.AE-1ID.AM-3PR.AC-5PR.DS-5PR.IP-1PR.PT-1PR.PT-4SRG-OS-000480-GPOS-00227RHEL-07-031010SV-86835r2_rule
Any process which receives messages from the network incurs some risk
of receiving malicious messages. This risk can be eliminated for
rsyslog by configuring it not to listen on the network.
CCE-80192-8
Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
The rsyslog daemon should not accept remote messages
unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to
/etc/rsyslog.conf to enable reception of messages over TCP:
$ModLoad imtcp
$InputTCPServerRun 514
4.2.1.51141516356APO11.04BAI03.05DSS05.04DSS05.07MEA02.014.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1CM-6(a)AU-6(3)AU-6(4)PR.PT-1
If the system needs to act as a log server, this ensures that it can receive
messages over a reliable TCP connection.
CCE-80193-6
Configure Logwatch on the Central Log Server
Is this system the central log server? If so, edit the file /etc/logwatch/conf/logwatch.conf as shown below.
Configure Logwatch SplitHosts Line
If SplitHosts is set, Logwatch will separate entries by hostname.
This makes the report longer but significantly more usable. If it is not
set, then Logwatch will not report which host generated a given log entry,
and that information is almost always necessary.
SplitHosts = yes
CCE-80197-7
Configure Logwatch HostLimit Line
On a central logserver, you want Logwatch to summarize all syslog entries,
including those which did not originate on the logserver itself. The
HostLimit setting tells Logwatch to report on all hosts, not just
the one on which it is running.
HostLimit = no
CCE-80196-9
Network Configuration and Firewalls
Most systems must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attacker's ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks.
Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
By default, non-privileged users are given permissions to modify networking
interfaces and configurations using the nmcli command. Non-privileged
users should not be making configuration changes to network configurations. To
ensure that non-privileged users do not have permissions to make changes to the
network configuration using nmcli, create the following configuration in
/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla:
[Disable General User Access to NetworkManager]
Identity=default
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
3.1.16 AC-18(4) CM-6(a)
Allowing non-privileged users to make changes to network settings can allow
untrusted access, prevent system availability, and/or can lead to a compromise or
attack.
CCE-82178-5
printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla
- name: Ensure non-privileged users do not have access to nmcli
  ini_file:
    path: /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla
    section: Disable General User Access to NetworkManager
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    create: true
  loop:
  - option: Identity
    value: default
  - option: Action
    value: org.freedesktop.NetworkManager.*
  - option: ResultAny
    value: 'no'
  - option: ResultInactive
    value: 'no'
  - option: ResultActive
    value: auth_admin
  tags:
  - network_nmcli_permissions
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82178-5
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(4)
  - NIST-800-53-CM-6(a)
Disable Client Dynamic DNS Updates
Dynamic DNS allows clients to dynamically update their own DNS records.
The updates are transmitted by unencrypted means which can reveal information
to a potential malicious user. If the system does not require Dynamic DNS,
remove all DHCP_HOSTNAME references from the
/etc/sysconfig/network-scripts/ifcfg-interface scripts. If
dhclient is used, remove all send host-name hostname
references from the /etc/dhclient.conf configuration file and/or any
reference from the /etc/dhcp directory.
1139BAI10.01BAI10.02BAI10.03BAI10.05CCI-0003664.3.4.3.24.3.4.3.3SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4CM-7(a)CM-7(b)CM-6(a)PR.IP-1SRG-OS-000480-GPOS-00227
Dynamic DNS updates transmit unencrypted information about a system
including its name and address and should not be used unless needed.
CCE-80357-7
Configure Multiple DNS Servers in /etc/resolv.conf
Multiple Domain Name System (DNS) Servers should be configured
in /etc/resolv.conf. This provides redundant name resolution services
in the event that a domain server crashes. To configure the system to contain
at least 2 DNS servers, add a corresponding nameserver
ip_address entry in /etc/resolv.conf for each DNS
server where ip_address is the IP address of a valid DNS server.
For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
12158APO13.01DSS05.02CCI-000366SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.13.1.1A.13.2.1A.14.1.3SC-20(a)CM-6(a)PR.PT-4SRG-OS-000480-GPOS-00227RHEL-07-040600SV-86905r2_rule
To provide availability for name resolution services, multiple redundant
name servers are mandated. A failure in name resolution could lead to the
failure of security functions requiring name resolution, which may include
time synchronization, centralized authentication, and remote system logging.
CCE-80438-5
Disable Zeroconf Networking
Zeroconf networking allows the system to assign itself an IP
address and engage in IP communication without a statically-assigned address or
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0
subnet, add or correct the following line in /etc/sysconfig/network:
NOZEROCONF=yes
111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3
Zeroconf addresses are in the network 169.254.0.0. The networking
scripts add entries to the system's routing table for these addresses. Zeroconf
address assignment commonly occurs when the system is configured to use DHCP
but fails to receive an address assignment from the DHCP server.
CCE-80173-8
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
Ensure System is Not Acting as a Network Sniffer
The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
1111439APO11.06APO12.06BAI03.10BAI09.01BAI09.02BAI09.03BAI10.01BAI10.02BAI10.03BAI10.05DSS01.05DSS04.05DSS05.02DSS05.05DSS06.06CCI-0003664.2.3.44.3.3.3.74.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.34.4.3.4SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6SR 7.8A.11.1.2A.11.2.4A.11.2.5A.11.2.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.16.1.6A.8.1.1A.8.1.2A.9.1.2CM-7(a)CM-7(b)CM-6(a)CM-7(2)MA-3DE.DP-5ID.AM-1PR.IP-1PR.MA-1PR.PT-3SRG-OS-000480-GPOS-00227RHEL-07-040670SV-86919r2_rule
Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.
If the system is being used to perform a network troubleshooting function, the use of these
tools must be documented with the Information Systems Security Manager (ISSM) and restricted
to only authorized personnel.
CCE-80174-6
IPv6
The system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its
enormous increase in the number of available addresses. Another
important feature is its support for automatic configuration of
many network settings.
Disable Support for IPv6 Unless Needed
Despite configuration that suggests support for IPv6 has
been disabled, link-local IPv6 address auto-configuration occurs
even when only an IPv4 address is assigned. The only way to
effectively prevent execution of the IPv6 networking stack is to
instruct the system not to activate the IPv6 kernel module.
Disable Interface Usage of IPv6
To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network:
NETWORKING_IPV6=no
IPV6INIT=no
CCE-80176-1
Disable IPv6 Networking Support Automatic Loading
To prevent the IPv6 kernel module (ipv6) from binding to the
IPv6 networking stack, add the following line to
/etc/modprobe.d/disabled.conf (or another file in
/etc/modprobe.d):
options ipv6 disable=1
This permits the IPv6 module to be loaded (and thus satisfy other modules that
depend on it), while disabling support for the IPv6 protocol.111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack
echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf
# Since according to: https://access.redhat.com/solutions/72733
# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from
# loading, instruct also sysctl configuration to disable IPv6 according to:
# https://access.redhat.com/solutions/8709#rhel6disable
declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6")
for setting in "${IPV6_SETTINGS[@]}"
do
# Set runtime =1 for setting
/sbin/sysctl -q -n -w "$setting=1"
# If setting is present in /etc/sysctl.conf, change value to "1"
# else, add "$setting = 1" to /etc/sysctl.conf
if grep -q ^"$setting" /etc/sysctl.conf ; then
sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf
echo "$setting = 1" >> /etc/sysctl.conf
fi
done
Disable Support for RPC IPv6

RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by
default, even if IPv6 has been disabled in /etc/modprobe.d. To prevent RPC
services such as rpc.mountd from attempting to start IPv6 network listeners,
remove or comment out the following two lines in /etc/netconfig:
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -
Identifiers: CCE-80177-9
# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
# services for NFSv4 from attempting to start IPv6 network listeners
declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")
for rpc_entry in "${IPV6_RPC_ENTRIES[@]}"
do
sed -i "/^${rpc_entry}[[:space:]]\\+tpi\\_.*inet6.*/d" /etc/netconfig
done
Disable IPv6 Networking Support Automatic Loading

To disable support for IPv6 (the ipv6 module) add the following line to
/etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces while leaving the IPv6 stack
loaded, since other services and system functionality require the stack to be
loaded in order to work.
Rationale:
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
Identifiers: CCE-80175-3
#
# Set runtime for net.ipv6.conf.all.disable_ipv6
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6="1"
#
# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1"
# else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.disable_ipv6' "1" 'CCE-80175-3'
- name: Ensure sysctl net.ipv6.conf.all.disable_ipv6 is set to 1
  sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv6_conf_all_disable_ipv6
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80175-3
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Configure IPv6 Settings if Necessary

A major feature of IPv6 is the extent to which systems implementing it can
automatically configure their networking devices using information from the
network. From a security perspective, manually configuring important
configuration information is preferable to accepting it from the network in an
unauthenticated fashion.

Values used by the rules in this group (default shown first, then the
selectable values):
net.ipv6.conf.all.accept_redirects - Toggle ICMP Redirect Acceptance (default 0; selectable 0, 1)
net.ipv6.conf.all.accept_source_route - Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. (default 0; selectable 0, 1)
net.ipv6.conf.default.accept_ra - Accept default router advertisements by default? (default 0; selectable 0, 1)
net.ipv6.conf.default.accept_redirects - Toggle ICMP Redirect Acceptance By Default (default 0; selectable 0, 1)
net.ipv6.conf.default.accept_source_route - Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. (default 0; selectable 0, 1)
IPV6_AUTOCONF - Toggle global IPv6 auto-configuration (only if global forwarding is disabled) (default no; selectable no, yes)
net.ipv6.conf.all.accept_ra - Accept all router advertisements? (default 0; selectable 0, 1)
net.ipv6.conf.all.forwarding - Toggle IPv6 Forwarding (default 0; selectable 0, 1)

Use Privacy Extensions for Address

To introduce randomness into the automatic generation of IPv6 addresses, add or
correct the following line in /etc/sysconfig/network-scripts/ifcfg-interface:
IPV6_PRIVACY=rfc3041
Rationale:
Automatically-generated IPv6 addresses are based on the underlying hardware
(e.g. Ethernet) address, and so it becomes possible to track a piece of
hardware over its lifetime using its traffic. If it is important for a system's
IP address to not trivially reveal its hardware address, this setting should be
applied.
Identifiers: CCE-80185-2
# enable randomness in ipv6 address generation
for interface in /etc/sysconfig/network-scripts/ifcfg-*
do
echo "IPV6_PRIVACY=rfc3041" >> $interface
done
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

To set the runtime status of the net.ipv6.conf.default.accept_source_route
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
If this is not the system default value, add the following line to a file in
the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
Rationale:
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
Identifiers: CCE-80355-1
# XCCDF value for this rule (default selection 0, as given in the rule description above)
sysctl_net_ipv6_conf_default_accept_source_route_value="0"
#
# Set runtime for net.ipv6.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value"
#
# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_source_route' "$sysctl_net_ipv6_conf_default_accept_source_route_value" 'CCE-80355-1'
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_source_route_value: !!str 0
  tags:
    - always
- name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set
  sysctl:
    name: net.ipv6.conf.default.accept_source_route
    value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv6_conf_default_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80355-1
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel
parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
If this is not the system default value, add the following line to a file in
the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
Rationale:
Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
Identifiers: CCE-80179-5, RHEL-07-040830, SV-86943r2_rule
# XCCDF value for this rule (default selection 0, as given in the rule description above)
sysctl_net_ipv6_conf_all_accept_source_route_value="0"
#
# Set runtime for net.ipv6.conf.all.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value"
#
# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_source_route' "$sysctl_net_ipv6_conf_all_accept_source_route_value" 'CCE-80179-5'
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_source_route_value: !!str 0
  tags:
    - always
- name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set
  sysctl:
    name: net.ipv6.conf.all.accept_source_route
    value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv6_conf_all_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80179-5
    - DISA-STIG-RHEL-07-040830
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Disable Kernel Parameter for IPv6 Forwarding

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
If this is not the system default value, add the following line to a file in
the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
Rationale:
IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.
Identifiers: CCE-80356-9
# XCCDF value for this rule (default selection 0, as given in the rule description above)
sysctl_net_ipv6_conf_all_forwarding_value="0"
#
# Set runtime for net.ipv6.conf.all.forwarding
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value"
#
# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.forwarding' "$sysctl_net_ipv6_conf_all_forwarding_value" 'CCE-80356-9'
- name: XCCDF Value sysctl_net_ipv6_conf_all_forwarding_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_forwarding_value: !!str 0
  tags:
    - always
- name: Ensure sysctl net.ipv6.conf.all.forwarding is set
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '{{ sysctl_net_ipv6_conf_all_forwarding_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv6_conf_all_forwarding
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80356-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Disable Accepting ICMP Redirects for All IPv6 Interfaces

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel
parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
If this is not the system default value, add the following line to a file in
the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
Rationale:
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Identifiers: CCE-80182-9
# XCCDF value for this rule (default selection 0, as given in the rule description above)
sysctl_net_ipv6_conf_all_accept_redirects_value="0"
#
# Set runtime for net.ipv6.conf.all.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value"
#
# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_redirects' "$sysctl_net_ipv6_conf_all_accept_redirects_value" 'CCE-80182-9'
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_redirects_value: !!str 0
  tags:
    - always
- name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set
  sysctl:
    name: net.ipv6.conf.all.accept_redirects
    value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv6_conf_all_accept_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80182-9
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Manually Assign IPv6 Router Address

Edit the file /etc/sysconfig/network-scripts/ifcfg-interface, and add or
correct the following line (substituting your gateway IP as appropriate):
IPV6_DEFAULTGW=2001:0DB8::0001
Rationale:
Router addresses should be manually set and not accepted via any
auto-configuration or router advertisement.
Identifiers: CCE-80186-0

Manually Assign Global IPv6 Address

To manually assign an IP address for an interface, edit the file
/etc/sysconfig/network-scripts/ifcfg-interface. Add or correct the following
line (substituting the correct IPv6 address):
IPV6ADDR=2001:0DB8::ABCD/64
Rationale:
Manually assigning an IP address is preferable to accepting one from routers or
from the network otherwise. The example address here is an IPv6 address
reserved for documentation purposes, as defined by RFC3849.
Identifiers: CCE-80184-5

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel
parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system default value, add the following line to a file in
the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
Rationale:
An illicit router advertisement message could result in a man-in-the-middle attack.
Identifiers: CCE-80181-1
# XCCDF value for this rule (default selection 0, as given in the rule description above)
sysctl_net_ipv6_conf_default_accept_ra_value="0"
#
# Set runtime for net.ipv6.conf.default.accept_ra
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value"
#
# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_ra' "$sysctl_net_ipv6_conf_default_accept_ra_value" 'CCE-80181-1'
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_ra_value: !!str 0
  tags:
    - always
- name: Ensure sysctl net.ipv6.conf.default.accept_ra is set
  sysctl:
    name: net.ipv6.conf.default.accept_ra
    value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv6_conf_default_accept_ra
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80181-1
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Configure Accepting Router Advertisements on All IPv6 Interfaces

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
If this is not the system default value, add the following line to a file in
the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
Rationale:
An illicit router advertisement message could result in a man-in-the-middle attack.
Identifiers: CCE-80180-3
# XCCDF value for this rule (default selection 0, as given in the rule description above)
sysctl_net_ipv6_conf_all_accept_ra_value="0"
#
# Set runtime for net.ipv6.conf.all.accept_ra
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value"
#
# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_ra' "$sysctl_net_ipv6_conf_all_accept_ra_value" 'CCE-80180-3'
- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_ra_value: !!str 0
  tags:
    - always
- name: Ensure sysctl net.ipv6.conf.all.accept_ra is set
  sysctl:
    name: net.ipv6.conf.all.accept_ra
    value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv6_conf_all_accept_ra
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80180-3
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel
parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system default value, add the following line to a file in
the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
Rationale:
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Identifiers: CCE-80183-7
# XCCDF value for this rule (default selection 0, as given in the rule description above)
sysctl_net_ipv6_conf_default_accept_redirects_value="0"
#
# Set runtime for net.ipv6.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value"
#
# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_redirects' "$sysctl_net_ipv6_conf_default_accept_redirects_value" 'CCE-80183-7'
- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_redirects_value: !!str 0
  tags:
    - always
- name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set
  sysctl:
    name: net.ipv6.conf.default.accept_redirects
    value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv6_conf_default_accept_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80183-7
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
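The sysctl rules above each set one parameter at runtime and persist it to /etc/sysctl.conf or /etc/sysctl.d. The audit script below is an added example, not part of the SCAP Security Guide or its remediation content: it checks all of them at once in both places, reading runtime values from a /proc/sys-style tree and persisted values from sysctl.d/*.conf and sysctl.conf with last-assignment-wins precedence, and it also covers the static-address settings described later in this section under "Limit Network-Transmitted Configuration if Using Static IPv6 Addresses". The expected-value table, the directory-root parameters and the precedence handling are this example's own assumptions.

```shell
#!/bin/sh
# Added audit example; not part of the SCAP Security Guide. It compares the
# IPv6 kernel parameters hardened by the rules in this section with their
# expected values, both at runtime (files under a /proc/sys-style tree) and as
# persisted in sysctl configuration. Both roots are parameters so the functions
# can be pointed at a copied host tree or at constructed test directories; on
# the live host the call would be: audit_ipv6_sysctls /proc/sys /etc

# Expected values, one "parameter value" pair per line, taken from the rules in
# this section (the last three come from the static-address rule).
IPV6_EXPECTED='
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_source_route 0
net.ipv6.conf.default.accept_source_route 0
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
net.ipv6.conf.all.forwarding 0
net.ipv6.conf.default.router_solicitations 0
net.ipv6.conf.default.autoconf 0
net.ipv6.conf.default.max_addresses 1
'

# runtime_value <proc_sys_root> <parameter>
# Prints the current kernel value (net.ipv6.conf.all.accept_ra is read from
# <proc_sys_root>/net/ipv6/conf/all/accept_ra); prints nothing if unreadable.
runtime_value() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then
        tr -d '[:space:]' < "$path"
    fi
}

# persisted_value <etc_root> <parameter>
# Prints the value that "sysctl --system" would apply for <parameter>, or
# nothing if no file sets it. Files are read in the order procps-ng uses for
# the two locations this guide writes to: <etc_root>/sysctl.d/*.conf sorted by
# name, then <etc_root>/sysctl.conf, with the last assignment winning.
# (The /run and /usr/lib sysctl.d directories are deliberately not considered.)
persisted_value() {
    etc_root=$1
    pattern=$(printf '%s' "$2" | sed 's/\./\\./g')
    value=""
    for f in "$etc_root"/sysctl.d/*.conf "$etc_root/sysctl.conf"; do
        [ -f "$f" ] || continue
        # Accept "key = value" and "key=value"; ignore comments and trailing text.
        v=$(sed -n "s/^[[:space:]]*$pattern[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then
            value=$v
        fi
    done
    printf '%s' "$value"
}

# audit_ipv6_sysctls <proc_sys_root> <etc_root>
# Prints one line per deviation (runtime or persisted) and returns the number
# of deviations, so 0 means every parameter is compliant in both places.
audit_ipv6_sysctls() {
    findings=0
    while read -r param expected; do
        [ -n "$param" ] || continue
        actual=$(runtime_value "$1" "$param")
        saved=$(persisted_value "$2" "$param")
        if [ "$actual" != "$expected" ]; then
            printf 'RUNTIME   %s = %s (expected %s)\n' "$param" "${actual:-<unset>}" "$expected"
            findings=$((findings + 1))
        fi
        if [ "$saved" != "$expected" ]; then
            printf 'PERSISTED %s = %s (expected %s)\n' "$param" "${saved:-<unset>}" "$expected"
            findings=$((findings + 1))
        fi
    done <<EOF
$IPV6_EXPECTED
EOF
    return "$findings"
}
```

A parameter that is correct at runtime but absent from the persisted configuration is reported as a PERSISTED deviation, which is exactly the drift that survives a reboot check.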
Limit Network-Transmitted Configuration if Using Static IPv6 Addresses

To limit the configuration information requested from other systems and
accepted from the network on a system that uses statically-configured IPv6
addresses, add the following lines to /etc/sysctl.conf:
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
The router_solicitations setting determines how many router
solicitations are sent when bringing up the interface. If addresses are
statically assigned, there is no need to send any solicitations.
The accept_ra_pinfo setting controls whether the system will accept
prefix info from the router.
The accept_ra_defrtr setting controls whether the system will accept
Hop Limit settings from a router advertisement. Setting it to 0 prevents a
router from changing your default IPv6 Hop Limit for outgoing packets.
The autoconf setting controls whether router advertisements can cause
the system to assign a global unicast address to an interface.
The dad_transmits setting determines how many neighbor solicitations
to send out per address (global and link-local) when bringing up an interface
to ensure the desired address is unique on the network.
The max_addresses setting determines how many global unicast IPv6
addresses can be assigned to each interface. The default is 16, but it should
be set to exactly the number of statically configured global addresses
required.

IPSec Support

Support for Internet Protocol Security (IPsec) is provided in Red Hat
Enterprise Linux 7 with Libreswan.

Install libreswan Package

The Libreswan package provides an implementation of IPsec and IKE, which
permits the creation of secure tunnels over untrusted networks. The libreswan
package can be installed with the following command:
$ sudo yum install libreswan
Rationale:
Providing the ability for remote users or systems to initiate a secure VPN
connection protects information when it is transmitted over a wide area
network.
Identifiers: CCE-80170-4
if ! rpm -q --quiet "libreswan" ; then
yum install -y "libreswan"
fi
- name: Ensure libreswan is installed
  package:
    name: libreswan
    state: present
  tags:
    - package_libreswan_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80170-4
    - PCI-DSS-Req-4.1
    - NIST-800-53-CM-6(a)
include install_libreswan
class install_libreswan {
package { 'libreswan':
ensure => 'installed',
}
}
package --add=libreswan
Verify Any Configured IPSec Tunnel Connections

Libreswan provides an implementation of IPsec and IKE, which permits the
creation of secure tunnels over untrusted networks. As such, IPsec can be used
to circumvent certain network requirements such as filtering. Verify that any
IPsec connection (conn) configured in /etc/ipsec.conf and /etc/ipsec.d is an
approved organizational connection.
Rationale:
IP tunneling mechanisms can be used to bypass network filtering.
Identifiers: CCE-80171-2, RHEL-07-040820, SV-86941r2_rule

iptables and ip6tables

A host-based firewall called netfilter is included as part of the Linux kernel
distributed with the system. It is activated by default. This firewall is
controlled by the program iptables, and the entire capability is frequently
referred to by this name. An analogous program called ip6tables handles
filtering for IPv6.
Unlike TCP Wrappers, which depends on the network server program to support and
respect the rules written, netfilter filtering occurs at the kernel level,
before a program can even process the data from the network packet. As such,
any program on the system is affected by the rules written.
This section provides basic information about strengthening the iptables and
ip6tables configurations included with the system. For more complete
information that may allow the construction of a sophisticated ruleset tailored
to your environment, please consult the references at the end of this section.

Install iptables Package

The iptables package can be installed with the following command:
$ sudo yum install iptables
Rationale:
iptables controls the Linux kernel network packet filtering code. iptables
allows system operators to set up firewalls and IP masquerading, etc.
Identifiers: CCE-82983-8
if ! rpm -q --quiet "iptables" ; then
yum install -y "iptables"
fi
- name: Ensure iptables is installed
  package:
    name: iptables
    state: present
  tags:
    - package_iptables_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82983-8
    - NIST-800-53-CM-6(a)
include install_iptables
class install_iptables {
package { 'iptables':
ensure => 'installed',
}
}
package --add=iptables
Inspect and Activate Default Rules

View the currently-enforced iptables rules by running
the command:
$ sudo iptables -nL --line-numbers
The command is analogous for ip6tables.
If the firewall does not appear to be active (i.e., no rules
appear), activate it and ensure that it starts at boot by issuing
the following commands (and analogously for ip6tables):
$ sudo service iptables restart
The default iptables rules are:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
The ip6tables default rules are essentially the same.

Verify ip6tables Enabled if Using IPv6

The ip6tables service can be enabled with the following command:
$ sudo systemctl enable ip6tables.service
Rationale:
The ip6tables service provides the system's host-based firewalling
capability for IPv6 and ICMPv6.
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'ip6tables.service'
"$SYSTEMCTL_EXEC" enable 'ip6tables.service'
Remediation Ansible snippet:

- name: Enable service ip6tables
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service ip6tables
      service:
        name: ip6tables
        enabled: 'yes'
        state: started
      when:
        - '"iptables-ipv6" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_ip6tables_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - NIST-800-53-AC-4
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CA-3(5)
    - NIST-800-53-SC-7(21)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:

include enable_ip6tables
class enable_ip6tables {
  service {'ip6tables':
    enable => true,
    ensure => 'running',
  }
}
Verify iptables Enabled

The iptables service can be enabled with the following command:

$ sudo systemctl enable iptables.service

Rationale: The iptables service provides the system's host-based firewalling
capability for IPv4 and ICMP.

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'iptables.service'
"$SYSTEMCTL_EXEC" enable 'iptables.service'
Remediation Ansible snippet:

- name: Enable service iptables
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service iptables
      service:
        name: iptables
        enabled: 'yes'
        state: started
      when:
        - '"iptables" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_iptables_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - NIST-800-53-AC-4
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CA-3(5)
    - NIST-800-53-SC-7(21)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:

include enable_iptables
class enable_iptables {
  service {'iptables':
    enable => true,
    ensure => 'running',
  }
}
Set Default ip6tables Policy for Incoming Packets

To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/ip6tables:

:INPUT DROP [0:0]

If changes were required, reload the ip6tables rules:

$ sudo service ip6tables reload

Rationale: In ip6tables, the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to DROP implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.

Strengthen the Default Ruleset

The default rules can be strengthened. The system
scripts that activate the firewall rules expect them to be defined
in the configuration files iptables and ip6tables in the directory
/etc/sysconfig. Many of the lines in these files are similar
to the command line arguments that would be provided to the programs
/sbin/iptables or /sbin/ip6tables, but some are quite
different.
The following recommendations describe how to strengthen the
default ruleset configuration file. An alternative to editing this
configuration file is to create a shell script that makes calls to
the iptables program to load in rules, and then invokes
"service iptables save" to write those loaded rules to
/etc/sysconfig/iptables.
The following alterations can be made directly to
/etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
Instructions apply to both unless otherwise noted. Language and address
conventions for regular iptables are used throughout this section;
configuration for ip6tables will be either analogous or explicitly
covered.

Warning: The program system-config-securitylevel
allows additional services to penetrate the default firewall rules
and automatically adjusts /etc/sysconfig/iptables. This program
is only useful if the default ruleset meets your security
requirements. Otherwise, this program should not be used to make
changes to the firewall configuration because it re-writes the
saved configuration file.

Set Default iptables Policy for Forwarded Packets

To set the default policy to DROP (instead of ACCEPT) for
the built-in FORWARD chain which processes packets that will be forwarded from
one interface to another,
add or correct the following line in
/etc/sysconfig/iptables:

:FORWARD DROP [0:0]

Rationale: In iptables, the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to DROP implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.

Set Default iptables Policy for Incoming Packets

To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/iptables:

:INPUT DROP [0:0]

Rationale: In iptables, the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to DROP implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.

Restrict ICMP Message Types

In /etc/sysconfig/iptables, the accepted ICMP message
types can be restricted. To accept only ICMP echo reply, destination
unreachable, and time exceeded messages, remove the line:

-A INPUT -p icmp --icmp-type any -j ACCEPT
and insert the lines:

-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

To allow the system to respond to pings, also insert the following line:

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Ping responses can also be limited to certain networks or hosts by using the -s
option in the previous rule. Because IPv6 depends so heavily on ICMPv6, it is
preferable to deny the ICMPv6 packets you know you don't need (e.g. ping
requests) in /etc/sysconfig/ip6tables, while letting everything else
through:

-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

If you are going to statically configure the system's address, it should
ignore Router Advertisements which could add another IPv6 address to the
interface or alter important network settings:

-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP

Restricting ICMPv6 message types in /etc/sysconfig/ip6tables is not
recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great
care must be taken if any other ICMPv6 types are blocked.

Log and Drop Packets with Suspicious Source Addresses

Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the
modified policy will reject non-matching packets, you only need to add these rules if you are interested in also
logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious
traffic, add identical rules with a target of DROP after each LOG.
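The three ruleset properties asked for in the preceding sections (DROP default policies on INPUT and FORWARD, no blanket ICMP accept, and a DROP rule after every LOG rule matching the same traffic) can be audited offline against the saved file. The following script is an added example and is not code from this guide or from the scap-security-guide project; the sample /etc/sysconfig/iptables content is constructed.

```python
"""Audit an /etc/sysconfig/iptables style ruleset (iptables-save format).

Added example for this guide, not scap-security-guide code. It checks that
  * the INPUT and FORWARD chain policies are DROP,
  * no rule accepts ICMP with --icmp-type any, and
  * every LOG rule is immediately followed by a DROP rule with the same match.
"""
import shlex

# Constructed sample: a RHEL 7 style ruleset with two recommended changes
# left out on purpose (FORWARD policy, ICMP restriction) and one LOG rule
# that has no DROP after it, so the audit has something to report.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_ruleset(text):
    """Return (policies, rules): chain policies and a list of tokenised -A rules."""
    policies = {}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            # ":INPUT DROP [0:0]" -> chain name and its policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line))  # keeps quoted --log-prefix intact
    return policies, rules


def _target(tokens):
    """Jump target (-j) of a rule, or None if it has none."""
    for i, tok in enumerate(tokens):
        if tok == "-j" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _match_part(tokens):
    """Rule tokens without the jump target and LOG-only options.

    A LOG rule and the DROP rule that follows it must select the same
    traffic, so everything except the target must compare equal.
    """
    out, skip = [], 0
    for tok in tokens:
        if skip:
            skip -= 1
        elif tok in ("-j", "--log-prefix", "--log-level"):
            skip = 1  # drop this option together with its argument
        else:
            out.append(tok)
    return out


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for i, rule in enumerate(rules):
        target = _target(rule)
        if target == "ACCEPT" and "--icmp-type" in rule:
            idx = rule.index("--icmp-type")
            if idx + 1 < len(rule) and rule[idx + 1] == "any":
                findings.append("rule accepts all ICMP types: " + " ".join(rule))
        if target == "LOG":
            nxt = rules[i + 1] if i + 1 < len(rules) else None
            if nxt is None or _target(nxt) != "DROP" or _match_part(nxt) != _match_part(rule):
                findings.append("LOG rule without a matching DROP after it: " + " ".join(rule))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET):
        print("FINDING:", finding)
```

Running it against the real file (`audit(open("/etc/sysconfig/iptables").read())`) reports the same three classes of deviation; an ip6tables file can be checked the same way after swapping `--icmp-type` for `--icmpv6-type`.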
To log and then drop these IPv4 packets, insert the following rules in /etc/sysconfig/iptables (excepting
any that are intentionally used):

-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "

Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected
on your network:

-A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: "
-A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "

If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those:

-A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: "
-A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: "

If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and
do not plan to have any services that multicast to the entire local network), you can block the link-local
all-nodes multicast address (before accepting incoming ICMPv6):

-A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: "

However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should
then consider logging the non-routable IPv4-compatible addresses (the multicast prefix below is written with
four octets, ::224.0.0.0/100; the original text carried a stray fifth octet):

-A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: "
-A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -s ::224.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: "

If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped:

-A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: "
-A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: "

The following rule will log all traffic originating from a site-local address, which is deprecated address space:

-A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "

firewalld

The dynamic firewall daemon firewalld provides a
dynamically managed firewall with support for network “zones” to assign
a level of trust to a network and its associated connections and interfaces.
It has support for IPv4 and IPv6 firewall settings. It supports Ethernet
bridges and has a separation of runtime and permanent configuration options.
It also has an interface for services or applications to add firewall rules
directly.
A graphical configuration tool, firewall-config, is used to configure
firewalld, which in turn uses the iptables tool to communicate
with Netfilter in the kernel, which implements packet filtering.
The firewall service provided by firewalld is dynamic rather than
static because changes to the configuration can be made at any time and are
immediately implemented. There is no need to save or apply the changes. No
unintended disruption of existing network connections occurs as no part of
the firewall has to be reloaded.

Inspect and Activate Default firewalld Rules

Firewalls can be used to separate networks into different zones
based on the level of trust the user has decided to place on the devices and
traffic within that network. NetworkManager informs firewalld to which
zone an interface belongs. An interface's assigned zone can be changed by
NetworkManager or via the firewall-config tool.
The zone settings in /etc/firewalld/ are a range of preset settings
which can be quickly applied to a network interface. These are the zones
provided by firewalld sorted according to the default trust level of the
zones from untrusted to trusted:

drop: Any incoming network packets are dropped, there is no
reply. Only outgoing network connections are possible.

block: Any incoming network connections are rejected with an
icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited
for IPv6. Only network connections initiated from within the system are
possible.

public: For use in public areas. You do not trust the other
computers on the network to not harm your computer. Only selected incoming
connections are accepted.

external: For use on external networks with masquerading enabled,
especially for routers. You do not trust the other computers on the network to
not harm your computer. Only selected incoming connections are accepted.

dmz: For computers in your demilitarized zone that are
publicly accessible with limited access to your internal network. Only selected
incoming connections are accepted.

work: For use in work areas. You mostly trust the other computers
on networks to not harm your computer. Only selected incoming connections are
accepted.

home: For use in home areas. You mostly trust the other computers
on networks to not harm your computer. Only selected incoming connections are
accepted.

internal: For use on internal networks. You mostly trust the
other computers on the networks to not harm your computer. Only selected
incoming connections are accepted.

trusted: All network connections are accepted.

It is possible to designate one of these zones to be the default zone. When
interface connections are added to NetworkManager, they are assigned
to the default zone. On installation, the default zone in firewalld is set to
be the public zone.
To find out all the settings of a zone, for example the public zone,
enter the following command as root:

# firewall-cmd --zone=public --list-all

Example output of this command might look like the following:

# firewall-cmd --zone=public --list-all
public
  interfaces:
  services: mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks: source-quench

To view the services that firewalld currently knows about (the listing below shows
services, which is what this command returns), enter the following command as root:

# firewall-cmd --get-services

The following listing displays the result of this command
on a common Red Hat Enterprise Linux 7 system:

# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp
high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd
ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn
pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind
samba samba-client smtp ssh telnet tftp tftp-client transmission-client
vnc-server wbem-https

Finally, to view the services in the permanent configuration, which is what will be
active after the next firewalld service reload, enter the following command as root:

# firewall-cmd --get-services --permanent

Install firewalld Package

The firewalld package can be installed with the following command:

$ sudo yum install firewalld

Rationale: The firewalld package should be installed to provide access control methods.

Identifiers: CCE-82999-4

Remediation Shell script:

if ! rpm -q --quiet "firewalld" ; then
  yum install -y "firewalld"
fi
Remediation Ansible snippet:

- name: Ensure firewalld is installed
  package:
    name: firewalld
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_firewalld_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82999-4
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:

include install_firewalld
class install_firewalld {
  package { 'firewalld':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:

package --add=firewalld
Verify firewalld Enabled

The firewalld service can be enabled with the following command:

$ sudo systemctl enable firewalld.service

Rationale: Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols.

Identifiers: CCE-80998-8

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'firewalld.service'
"$SYSTEMCTL_EXEC" enable 'firewalld.service'
Remediation Ansible snippet:

- name: Enable service firewalld
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service firewalld
      service:
        name: firewalld
        enabled: 'yes'
        state: started
      when:
        - '"firewalld" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_firewalld_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80998-8
    - DISA-STIG-RHEL-07-040520
    - NIST-800-171-3.1.3
    - NIST-800-171-3.4.7
    - NIST-800-53-AC-4
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CA-3(5)
    - NIST-800-53-SC-7(21)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:

include enable_firewalld
class enable_firewalld {
  service {'firewalld':
    enable => true,
    ensure => 'running',
  }
}
Strengthen the Default Ruleset

The default rules can be strengthened. The system
scripts that activate the firewall rules expect them to be defined
in configuration files under the /etc/firewalld/services
and /etc/firewalld/zones directories.
The following recommendations describe how to strengthen the
default ruleset configuration file. An alternative to editing this
configuration file is to create a shell script that makes calls to
the firewall-cmd program to load in rules under the /etc/firewalld/services
and /etc/firewalld/zones directories.
Instructions apply to both unless otherwise noted. Language and address
conventions for regular firewalld rules are used throughout this section.

Warning: The program firewall-config
allows additional services to penetrate the default firewall rules
and automatically adjusts the firewalld ruleset(s).

Set Default firewalld Zone for Incoming Packets

To set the default zone to drop for
the built-in default zone which processes incoming IPv4 and IPv6 packets,
modify the following line in
/etc/firewalld/firewalld.conf to be:

DefaultZone=drop

Warning: To prevent denying any access to the system, automatic remediation
of this control is not available. Remediation must be automated as
a component of machine provisioning, or followed manually as outlined
above.

Rationale: In firewalld the default zone is applied only after all
the applicable rules in the table are examined for a match. Setting the
default zone to drop implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.

Identifiers: CCE-27349-0

Configure the Firewalld Ports

Configure the firewalld ports to allow approved
services to have access to the system. To configure firewalld
to open ports, run the following command:

$ sudo firewall-cmd --permanent --add-port=port_number/tcp

or, for a named service:

$ sudo firewall-cmd --permanent --add-service=service_name

Run the command listed above for each of the ports listed below:
To configure firewalld to allow access, run the following command(s):

firewall-cmd --permanent --add-service=ssh

Rationale: In order to prevent unauthorized connection of devices, unauthorized
transfer of information, or unauthorized tunneling (i.e., embedding of data
types within data types), organizations must disable or restrict unused or
unnecessary physical and logical ports/protocols on information systems.
Operating systems are capable of providing a wide variety of functions and
services. Some of the functions and services provided by default may not be
necessary to support essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services from
a single component (e.g., VPN and IPS); however, doing so increases risk
over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the
operating system must support the organizational requirements, providing
only essential capabilities and limiting the use of ports, protocols,
and/or services to only those required, authorized, and approved to conduct
official business or to address authorized quality of life issues.

Identifiers: CCE-80447-6

Remediation Shell script:

if ! rpm -q --quiet "firewalld" ; then
  yum install -y "firewalld"
fi
firewalld_sshd_zone=""
# firewalld_sshd_zone is an XCCDF variable substituted when the profile is built;
# this rendering left it empty. It must name one of the pre-defined zones.
# replace_or_append (used below) is a shared helper from the scap-security-guide
# remediation library and is not defined in this snippet.
if [ ! -f /etc/firewalld/zones/${firewalld_sshd_zone}.xml ]; then
  cp /usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml /etc/firewalld/zones/${firewalld_sshd_zone}.xml
fi
if ! grep -q 'service name="ssh"' /etc/firewalld/zones/${firewalld_sshd_zone}.xml; then
  sed -i '/<\/description>/a \
<service name="ssh"/>' /etc/firewalld/zones/${firewalld_sshd_zone}.xml
fi
# Check if any Ethernet interface is bound to the zone with the SSH service enabled
nic_bound=false
# Collect the interfaces as an array so that ${eth_interface_list[0]} below is the
# first interface rather than the whole list (the original used a plain string).
eth_interface_list=($(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)'))
for interface in "${eth_interface_list[@]}"; do
  if grep -q "ZONE=$firewalld_sshd_zone" /etc/sysconfig/network-scripts/ifcfg-$interface 2>/dev/null; then
    nic_bound=true
    break
  fi
done
if [ $nic_bound = false ]; then
  # Add first NIC to SSH enabled zone
  if ! firewall-cmd --state -q; then
    replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" 'CCE-80447-6' '%s=%s'
  else
    # If the firewalld service is running, this step must be done with firewall-cmd.
    # Otherwise firewalld will communicate with NetworkManager and revert the assigned zone
    # of NetworkManager-managed interfaces upon reload.
    firewall-cmd --permanent --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]}
    firewall-cmd --reload
  fi
fi
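The "Set Default firewalld Zone" and "Configure the Firewalld Ports" rules above can be verified offline from firewalld's permanent configuration: DefaultZone in /etc/firewalld/firewalld.conf, the zone XML files under /etc/firewalld/zones, and the ZONE= settings of the ifcfg files that the shell remediation inspects. The script below is an added example, not code from this guide or the scap-security-guide project; the configuration files, interface bindings and the approved-service list are all constructed.

```python
"""Audit firewalld's permanent configuration offline.

Added example for this guide, not scap-security-guide code. Inputs are the
text of /etc/firewalld/firewalld.conf, the zone XML files from
/etc/firewalld/zones, and the ZONE= values of the ifcfg files; everything
below is constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed sample: DefaultZone was left at "public", the public zone
# carries an unapproved service and port, and no interface is explicitly
# bound to the zone that allows ssh, so the audit has findings.
FIREWALLD_CONF = """\
# firewalld config file
DefaultZone=public
MinimalMark=100
"""

ZONE_FILES = {
    "public": """\
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="telnet"/>
  <port protocol="tcp" port="8080"/>
</zone>
""",
    "drop": """\
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped.</description>
</zone>
""",
}

# ZONE= values read from /etc/sysconfig/network-scripts/ifcfg-* (constructed).
# Interfaces without a ZONE= line fall into DefaultZone; they are not listed here.
IFCFG_ZONES = {"eth0": "drop"}

APPROVED_SERVICES = {"ssh", "dhcpv6-client"}  # what this host is allowed to offer


def parse_firewalld_conf(text):
    """Return the key=value settings of firewalld.conf as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def parse_zone(xml_text):
    """Return (services, ports, interfaces) declared in one zone XML file."""
    root = ET.fromstring(xml_text)
    services = {s.get("name") for s in root.findall("service")}
    ports = {(p.get("port"), p.get("protocol")) for p in root.findall("port")}
    interfaces = {i.get("name") for i in root.findall("interface")}
    return services, ports, interfaces


def audit(conf_text, zone_files, ifcfg_zones, approved):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    default_zone = parse_firewalld_conf(conf_text).get("DefaultZone")
    if default_zone != "drop":
        findings.append(f"DefaultZone is {default_zone!r}, expected 'drop'")

    bound = {}  # zone -> interfaces bound to it via ifcfg ZONE= or zone XML
    for iface, zone in ifcfg_zones.items():
        bound.setdefault(zone, set()).add(iface)

    ssh_zones = []
    for zone, xml_text in zone_files.items():
        services, ports, interfaces = parse_zone(xml_text)
        bound.setdefault(zone, set()).update(interfaces)
        for svc in sorted(services - approved):
            findings.append(f"zone {zone}: service {svc!r} is not approved")
        for port, proto in sorted(ports):
            findings.append(f"zone {zone}: open port {port}/{proto} is not approved")
        if "ssh" in services:
            ssh_zones.append(zone)

    if not ssh_zones:
        findings.append("no zone allows the ssh service")
    elif not any(bound.get(z) for z in ssh_zones):
        findings.append("ssh is allowed in " + ", ".join(ssh_zones)
                        + " but no interface is explicitly bound to that zone")
    return findings


if __name__ == "__main__":
    for finding in audit(FIREWALLD_CONF, ZONE_FILES, IFCFG_ZONES, APPROVED_SERVICES):
        print("FINDING:", finding)
```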
Configure firewalld To Rate Limit Connections

Create a direct firewall rule to protect against DoS attacks with the following
command:

$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES

Rationale: DoS is a condition in which a resource is not available for legitimate users. When
this occurs, the organization either cannot accomplish its mission or must
operate at degraded capacity.
This requirement addresses the configuration of
the operating system to mitigate the impact of DoS attacks that have occurred or
are ongoing on system availability. For each system, known and potential DoS
attacks must be identified and solutions for each type implemented. A variety of
technologies exist to limit or, in some cases, eliminate the effects of DoS
attacks (e.g., limiting processes or establishing memory partitions). Employing
increased capacity and bandwidth, combined with service redundancy, may reduce
the susceptibility to some DoS attacks.

Identifiers: CCE-80542-4

Remediation Shell script:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES
firewall-cmd --reload
Remediation Ansible snippet:

- name: Configure rate limiting direct rule for firewalld
  command: firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0
    -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - configure_firewalld_rate_limiting
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80542-4
    - DISA-STIG-RHEL-07-040510
    - NIST-800-53-SC-5
    - NIST-800-53-SC-5(1)
    - NIST-800-53-SC-5(2)
    - NIST-800-53-SC-5(3)(a)
    - NIST-800-53-CM-6(a)
Kernel Parameters Which Affect Networking

The sysctl utility is used to set
parameters which affect the operation of the Linux kernel. Kernel parameters
which affect networking and have security implications are described here.

Network Related Kernel Runtime Parameters for Hosts and Routers

Certain kernel parameters should be set for systems which are
acting as either hosts or routers to improve the system's ability to defend
against certain types of IPv4 protocol attacks. For each parameter, the
selected value is given first, followed by the values the profile allows.

net.ipv4.conf.all.secure_redirects
  Enable to prevent hijacking of routing path by only allowing redirects
  from gateways known in routing table. Disable to refuse acceptance of
  secure ICMP redirected packets on all interfaces.
  Selected value: 0 (possible values: 0, 1)

net.ipv4.conf.default.secure_redirects
  Enable to prevent hijacking of routing path by only allowing redirects
  from gateways known in routing table. Disable to refuse acceptance of
  secure ICMP redirected packets by default.
  Selected value: 0 (possible values: 0, 1)

net.ipv4.conf.all.accept_source_route
  Trackers could be using source-routed packets to generate traffic that
  seems to be intra-net, but actually was created outside and has been
  redirected.
  Selected value: 0 (possible values: 0, 1)

net.ipv4.tcp_invalid_ratelimit
  Configure the maximal rate for sending duplicate acknowledgments in
  response to incoming invalid TCP packets.
  Selected value: 500 (possible values: 1000, 500, 100, 250)

net.ipv4.icmp_ignore_bogus_error_responses
  Enable to prevent unnecessary logging.
  Selected value: 1 (possible values: 0, 1)

net.ipv4.conf.default.accept_redirects
  Disable ICMP redirect acceptance.
  Selected value: 0 (possible values: 0, 1)

net.ipv4.conf.all.log_martians
  Disable so you don't log spoofed packets, source routed packets,
  redirect packets.
  Selected value: 1 (possible values: 0, 1)

net.ipv4.conf.default.accept_source_route
  Disable IP source routing.
  Selected value: 0 (possible values: 0, 1)

net.ipv4.conf.default.rp_filter
  Enables source route verification.
  Selected value: 1 (possible values: 0, 1)

net.ipv4.tcp_syncookies
  Enable to turn on TCP SYN Cookie Protection.
  Selected value: 1 (possible values: 0, 1)

net.ipv4.icmp_echo_ignore_broadcasts
  Ignore all ICMP ECHO and TIMESTAMP requests sent to it via
  broadcast/multicast.
  Selected value: 1 (possible values: 0, 1)

net.ipv4.conf.all.accept_redirects
  Disable ICMP redirect acceptance.
  Selected value: 0 (possible values: 0, 1)

net.ipv4.conf.all.rp_filter
  Enable to enforce sanity checking, also called ingress filtering or
  egress filtering. The point is to drop a packet if the source and
  destination IP addresses in the IP header do not make sense when
  considered in light of the physical interface on which it arrived.
  Selected value: 1 (possible values: 0, 1)

net.ipv4.conf.default.log_martians
  Disable so you don't log spoofed packets, source routed packets,
  redirect packets.
  Selected value: 1 (possible values: 0, 1)

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.accept_source_route = 0

Rationale: Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as a
router.

Identifiers: CCE-80162-1
Remediation Shell script:

sysctl_net_ipv4_conf_default_accept_source_route_value=""
# The value is substituted from the XCCDF variable when the profile is built;
# this rendering left it empty. For this rule the intended value is 0.
#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value"
#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
# (replace_or_append is a shared helper from the scap-security-guide remediation library)
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_source_route' "$sysctl_net_ipv4_conf_default_accept_source_route_value" 'CCE-80162-1'
Remediation Ansible snippet:

- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_source_route_value # promote to variable
  set_fact:
    # value substituted from the XCCDF variable at build time; empty in this rendering
    sysctl_net_ipv4_conf_default_accept_source_route_value: !!str
  tags:
    - always
- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set
  sysctl:
    name: net.ipv4.conf.default.accept_source_route
    value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_default_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80162-1
    - DISA-STIG-RHEL-07-040620
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - CJIS-5.10.1.1
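The rules in this section write their settings either to /etc/sysctl.d or to /etc/sysctl.conf, and `sysctl --system` merges all of these files, so a stale line in a later-read file silently overrides an earlier one. The following script is an added example, not code from this guide or the scap-security-guide project: it reproduces that merge order and compares the result with the selected values from the parameter table above. The directory order follows the procps-ng sysctl(8) man page on RHEL 7 and is an assumption; the file contents are constructed.

```python
"""Audit persistent sysctl settings against the network parameter baseline.

Added example for this guide, not scap-security-guide code. It merges
sysctl files the way `sysctl --system` does and reports every baseline key
whose effective persistent value deviates. All file contents are constructed.
"""

# Expected values: the selected value of each parameter in the table above.
BASELINE = {
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.tcp_invalid_ratelimit": "500",
}

# Constructed sample (path, content) pairs as they would be read from disk.
SAMPLE_FILES = [
    ("/usr/lib/sysctl.d/50-default.conf",
     "net.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.all.rp_filter = 1\n"),
    # Same file name in /etc/sysctl.d shadows the vendor file above entirely,
    # so all.rp_filter is no longer set anywhere.
    ("/etc/sysctl.d/50-default.conf", "net.ipv4.conf.default.rp_filter = 2\n"),
    ("/etc/sysctl.d/99-hardening.conf",
     "# hardening per the guide\n"
     "net.ipv4.conf.all.accept_source_route = 0\n"
     "net.ipv4.conf.default.accept_source_route = 0\n"
     "net.ipv4.conf.all.secure_redirects = 0\n"
     "net.ipv4.conf.default.secure_redirects = 0\n"
     "net.ipv4.conf.all.accept_redirects = 0\n"
     "net.ipv4.conf.default.accept_redirects = 0\n"
     "net.ipv4.conf.all.log_martians = 1\n"
     "net.ipv4.conf.default.log_martians = 1\n"
     "net.ipv4.icmp_echo_ignore_broadcasts = 1\n"
     "net.ipv4.icmp_ignore_bogus_error_responses = 1\n"
     "net.ipv4.tcp_invalid_ratelimit = 500\n"),
    # /etc/sysctl.conf is read last, so this stale line wins over 99-hardening.conf.
    ("/etc/sysctl.conf",
     "net.ipv4.conf.all.accept_redirects = 1\nnet/ipv4/tcp_syncookies = 1\n"),
]

# Assumption: directory order as documented for sysctl --system on RHEL 7.
DIR_ORDER = ["/run/sysctl.d", "/etc/sysctl.d", "/usr/local/lib/sysctl.d",
             "/usr/lib/sysctl.d", "/lib/sysctl.d"]


def normalize_key(key):
    """sysctl accepts dotted or slash-separated names; use the dotted form.

    Interface names that themselves contain dots (VLAN devices) are not handled.
    """
    return key.strip().replace("/", ".")


def parse_sysctl_file(content):
    """Yield (key, value) pairs from a sysctl.conf style file."""
    for line in content.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield normalize_key(key), value.strip()


def apply_order(files):
    """Order (path, content) pairs the way sysctl --system reads them.

    Files are read directory by directory in DIR_ORDER, in name order within
    a directory; a file whose name was already read from an earlier directory
    is skipped; /etc/sysctl.conf is always read last.
    """
    ranked = []
    for path, content in files:
        name = path.rsplit("/", 1)[1]
        rank = next((i for i, d in enumerate(DIR_ORDER) if path.startswith(d + "/")),
                    len(DIR_ORDER))
        ranked.append(((rank, name), path, content))
    ordered, seen = [], set()
    for (rank, name), path, content in sorted(ranked, key=lambda r: r[0]):
        if rank < len(DIR_ORDER) and name in seen:
            continue  # shadowed by a same-named file in an earlier directory
        seen.add(name)
        ordered.append((path, content))
    return ordered


def effective_settings(files):
    """Merge all files; for a repeated key the last setting read wins."""
    settings = {}
    for _path, content in apply_order(files):
        for key, value in parse_sysctl_file(content):
            settings[key] = value
    return settings


def audit(files, baseline):
    """Return {key: (expected, actual)} for every baseline key that deviates."""
    actual = effective_settings(files)
    return {k: (v, actual.get(k)) for k, v in baseline.items() if actual.get(k) != v}


if __name__ == "__main__":
    for key, (expected, actual) in sorted(audit(SAMPLE_FILES, BASELINE).items()):
        print(f"{key}: expected {expected}, persistent value {actual}")
```

The persistent value is only what will be applied at the next `sysctl --system`; compare it with `sysctl -n <key>` to catch a running system that was changed with `sysctl -w` but never made persistent.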
Configure Kernel to Rate Limit Sending of Duplicate TCP AcknowledgmentsMake sure that the system is configured to limit the maximal rate for sending
duplicate acknowledgments in response to incoming TCP packets that are for
an existing connection but that are invalid due to any of these reasons:
(a) out-of-window sequence number, (b) out-of-window acknowledgment number,
or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure.
This measure protects against or limits effects of DoS attacks against the system.
Set the system to implement rate-limiting measures by adding the following line to
/etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory
(or modify the line to have the required value):
net.ipv4.tcp_invalid_ratelimit =
Issue the following command to make the changes take effect:
# sysctl --system
References: CCI-002385, SC-5, SRG-OS-000420-GPOS-00186, RHEL-07-040510, SRG-OS-000420-VMM-001690
Rationale: Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When
this occurs, the organization either cannot accomplish its mission or must
operate at degraded capacity.
This can help mitigate simple “ack loop” DoS attacks, wherein a buggy or
malicious middlebox or man-in-the-middle can rewrite TCP header fields in
a manner that causes each endpoint to think that the other is sending invalid
TCP segments, thus causing each side to send an unterminating stream of
duplicate acknowledgments for invalid segments.
Identifiers: CCE-82893-9

Remediation Shell script:
sysctl_net_ipv4_tcp_invalid_ratelimit_value=""
#
# Set runtime for net.ipv4.tcp_invalid_ratelimit
#
/sbin/sysctl -q -n -w net.ipv4.tcp_invalid_ratelimit="$sysctl_net_ipv4_tcp_invalid_ratelimit_value"
#
# If net.ipv4.tcp_invalid_ratelimit present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.tcp_invalid_ratelimit = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.tcp_invalid_ratelimit' "$sysctl_net_ipv4_tcp_invalid_ratelimit_value" 'CCE-82893-9'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_tcp_invalid_ratelimit_value # promote to variable
  set_fact:
    sysctl_net_ipv4_tcp_invalid_ratelimit_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.tcp_invalid_ratelimit is set
  sysctl:
    name: net.ipv4.tcp_invalid_ratelimit
    value: '{{ sysctl_net_ipv4_tcp_invalid_ratelimit_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_tcp_invalid_ratelimit
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82893-9
    - DISA-STIG-RHEL-07-040510
    - NIST-800-53-SC-5
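sysctl --system, as used above, reads /run/sysctl.d/*.conf, /etc/sysctl.d/*.conf, the sysctl.d directories under /usr/local/lib, /usr/lib and /lib, and finally /etc/sysctl.conf, applying them in that order: the last assignment of a key wins, and a file whose name was already read from an earlier directory is skipped. A drop-in that sets the hardened value can therefore be undone by a later-sorted drop-in or by a forgotten line in /etc/sysctl.conf, so a compliance check has to report the effective persistent value, not the contents of one file. The script below is an added example (not part of the guide or of the scap-security-guide project) that replays that order over a directory tree and audits a list of key=value expectations taken from this section. The tree built under a temporary root, its file names and the assignments in them are constructed for the demo; pass / as the root to inspect a live host.

```shell
#!/bin/sh
# Added example (not from the guide or the scap-security-guide project): work out
# which value `sysctl --system` leaves for a key by replaying its file order.
# Order: /run/sysctl.d, /etc/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d,
# /lib/sysctl.d (each *.conf in sorted order), then /etc/sysctl.conf. The last
# assignment wins; a file name already seen in an earlier directory is skipped.

# value_in_file KEY FILE: print the last assignment of KEY in FILE; status 1 if absent.
# Blank and comment (# or ;) lines are skipped; "net/ipv4/x" is normalised to "net.ipv4.x".
value_in_file() {
  awk -v k="$1" -F= '
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
    NF >= 2 {
      name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name); gsub("/", ".", name)
      if (name == k) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); found = 1; last = val }
    }
    END { if (found) print last; else exit 1 }
  ' "$2"
}

# effective_value KEY PATH...: PATHs are files or directories in load order.
effective_value() {
  key="$1"; shift
  result=""; seen=" "
  for path in "$@"; do
    if [ -d "$path" ]; then
      for f in "$path"/*.conf; do
        [ -f "$f" ] || continue
        base="${f##*/}"
        case "$seen" in *" $base "*) continue ;; esac   # masked by an earlier directory
        seen="$seen$base "
        v=$(value_in_file "$key" "$f") && result="$v"
      done
    elif [ -f "$path" ]; then
      v=$(value_in_file "$key" "$path") && result="$v"
    fi
  done
  printf '%s\n' "$result"
}

# persistent_value ROOT KEY: ROOT is / on a live host, or a test tree.
persistent_value() {
  r="${1%/}"
  effective_value "$2" "$r/run/sysctl.d" "$r/etc/sysctl.d" "$r/usr/local/lib/sysctl.d" \
    "$r/usr/lib/sysctl.d" "$r/lib/sysctl.d" "$r/etc/sysctl.conf"
}

# audit ROOT KEY=EXPECTED...: one PASS/FAIL line per key; returns the number of failures.
audit() {
  aroot="$1"; shift
  fails=0
  for spec in "$@"; do
    k="${spec%%=*}"; want="${spec#*=}"
    got=$(persistent_value "$aroot" "$k")
    if [ "$got" = "$want" ]; then
      printf 'PASS %s = %s\n' "$k" "$got"
    else
      printf 'FAIL %s: expected %s, persistent value is "%s"\n' "$k" "$want" "$got"
      fails=$((fails + 1))
    fi
  done
  return $fails
}

# Constructed tree for the demo: a vendor default, a hardening drop-in, and a
# legacy /etc/sysctl.conf that silently undoes one hardened setting.
build_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/etc/sysctl.d" "$t/usr/lib/sysctl.d"
  printf 'net.ipv4.conf.all.rp_filter = 1\n' > "$t/usr/lib/sysctl.d/50-default.conf"
  printf 'net.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.accept_redirects = 0\n' \
    > "$t/etc/sysctl.d/99-hardening.conf"
  printf '# legacy file, read last\nnet/ipv4/tcp_syncookies = 0\n' > "$t/etc/sysctl.conf"
  printf '%s\n' "$t"
}

demo_root=$(build_demo_tree)
audit "$demo_root" net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.accept_redirects=0 \
  net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.log_martians=1 \
  || echo "$? setting(s) non-compliant"
rm -rf "$demo_root"
```

In the demo, tcp_syncookies fails even though the hardening drop-in sets it to 1, because /etc/sysctl.conf is read last; log_martians fails because nothing sets it at all. Comparing the persistent result with the running value (sysctl -n KEY) then separates "never configured" from "configured but not yet applied".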
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.log_martians = 1
References: 3.2.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Rationale: The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.
Identifiers: CCE-80161-3

Remediation Shell script:
sysctl_net_ipv4_conf_default_log_martians_value=""
#
# Set runtime for net.ipv4.conf.default.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value"
#
# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.log_martians' "$sysctl_net_ipv4_conf_default_log_martians_value" 'CCE-80161-3'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_default_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_log_martians_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.log_martians is set
  sysctl:
    name: net.ipv4.conf.default.log_martians
    value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_default_log_martians
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80161-3
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(3)(a)
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_ignore_bogus_error_responses = 1
References: NT28(R22), 3.2.6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227
Rationale: Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged.
Identifiers: CCE-80166-2

Remediation Shell script:
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=""
#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"
#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_ignore_bogus_error_responses' "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" 'CCE-80166-2'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80166-2
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.rp_filter = 1
References: NT28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227
Rationale: Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.
Identifiers: CCE-80168-8

Remediation Shell script:
sysctl_net_ipv4_conf_default_rp_filter_value=""
#
# Set runtime for net.ipv4.conf.default.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value"
#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.rp_filter' "$sysctl_net_ipv4_conf_default_rp_filter_value" 'CCE-80168-8'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_default_rp_filter_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_rp_filter_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.rp_filter is set
  sysctl:
    name: net.ipv4.conf.default.rp_filter
    value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_default_rp_filter
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80168-8
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.secure_redirects = 0
References: NT28(R22), 3.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Rationale: Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.
Identifiers: CCE-80159-7

Remediation Shell script:
sysctl_net_ipv4_conf_all_secure_redirects_value=""
#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value"
#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.secure_redirects' "$sysctl_net_ipv4_conf_all_secure_redirects_value" 'CCE-80159-7'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_all_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_secure_redirects_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.all.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_all_secure_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80159-7
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
Configure Kernel Parameter for Accepting Secure Redirects By Default
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.secure_redirects = 0
References: NT28(R22), 3.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Rationale: Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.
Identifiers: CCE-80164-7

Remediation Shell script:
sysctl_net_ipv4_conf_default_secure_redirects_value=""
#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value"
#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.secure_redirects' "$sysctl_net_ipv4_conf_default_secure_redirects_value" 'CCE-80164-7'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_default_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_secure_redirects_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.default.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_default_secure_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80164-7
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
Disable Accepting ICMP Redirects for All IPv4 Interfaces
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
References: NT28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-07-040641, SV-87827r4_rule
Rationale: ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required.
Identifiers: CCE-80158-9

Remediation Shell script:
sysctl_net_ipv4_conf_all_accept_redirects_value=""
#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value"
#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_redirects' "$sysctl_net_ipv4_conf_all_accept_redirects_value" 'CCE-80158-9'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_all_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_accept_redirects_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set
  sysctl:
    name: net.ipv4.conf.all.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_all_accept_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80158-9
    - DISA-STIG-RHEL-07-040641
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
    - CJIS-5.10.1.1
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.log_martians = 1
References: NT28(R22), 3.2.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Rationale: The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.
Identifiers: CCE-80160-5

Remediation Shell script:
sysctl_net_ipv4_conf_all_log_martians_value=""
#
# Set runtime for net.ipv4.conf.all.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value"
#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.log_martians' "$sysctl_net_ipv4_conf_all_log_martians_value" 'CCE-80160-5'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_all_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_log_martians_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.log_martians is set
  sysctl:
    name: net.ipv4.conf.all.log_martians
    value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_all_log_martians
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80160-5
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(3)(a)
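Both log_martians rules (the per-interface default above and the "all" setting here) justify themselves by detection, and that only pays off if someone reads the resulting kernel messages. The kernel logs each martian packet, rate-limited, as "IPv4: martian source <dst> from <src>, on dev <ifname>", followed by an "ll header:" line with the link-layer bytes; note that the address after "martian source" is the packet's destination and the one after "from" is the offending source. The script below is an added example, not part of the guide: it summarises such messages by interface and source address so that repeated spoofing from one address stands out. The journalctl-style prefix and the addresses in the embedded sample lines are constructed for the demo; only the kernel message text follows the real format.

```shell
#!/bin/sh
# Added example: summarise kernel "martian source" warnings by interface and source.
# Input is journalctl -k / dmesg -T style output; only the text after "IPv4:" is
# parsed, so the timestamp prefix does not matter.

# Constructed sample (not from a real host): four hits from one source on eth0,
# one from another on eth1, plus "ll header" lines and unrelated kernel noise.
SAMPLE_LOG='Mar 03 10:15:01 host kernel: IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
Mar 03 10:15:01 host kernel: ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
Mar 03 10:15:02 host kernel: IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
Mar 03 10:15:02 host kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar 03 10:15:03 host kernel: IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
Mar 03 10:15:04 host kernel: IPv4: martian source 10.0.0.255 from 224.0.0.9, on dev eth1
Mar 03 10:15:05 host kernel: IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0'

# summarize_martians < log: prints "COUNT DEV SOURCE -> DESTINATION", most frequent first.
summarize_martians() {
  awk '
    /martian source/ {
      # after the marker: <dst> from <src>, on dev <ifname>
      split($0, w, /martian source /)
      split(w[2], p, / /)     # p[1]=dst p[2]="from" p[3]="src," p[4]="on" p[5]="dev" p[6]=ifname
      dst = p[1]; src = p[3]; sub(/,$/, "", src); dev = p[6]
      count[dev " " src " -> " dst]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# martian_count DEV SRC < log: number of hits for one interface/source pair (0 if none),
# the building block for a threshold alert.
martian_count() {
  summarize_martians | awk -v dev="$1" -v src="$2" '
    $2 == dev && $3 == src { print $1; found = 1 }
    END { if (!found) print 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_martians
```

On a live host the same functions take `journalctl -k --since -1h | summarize_martians`; because the kernel rate-limits these messages, a count is a lower bound on the real volume, which is another reason to treat even a handful of hits from one source as worth a look.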
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
References: NT28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227
Rationale: Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.
Identifiers: CCE-80167-0

Remediation Shell script:
sysctl_net_ipv4_conf_all_rp_filter_value=""
#
# Set runtime for net.ipv4.conf.all.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value"
#
# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.rp_filter' "$sysctl_net_ipv4_conf_all_rp_filter_value" 'CCE-80167-0'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_all_rp_filter_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_rp_filter_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set
  sysctl:
    name: net.ipv4.conf.all.rp_filter
    value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_all_rp_filter
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80167-0
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
References: 3.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040630, SV-86911r2_rule
Rationale: Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network.
Identifiers: CCE-80165-4

Remediation Shell script:
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=""
#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"
#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_echo_ignore_broadcasts' "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" 'CCE-80165-4'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80165-4
    - DISA-STIG-RHEL-07-040630
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - CJIS-5.10.1.1
Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1
References: NT28(R22), 3.2.8, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071
Rationale: A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests.
Identifiers: CCE-27495-1

Remediation Shell script:
sysctl_net_ipv4_tcp_syncookies_value=""
#
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value"
#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.tcp_syncookies' "$sysctl_net_ipv4_tcp_syncookies_value" 'CCE-27495-1'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable
  set_fact:
    sysctl_net_ipv4_tcp_syncookies_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.tcp_syncookies is set
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_tcp_syncookies
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-27495-1
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(1)
    - NIST-800-53-SC-5(2)
    - NIST-800-53-SC-5(3)(a)
    - NIST-800-53-CM-6(a)
    - CJIS-5.10.1.1
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
References: NT28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040610, SV-86907r2_rule
Rationale: Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routed traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
Identifiers: CCE-27434-0

Remediation Shell script:
sysctl_net_ipv4_conf_all_accept_source_route_value=""
#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value"
#
# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_source_route' "$sysctl_net_ipv4_conf_all_accept_source_route_value" 'CCE-27434-0'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_all_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_accept_source_route_value: !!str
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set
  sysctl:
    name: net.ipv4.conf.all.accept_source_route
    value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_all_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-27434-0
    - DISA-STIG-RHEL-07-040610
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0

References: NT28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040640, SV-86913r3_rule

Rationale: ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required.

Identifiers: CCE-80163-9

Remediation Shell script:
# Value of the XCCDF variable; the rule above requires 0.
sysctl_net_ipv4_conf_default_accept_redirects_value="0"
#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"
#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
# (replace_or_append is a helper function from the SCAP Security Guide bash remediation library)
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_redirects' "$sysctl_net_ipv4_conf_default_accept_redirects_value" 'CCE-80163-9'

Remediation Ansible snippet:
- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_accept_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
  sysctl:
    name: net.ipv4.conf.default.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_default_accept_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80163-9
    - DISA-STIG-RHEL-07-040640
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
    - CJIS-5.10.1.1
Network Parameters for Hosts Only

If the system is not going to be used as a router, then setting certain
kernel parameters ensures that the host will not perform routing
of network traffic.

Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_forward = 0

Warning: Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
profiles or benchmarks that target usage of IPv4 forwarding.

References: NT28(R22), 3.1.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040740, SV-86933r2_rule

Rationale: Routing protocol daemons are typically used on routers to exchange
network topology information with other routers. If this capability is used when
not required, system network information may be unnecessarily transmitted across
the network.

Identifiers: CCE-80157-1

Remediation Shell script:
#
# Set runtime for net.ipv4.ip_forward
#
/sbin/sysctl -q -n -w net.ipv4.ip_forward="0"
#
# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
# (replace_or_append is a helper function from the SCAP Security Guide bash remediation library)
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.ip_forward' "0" 'CCE-80157-1'

Remediation Ansible snippet:
- name: Ensure sysctl net.ipv4.ip_forward is set to 0
  sysctl:
    name: net.ipv4.ip_forward
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_ip_forward
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80157-1
    - DISA-STIG-RHEL-07-040740
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0

References: NT28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040660, SV-86917r3_rule

Rationale: ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Identifiers: CCE-80156-3

Remediation Shell script:
#
# Set runtime for net.ipv4.conf.all.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0"
#
# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
# (replace_or_append is a helper function from the SCAP Security Guide bash remediation library)
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.send_redirects' "0" 'CCE-80156-3'

Remediation Ansible snippet:
- name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
  sysctl:
    name: net.ipv4.conf.all.send_redirects
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_all_send_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80156-3
    - DISA-STIG-RHEL-07-040660
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
    - CJIS-5.10.1.1
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0

References: NT28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040650, SV-86915r4_rule

Rationale: ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.

Identifiers: CCE-80999-6

Remediation Shell script:
#
# Set runtime for net.ipv4.conf.default.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0"
#
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
# else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
# (replace_or_append is a helper function from the SCAP Security Guide bash remediation library)
#
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.send_redirects' "0" 'CCE-80999-6'

Remediation Ansible snippet:
- name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
  sysctl:
    name: net.ipv4.conf.default.send_redirects
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_net_ipv4_conf_default_send_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80999-6
    - DISA-STIG-RHEL-07-040650
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
    - CJIS-5.10.1.1
Transport Layer Security Support

Support for Transport Layer Security (TLS), and its predecessor, the Secure
Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package
openssl). TLS provides encrypted and authenticated network
communications, and many network services include support for it. TLS or SSL
can be leveraged to avoid any plaintext transmission of sensitive data.
For information on how to use OpenSSL, see
http://www.openssl.org/docs/. Information on FIPS validation
of OpenSSL is available at http://www.openssl.org/docs/fips.html
and http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
For information on how to use and implement OpenSSL on Red Hat Enterprise Linux, see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_OpenSSL.html

Disable Unused Interfaces

Network interfaces expand the attack surface of the
system. Unused interfaces are not monitored or controlled, and
should be disabled.
If the system does not require network communications but still
needs to use the loopback interface, remove all files of the form
ifcfg-interface except for ifcfg-lo from
/etc/sysconfig/network-scripts:
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface
If the system is a standalone machine with no need for network access or even
communication over the loopback device, then disable this service.
The network service can be disabled with the following command:
$ sudo systemctl disable network.service
The network service can be masked with the following command:
$ sudo systemctl mask network.service

Uncommon Network Protocols

The system includes support for several network protocols which are not commonly used.
Although security vulnerabilities in kernel networking code are not frequently discovered,
the consequences can be dramatic. Ensuring uncommon network protocols are disabled
reduces the system's exposure to attacks targeting its implementation of those protocols.

Warning: Although these protocols are not commonly used, avoid disruption
in your network environment by ensuring they are not needed
prior to disabling them.

Disable DCCP Support

The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install dccp /bin/true

References: 3.5.1, 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-001958, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000096-GPOS-00050, RHEL-07-020101, SV-92517r3_rule

Rationale: Disabling DCCP protects
the system against exploitation of any flaws in its implementation.

Identifiers: CCE-82024-1

Remediation Shell script:
# The sed expression uses # as its delimiter because the replacement text contains slashes.
if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then
    sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf
    echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf
fi

Remediation Ansible snippet:
- name: Ensure kernel module 'dccp' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/dccp.conf
    regexp: dccp
    line: install dccp /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - kernel_module_dccp_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82024-1
    - DISA-STIG-RHEL-07-020101
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - CJIS-5.10.1
Disable ATM Support

The Asynchronous Transfer Mode (ATM) is a protocol operating on
network, data link, and physical layers, based on virtual circuits
and virtual paths.
To configure the system to prevent the atm
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install atm /bin/true

References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049

Rationale: Disabling ATM protects the system against exploitation of any
flaws in its implementation.

Identifiers: CCE-82162-9

Remediation Shell script:
# The sed expression uses # as its delimiter because the replacement text contains slashes.
if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then
    sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf
    echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf
fi

Remediation Ansible snippet:
- name: Ensure kernel module 'atm' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/atm.conf
    regexp: atm
    line: install atm /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - kernel_module_atm_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82162-9
Disable IEEE 1394 (FireWire) Support

The IEEE 1394 (FireWire) is a serial bus standard for
high-speed real-time communication.
To configure the system to prevent the firewire-core
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install firewire-core /bin/true

References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049

Rationale: Disabling FireWire protects the system against exploitation of any
flaws in its implementation.

Identifiers: CCE-82160-3

Remediation Shell script:
# The sed expression uses # as its delimiter because the replacement text contains slashes.
if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then
    sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf
    echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf
fi

Remediation Ansible snippet:
- name: Ensure kernel module 'firewire-core' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/firewire-core.conf
    regexp: firewire-core
    line: install firewire-core /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - kernel_module_firewire-core_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82160-3
Disable TIPC Support

The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/true

Warning: This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as
a node in a High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded.

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049

Rationale: Disabling TIPC protects
the system against exploitation of any flaws in its implementation.

Remediation Shell script:
# The sed expression uses # as its delimiter because the replacement text contains slashes.
if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then
    sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf
    echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
fi

Remediation Ansible snippet:
- name: Ensure kernel module 'tipc' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/tipc.conf
    regexp: tipc
    line: install tipc /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - kernel_module_tipc_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Disable SCTP Support

The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install sctp /bin/true

References: 3.5.2, 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049

Rationale: Disabling SCTP protects
the system against exploitation of any flaws in its implementation.

Identifiers: CCE-82044-9

Remediation Shell script:
# The sed expression uses # as its delimiter because the replacement text contains slashes.
if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then
    sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf
    echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
fi

Remediation Ansible snippet:
- name: Ensure kernel module 'sctp' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/sctp.conf
    regexp: sctp
    line: install sctp /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - kernel_module_sctp_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82044-9
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - CJIS-5.10.1
Disable RDS Support

The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high-bandwidth,
low-latency communications between nodes in a cluster.
To configure the system to prevent the rds
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install rds /bin/true

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3

Rationale: Disabling RDS protects
the system against exploitation of any flaws in its implementation.

Remediation Shell script:
# The sed expression uses # as its delimiter because the replacement text contains slashes.
if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then
    sed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf
    echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf
fi

Remediation Ansible snippet:
- name: Ensure kernel module 'rds' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/rds.conf
    regexp: rds
    line: install rds /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - kernel_module_rds_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Disable CAN Support

The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive use and
is now also used in marine, industrial, and medical applications.
To configure the system to prevent the can
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install can /bin/true

References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049

Rationale: Disabling CAN protects the system against exploitation of any
flaws in its implementation.

Identifiers: CCE-82164-5

Remediation Shell script:
# The sed expression uses # as its delimiter because the replacement text contains slashes.
if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then
    sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf
    echo "install can /bin/true" >> /etc/modprobe.d/can.conf
fi

Remediation Ansible snippet:
- name: Ensure kernel module 'can' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/can.conf
    regexp: can
    line: install can /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - kernel_module_can_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82164-5
Wireless Networking

Wireless networking, such as 802.11
(WiFi) and Bluetooth, can present a security risk to sensitive or
classified systems and networks. Wireless networking hardware is
much more likely to be included in laptop or portable systems than
in desktops or servers.
Removal of hardware provides the greatest assurance that the wireless
capability remains disabled. Acquisition policies often include provisions to
prevent the purchase of equipment that will be used in sensitive spaces and
include wireless capabilities. If it is impractical to remove the wireless
hardware, and policy permits the device to enter sensitive spaces as long
as wireless is disabled, efforts should instead focus on disabling wireless capability
via software.

Disable Wireless Through Software Configuration

If it is impossible to remove the wireless hardware
from the device in question, disable as much of it as possible
through software. The following methods can disable software
support for wireless networking, but note that these methods do not
prevent malicious software or careless users from re-activating the
devices.

Disable Bluetooth Service

The bluetooth service can be disabled with the following command:
$ sudo systemctl disable bluetooth.service
The bluetooth service can be masked with the following command:
$ sudo systemctl mask bluetooth.service
$ sudo service bluetooth stop

References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: Disabling the bluetooth service prevents the system from attempting
connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range.

Identifiers: CCE-27328-4
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'bluetooth.service'
"$SYSTEMCTL_EXEC" disable 'bluetooth.service'
"$SYSTEMCTL_EXEC" mask 'bluetooth.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^bluetooth.socket'; then
    "$SYSTEMCTL_EXEC" stop 'bluetooth.socket'
    "$SYSTEMCTL_EXEC" disable 'bluetooth.socket'
    "$SYSTEMCTL_EXEC" mask 'bluetooth.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service' || true

Remediation Ansible snippet:
- name: Disable service bluetooth
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service bluetooth
      systemd:
        name: bluetooth.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"bluetooth.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_bluetooth_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27328-4
    - NIST-800-171-3.1.16
    - NIST-800-53-AC-18(a)
    - NIST-800-53-AC-18(3)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MP-7

- name: Unit Socket Exists - bluetooth.socket
  command: systemctl list-unit-files bluetooth.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_bluetooth_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27328-4
    - NIST-800-171-3.1.16
    - NIST-800-53-AC-18(a)
    - NIST-800-53-AC-18(3)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MP-7

- name: Disable socket bluetooth
  systemd:
    name: bluetooth.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"bluetooth.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_bluetooth_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27328-4
    - NIST-800-171-3.1.16
    - NIST-800-53-AC-18(a)
    - NIST-800-53-AC-18(3)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MP-7

Remediation Puppet snippet:
include disable_bluetooth
class disable_bluetooth {
  service {'bluetooth':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Bluetooth Kernel Module

The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate /etc/modprobe.d configuration file
to prevent the loading of the Bluetooth module:
install bluetooth /bin/true

References: 11, 12, 14, 15, 3, 8, 9, 5.13.1.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049

Rationale: If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation.

Identifiers: CCE-27327-6

Remediation Shell script:
# The sed expression uses # as its delimiter because the replacement text contains slashes.
if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
    sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf
else
    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf
    echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
fi

Remediation Ansible snippet:
- name: Ensure kernel module 'bluetooth' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/bluetooth.conf
    regexp: bluetooth
    line: install bluetooth /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - kernel_module_bluetooth_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-27327-6
    - NIST-800-171-3.1.16
    - NIST-800-53-AC-18(a)
    - NIST-800-53-AC-18(3)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MP-7
    - CJIS-5.13.1.3
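The kernel module rules in the Uncommon Network Protocols section and the Bluetooth module rule above all rely on an "install <module> /bin/true" line in /etc/modprobe.d, which only prevents future loads. The audit helper below is an added example, not code from the SCAP Security Guide: it confirms the install line is present, flags a conflicting install directive for the same module, and reports when the module is still loaded. The function names, the optional ROOT prefix, the MODULES_FILE argument and the staged sample tree are all constructed for the example.

```shell
#!/bin/sh
# Added audit helper, not part of the SCAP Security Guide. For a kernel module
# that the rules above disable, it reports whether an "install <module> /bin/true"
# line is present under ROOT/etc/modprobe.d, whether another install line for the
# same module conflicts with it, and whether the module is still loaded according
# to a /proc/modules-style listing. That last point matters because modprobe.d
# only stops future loads: a module that is already loaded stays until it is
# unloaded or the system reboots, which is why the rules carry reboot_required.
# ROOT and MODULES_FILE are optional; they default to the live system.

# Print every "install <module> <command>" directive for MODULE found in
# ROOT/etc/modprobe.d/*.conf as "<file>:<command>", one per line. kmod treats "-"
# and "_" in module names alike, so both spellings match. A "blacklist" line is
# deliberately not reported: it only stops alias-based autoloading, not an
# explicit modprobe, so it does not satisfy the rule.
install_lines_for() {
    module="$1"; root="${2:-}"
    for f in "$root/etc/modprobe.d"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$module" -v f="$f" '
            BEGIN { gsub("-", "_", m) }
            /^[ \t]*#/ { next }
            $1 == "install" {
                n = $2; gsub("-", "_", n)
                if (n != m) next
                cmd = ""
                for (i = 3; i <= NF; i++) cmd = cmd (i > 3 ? " " : "") $i
                print f ":" cmd
            }' "$f"
    done
}

# Return 0 if MODULE is listed in MODULES_FILE (the /proc/modules format: the
# module name, always with underscores, is the first field), 1 otherwise.
module_is_loaded() {
    module="$1"; modules_file="${2:-/proc/modules}"
    [ -r "$modules_file" ] || return 1
    awk -v m="$module" 'BEGIN { gsub("-", "_", m) } $1 == m { found = 1 }
                        END { exit found ? 0 : 1 }' "$modules_file"
}

# Verdict for MODULE. Returns 0 (PASS), 1 (FAIL: not disabled, or a conflicting
# install line exists) or 2 (WARN: disabled in modprobe.d but still loaded).
# /bin/false is accepted alongside the guide's /bin/true; both make modprobe fail.
check_module_disabled() {
    module="$1"; root="${2:-}"; modules_file="${3:-/proc/modules}"
    lines=$(install_lines_for "$module" "$root")
    disabling=$(printf '%s\n' "$lines" | grep -c -E ':/bin/(true|false)$' || :)
    others=$(printf '%s\n' "$lines" | grep -v -E ':/bin/(true|false)$' | grep -c . || :)
    if [ "$disabling" -eq 0 ]; then
        printf 'FAIL %s: no "install %s /bin/true" line in %s/etc/modprobe.d\n' "$module" "$module" "$root"
        return 1
    fi
    if [ "$others" -gt 0 ]; then
        printf 'FAIL %s: conflicting install directive(s):\n%s\n' "$module" "$lines"
        return 1
    fi
    if module_is_loaded "$module" "$modules_file"; then
        printf 'WARN %s: disabled in modprobe.d but still loaded; unload it or reboot\n' "$module"
        return 2
    fi
    printf 'PASS %s: %s\n' "$module" "$lines"
    return 0
}

# Constructed sample tree (not a real system): one compliant module, one with a
# conflicting local override, one that is only blacklisted, and one disabled in
# modprobe.d but still present in a constructed /proc/modules snapshot.
build_demo_tree() {
    root="$1"
    mkdir -p "$root/etc/modprobe.d"
    printf 'install dccp /bin/true\n' > "$root/etc/modprobe.d/dccp.conf"
    printf '# Disable per security requirements\ninstall sctp /bin/true\n' > "$root/etc/modprobe.d/sctp.conf"
    printf 'install sctp /sbin/modprobe --ignore-install sctp\n' > "$root/etc/modprobe.d/zz-local.conf"
    printf 'blacklist tipc\n' > "$root/etc/modprobe.d/tipc.conf"
    printf 'install firewire-core /bin/true\n' > "$root/etc/modprobe.d/firewire-core.conf"
    printf 'firewire_core 65536 1 firewire_ohci, Live 0x0000000000000000\n' > "$root/proc_modules"
}

# Run the check over the constructed tree; one verdict per module.
run_demo() {
    demo=$(mktemp -d) || return 1
    build_demo_tree "$demo"
    for m in dccp sctp tipc firewire-core rds; do
        check_module_disabled "$m" "$demo" "$demo/proc_modules" || :
    done
    rm -rf "$demo"
}
run_demo
```

Called with only a module name, check_module_disabled audits the live /etc/modprobe.d and /proc/modules; the same loop over the module names used by the rules gives a one-line verdict per rule.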
Disable WiFi or Bluetooth in BIOS
Some machines that include built-in wireless support offer the
ability to disable the device through the BIOS. This is hardware-specific;
consult your hardware manual or explore the BIOS setup during
boot.
Identifiers and References: CCE-27397-9; CCI-000085; NIST 800-53 AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7
Rationale: Disabling wireless support in the BIOS prevents easy
activation of the wireless interface, generally requiring administrators
to reboot the system first.

Deactivate Wireless Network Interfaces
Deactivating wireless network interfaces should prevent
normal usage of the wireless capability.
Configure the system to disable all wireless network interfaces with the
following command:
$ sudo nmcli radio wifi off
Identifiers and References: CCE-27358-1; CCI-000085, CCI-002418; NIST 800-171 3.1.16; NIST 800-53 AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7; SRG-OS-000424-GPOS-00188; DISA STIG RHEL-07-041010 (SV-87829r2_rule)
Rationale: The use of wireless networking can introduce many different attack vectors into
the organization's network. Common attack vectors such as malicious association
and ad hoc networks allow an attacker to spoof a wireless access point
(AP), so that validated systems connect to the malicious AP and the
attacker can monitor and record network traffic. These malicious APs can also
serve to create a man-in-the-middle attack or be used to create a denial of
service to valid network resources.

GRUB2 bootloader configuration
During the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default Red Hat Enterprise Linux 7 boot loader for x86 systems is called GRUB2.
Options it can pass to the kernel include single-user mode, which
provides root access without any authentication, and the ability to
disable SELinux. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly.

Set Boot Loader Password in grub2
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To do so, select a superuser account name and password and modify the
/etc/grub.d/01_users configuration file with the new account name.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
NOTE: It is recommended not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
Change the superuser to a different username (the default is 'root'):
$ sed -i s/root/bootuser/g /etc/grub.d/01_users
To meet FISMA Moderate, the bootloader superuser account and password MUST
differ from the root account and password.
Once the superuser account and password have been added, update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the
grub.cfg file, as the grub2-mkconfig command overwrites this file.
Warning: To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Identifiers and References: CCE-27309-4; ANSSI NT28(R17); CIS 1.4.2; CCI-000213; NIST 800-171 3.4.5; NIST 800-53 CM-6(a); FIA_AFL.1; SRG-OS-000080-GPOS-00048; DISA STIG RHEL-07-010480 (SV-86585r6_rule)
Rationale: Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
For more information on how to configure the grub2 superuser account and password,
please refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html.

Verify /boot/grub2/grub.cfg Permissions
File permissions for /boot/grub2/grub.cfg should be set to 600.
To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg
Identifiers and References: CCE-82039-9; CIS 1.4.1; CCI-000225; NIST 800-171 3.4.5; NIST 800-53 CM-6(a), AC-6(1)
Rationale: Proper permissions ensure that only the root user can modify important boot
parameters.
Remediation Shell script:
chmod 0600 /boot/grub2/grub.cfg
Remediation Ansible snippet:
- name: Test for existence /boot/grub2/grub.cfg
  stat:
    path: /boot/grub2/grub.cfg
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_permissions_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82039-9
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)

- name: Ensure permission 0600 on /boot/grub2/grub.cfg
  file:
    path: /boot/grub2/grub.cfg
    mode: '0600'
  when:
  - file_exists.stat is defined and file_exists.stat.exists
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_permissions_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82039-9
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
Verify /boot/grub2/grub.cfg User Ownership
The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg
Identifiers and References: CCE-82026-6; CIS 1.4.1; CJIS 5.5.2.2; CCI-000225; NIST 800-171 3.4.5; NIST 800-53 CM-6(a), AC-6(1); PCI DSS Req-7.1
Rationale: Only root should be able to modify important boot parameters.
Remediation Shell script:
chown 0 /boot/grub2/grub.cfg
Remediation Ansible snippet:
- name: Test for existence /boot/grub2/grub.cfg
  stat:
    path: /boot/grub2/grub.cfg
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_owner_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82026-6
  - PCI-DSS-Req-7.1
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2

- name: Ensure owner 0 on /boot/grub2/grub.cfg
  file:
    path: /boot/grub2/grub.cfg
    owner: '0'
  when:
  - file_exists.stat is defined and file_exists.stat.exists
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_owner_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82026-6
  - PCI-DSS-Req-7.1
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Boot Loader Is Not Installed On Removable Media
The system must not allow removable media to be used as the boot loader.
Remove alternate methods of booting the system from removable media.
usb0, cd, fd0, etc. are some examples of removable
media which should not exist in the line:
set root='hd0,msdos1'
Identifiers and References: CCE-80517-6; CCI-001814; SRG-OS-000364-GPOS-00151; DISA STIG RHEL-07-021700 (SV-86699r2_rule)
Rationale: Malicious users with removable boot media can gain access to a system
configured to use removable media as the boot loader.

Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To do so, select a superuser account name and password and modify the
/etc/grub.d/01_users configuration file with the new account name.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
NOTE: It is recommended not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
Change the superuser to a different username (the default is 'root'):
$ sed -i s/root/bootuser/g /etc/grub.d/01_users
To meet FISMA Moderate, the bootloader superuser account and password MUST
differ from the root account and password.
Once the superuser account and password have been added, update the
grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the
grub.cfg file, as the grub2-mkconfig command overwrites this file.
Warning: To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Identifiers and References: CCE-80354-4; ANSSI NT28(R17); CIS 1.4.2; CCI-000213; NIST 800-171 3.4.5; NIST 800-53 CM-6(a); FIA_AFL.1; SRG-OS-000080-GPOS-00048; DISA STIG RHEL-07-010490 (SV-86587r4_rule)
Rationale: Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
For more information on how to configure the grub2 superuser account and password,
please refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html.

Verify the UEFI Boot Loader grub.cfg Group Ownership
The file /boot/efi/EFI/redhat/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
Identifiers and References: CIS 1.4.1; CJIS 5.5.2.2; CCI-000225; NIST 800-171 3.4.5; NIST 800-53 CM-6(a), AC-6(1); PCI DSS Req-7.1
Rationale: The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
Remediation Shell script:
chgrp 0 /boot/efi/EFI/redhat/grub.cfg
Remediation Ansible snippet:
- name: Test for existence /boot/efi/EFI/redhat/grub.cfg
  stat:
    path: /boot/efi/EFI/redhat/grub.cfg
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_groupowner_efi_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - PCI-DSS-Req-7.1
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2

- name: Ensure group owner 0 on /boot/efi/EFI/redhat/grub.cfg
  file:
    path: /boot/efi/EFI/redhat/grub.cfg
    group: '0'
  when:
  - file_exists.stat is defined and file_exists.stat.exists
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_groupowner_efi_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - PCI-DSS-Req-7.1
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
IOMMU configuration directive
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some
of the system critical units such as the memory.
Identifiers and References: CCE-82351-8; ANSSI NT28(R11)
Rationale: On x86 architectures, activating the IOMMU protects the system from arbitrary memory accesses
that hardware devices could otherwise make.

Verify /boot/grub2/grub.cfg Group Ownership
The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
Identifiers and References: CCE-82023-3; CIS 1.4.1; CJIS 5.5.2.2; CCI-000225; NIST 800-171 3.4.5; NIST 800-53 CM-6(a), AC-6(1); PCI DSS Req-7.1
Rationale: The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
Remediation Shell script:
chgrp 0 /boot/grub2/grub.cfg
Remediation Ansible snippet:
- name: Test for existence /boot/grub2/grub.cfg
  stat:
    path: /boot/grub2/grub.cfg
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_groupowner_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82023-3
  - PCI-DSS-Req-7.1
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2

- name: Ensure group owner 0 on /boot/grub2/grub.cfg
  file:
    path: /boot/grub2/grub.cfg
    group: '0'
  when:
  - file_exists.stat is defined and file_exists.stat.exists
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_groupowner_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82023-3
  - PCI-DSS-Req-7.1
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
UEFI Boot Loader Is Not Installed On Removable Media
The system must not allow removable media to be used as the boot loader.
Remove alternate methods of booting the system from removable media.
usb0, cd, fd0, etc. are some examples of removable
media which should not exist in the line:
set root='hd0,msdos1'
Identifiers and References: CCE-80518-4; CCI-001814; SRG-OS-000364-GPOS-00151
Rationale: Malicious users with removable boot media can gain access to a system
configured to use removable media as the boot loader.

Verify the UEFI Boot Loader grub.cfg User Ownership
The file /boot/efi/EFI/redhat/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
Identifiers and References: CIS 1.4.1; CJIS 5.5.2.2; CCI-000225; NIST 800-171 3.4.5; NIST 800-53 CM-6(a), AC-6(1); PCI DSS Req-7.1
Rationale: Only root should be able to modify important boot parameters.
Remediation Shell script:
chown 0 /boot/efi/EFI/redhat/grub.cfg
Remediation Ansible snippet:
- name: Test for existence /boot/efi/EFI/redhat/grub.cfg
  stat:
    path: /boot/efi/EFI/redhat/grub.cfg
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_owner_efi_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - PCI-DSS-Req-7.1
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2

- name: Ensure owner 0 on /boot/efi/EFI/redhat/grub.cfg
  file:
    path: /boot/efi/EFI/redhat/grub.cfg
    owner: '0'
  when:
  - file_exists.stat is defined and file_exists.stat.exists
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_owner_efi_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - PCI-DSS-Req-7.1
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify the UEFI Boot Loader grub.cfg Permissions
File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700.
To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
Identifiers and References: CIS 1.4.1; CCI-000225; NIST 800-171 3.4.5; NIST 800-53 CM-6(a), AC-6(1)
Rationale: Proper permissions ensure that only the root user can modify important boot
parameters.
Remediation Shell script:
chmod 700 /boot/efi/EFI/redhat/grub.cfg
Remediation Ansible snippet:
- name: Test for existence /boot/efi/EFI/redhat/grub.cfg
  stat:
    path: /boot/efi/EFI/redhat/grub.cfg
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_permissions_efi_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)

- name: Ensure permission 0700 on /boot/efi/EFI/redhat/grub.cfg
  file:
    path: /boot/efi/EFI/redhat/grub.cfg
    mode: '0700'
  when:
  - file_exists.stat is defined and file_exists.stat.exists
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - file_permissions_efi_grub2_cfg
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
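The audit script below is an added example, not part of this guide or of the scap-security-guide project. It checks a GRUB2 configuration the way an administrator would verify the boot-loader rules above before trusting them: a superuser in /etc/grub.d/01_users that is not root/admin/administrator, a PBKDF2 hash (as written by grub2-setpassword to /boot/grub2/user.cfg) rather than a plaintext password, grub.cfg mode and ownership, and no removable-media device in a set root= line. The function names, the fixture contents and the placeholder hash are constructed for the example; the 01_users layout follows the RHEL 7 file.

```shell
#!/bin/sh
# Added audit helper, not part of the scap-security-guide content: verifies a
# GRUB2 configuration against the boot-loader rules above (non-default
# superuser with a hashed password, grub.cfg owner/group/mode, no removable
# media as the root device). Paths are parameters so the checks can be
# exercised on constructed copies; on RHEL 7 the live files are
# /etc/grub.d/01_users, /boot/grub2/user.cfg and /boot/grub2/grub.cfg
# (/boot/efi/EFI/redhat/grub.cfg on UEFI systems).

# Pass when 01_users declares a superuser that is not a common administrator
# name, names that user on its password_pbkdf2 line, and user.cfg (written by
# grub2-setpassword) carries a PBKDF2 hash rather than a plaintext password.
check_grub_superuser() {
    users_file="$1"; user_cfg="$2"
    su="$(sed -n 's/.*set superusers="\([^"]*\)".*/\1/p' "$users_file" 2>/dev/null | head -n 1)"
    if [ -z "$su" ]; then
        echo "FAIL: no 'set superusers' line in $users_file"; return 1
    fi
    case "$su" in
        root|admin|administrator)
            echo "FAIL: GRUB superuser '$su' is a common administrator name"; return 1 ;;
    esac
    if ! grep -q "password_pbkdf2 $su " "$users_file"; then
        echo "FAIL: password_pbkdf2 line in $users_file does not name '$su'"; return 1
    fi
    if ! grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$user_cfg" 2>/dev/null; then
        echo "FAIL: $user_cfg has no hashed GRUB2_PASSWORD"; return 1
    fi
    echo "PASS: GRUB superuser '$su' is protected by a PBKDF2 hash"
}

# Pass when FILE has exactly octal mode MODE (0600 for /boot/grub2/grub.cfg,
# 0700 for the UEFI copy) and is owned by UID:GID, default 0:0 (root:root).
check_boot_cfg_perms() {
    f="$1"; want_mode="${2#0}"; want_uid="${3:-0}"; want_gid="${4:-0}"
    if [ ! -f "$f" ]; then
        echo "FAIL: $f not found"; return 1
    fi
    set -- $(stat -c '%a %u %g' "$f")    # mode uid gid, as printed by GNU stat
    if [ "$1" != "$want_mode" ]; then
        echo "FAIL: $f mode is $1, expected $want_mode"; return 1
    fi
    if [ "$2" != "$want_uid" ] || [ "$3" != "$want_gid" ]; then
        echo "FAIL: $f owned by $2:$3, expected $want_uid:$want_gid"; return 1
    fi
    echo "PASS: $f mode $want_mode, owner $want_uid:$want_gid"
}

# Pass when no 'set root=' entry in grub.cfg points at removable media
# (usb*, cd*, fd*); boot entries should stay on the fixed disk, e.g. hd0,msdos1.
check_no_removable_root() {
    hits="$(grep -Ei "^[[:space:]]*set root=['\"]?(usb|cd|fd)" "$1" 2>/dev/null)"
    if [ -n "$hits" ]; then
        echo "FAIL: removable boot device in $1:"; echo "$hits"; return 1
    fi
    echo "PASS: no removable-media root device in $1"
}

# Write constructed good and bad fixtures under DIR (contents modelled on the
# RHEL 7 files; the hash is a placeholder) so the checks never touch /boot.
make_demo_fixture() {
    d="$1"; mkdir -p "$d"
    cat > "$d/01_users.good" <<'USERS'
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="bootuser"
    export superusers
    password_pbkdf2 bootuser \${GRUB2_PASSWORD}
  fi
fi
EOF
USERS
    sed 's/bootuser/root/g' "$d/01_users.good" > "$d/01_users.bad"
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH' > "$d/user.cfg.good"
    echo 'GRUB2_PASSWORD=plaintext-secret' > "$d/user.cfg.bad"
    printf "set root='hd0,msdos1'\nlinux16 /vmlinuz-3.10.0 root=/dev/mapper/rhel-root ro\n" > "$d/grub.cfg.good"
    printf "set root='hd0,msdos1'\nset root='usb0'\n" > "$d/grub.cfg.bad"
    chmod 600 "$d/grub.cfg.good"; chmod 644 "$d/grub.cfg.bad"
}

# Run every check against the constructed fixtures; the bad cases are expected
# to fail. On a live host call the functions with the real paths (as root).
demo() {
    d="${TMPDIR:-/tmp}/grub-audit-demo.$$"
    make_demo_fixture "$d"
    check_grub_superuser "$d/01_users.good" "$d/user.cfg.good"
    check_grub_superuser "$d/01_users.bad"  "$d/user.cfg.good" || true
    check_grub_superuser "$d/01_users.good" "$d/user.cfg.bad"  || true
    check_boot_cfg_perms "$d/grub.cfg.good" 0600 "$(id -u)" "$(id -g)"
    check_boot_cfg_perms "$d/grub.cfg.bad"  0600 "$(id -u)" "$(id -g)" || true
    check_no_removable_root "$d/grub.cfg.good"
    check_no_removable_root "$d/grub.cfg.bad" || true
    rm -rf "$d"
}
demo
```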
SELinux
SELinux is a feature of the Linux kernel which can be
used to guard against misconfigured or compromised programs.
SELinux enforces the idea that programs should be limited in what
files they can access and what actions they can take.
The default SELinux policy, as configured on Red Hat Enterprise Linux 7, has been
sufficiently developed and debugged that it should be usable on
almost any system with minimal configuration and a small
amount of system administrator training. This policy prevents
system services - including most of the common network-visible
services such as mail servers, FTP servers, and DNS servers - from
accessing files which those services have no valid reason to
access. This action alone prevents a huge amount of possible damage
from network attacks against services, from trojaned software, and
so forth.
This guide recommends that SELinux be enabled using the
default (targeted) policy on every Red Hat Enterprise Linux 7 system, unless that
system has unusual requirements which make a stronger policy
appropriate.
For more information on SELinux, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide.

SELinux state
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - SELinux is fully disabled.
Value: enforcing (choices: disabled, enforcing, permissive)

SELinux policy
Type of policy in use. Possible values are:
targeted - Only targeted network daemons are protected.
strict - Full SELinux protection.
mls - Multiple levels of security
Value: targeted (choices: mls, targeted)

Install policycoreutils Package
The policycoreutils package can be installed with the following command:
$ sudo yum install policycoreutils
Identifiers and References: CCE-82977-0; SRG-OS-000480-GPOS-00227
Rationale: Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The Security-enhanced Linux kernel contains new architectural components originally
developed to improve security of the Flask operating system. These architectural components
provide general support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement, Role-based Access
Control, and Multi-level Security.
policycoreutils contains the policy core utilities that are required for
basic operation of an SELinux-enabled system. These utilities include load_policy
to load SELinux policies, setfiles to label filesystems, newrole to
switch roles, and run_init to run /etc/init.d scripts in the proper
context.
Remediation Shell script:
if ! rpm -q --quiet "policycoreutils" ; then
    yum install -y "policycoreutils"
fi
Remediation Ansible snippet:
- name: Ensure policycoreutils is installed
  package:
    name: policycoreutils
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_policycoreutils_installed
  - high_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82977-0
Remediation Puppet snippet:
include install_policycoreutils
class install_policycoreutils {
  package { 'policycoreutils':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=policycoreutils
Uninstall mcstrans Package
The mcstransd daemon provides category label information
to client processes requesting information. The label translations are defined
in /etc/selinux/targeted/setrans.conf.
The mcstrans package can be removed with the following command:
$ sudo yum erase mcstrans
Identifiers and References: CCE-80445-0; CIS 1.6.1.5
Rationale: Since this service is not used very often, disable it to reduce the
amount of potentially vulnerable code running on the system.
NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please
note that Red Hat does not feel this rule is security relevant.
Remediation Shell script:
# CAUTION: This remediation script will remove mcstrans
# from the system, and may remove any packages
# that depend on mcstrans. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "mcstrans" ; then
    yum remove -y "mcstrans"
fi
Remediation Ansible snippet:
- name: Ensure mcstrans is removed
  package:
    name: mcstrans
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_mcstrans_removed
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80445-0
Remediation Puppet snippet:
include remove_mcstrans
class remove_mcstrans {
  package { 'mcstrans':
    ensure => 'purged',
  }
}
Remediation Anaconda snippet:
package --remove=mcstrans
Uninstall setroubleshoot Package
The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot package can be removed with the following command:
$ sudo yum erase setroubleshoot
Identifiers and References: CCE-80444-3; ANSSI NT28(R68); CIS 1.6.1.4
Rationale: The SETroubleshoot service is an unnecessary daemon to
have running on a server.
Remediation Shell script:
# CAUTION: This remediation script will remove setroubleshoot
# from the system, and may remove any packages
# that depend on setroubleshoot. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "setroubleshoot" ; then
    yum remove -y "setroubleshoot"
fi
Remediation Ansible snippet:
- name: Ensure setroubleshoot is removed
  package:
    name: setroubleshoot
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_setroubleshoot_removed
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80444-3
Remediation Puppet snippet:
include remove_setroubleshoot
class remove_setroubleshoot {
  package { 'setroubleshoot':
    ensure => 'purged',
  }
}
Remediation Anaconda snippet:
package --remove=setroubleshoot
Ensure SELinux Not Disabled in /etc/default/grub
SELinux can be disabled at boot time by an argument in
/etc/default/grub.
Remove any instances of selinux=0 from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
Identifiers and References: CCE-26961-3; CIS 1.6.1.1; CCI-000022, CCI-000032; NIST 800-171 3.1.2, 3.7.2; NIST 800-53 AC-3, AC-3(3)(a); SRG-OS-000445-VMM-001780
Rationale: Disabling a major host protection feature, such as SELinux, at boot time prevents
it from confining system services at boot time. Further, it increases
the chances that it will remain off during system operation.
Remediation Shell script:
# Strip selinux=0 and enforcing=0 (any letter case) from the GRUB defaults, the
# generated configuration and the generator scripts.
sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
Remediation Ansible snippet:
- name: Ensure SELinux Not Disabled in /etc/default/grub
  replace:
    dest: /etc/default/grub
    regexp: selinux=0
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_selinux
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-26961-3
  - NIST-800-171-3.1.2
  - NIST-800-171-3.7.2
  - NIST-800-53-AC-3
  - NIST-800-53-AC-3(3)(a)
Configure SELinux Policy
The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
Identifiers and References: CCE-27279-9; ANSSI NT28(R66); CIS 1.6.1.3; CCI-002696; NIST 800-171 3.1.2, 3.7.2; NIST 800-53 AC-3, AC-3(3)(a), AU-9, SC-7(21); SRG-OS-000445-GPOS-00199; SRG-OS-000445-VMM-001780; DISA STIG RHEL-07-020220 (SV-86615r5_rule)
Rationale: Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to enforcing mode.
Remediation Shell script:
# The policy name is the XCCDF value var_selinux_policy_name; 'targeted' is the
# guide's default. replace_or_append is a helper from the scap-security-guide
# remediation function library, not a standard shell command.
var_selinux_policy_name="targeted"
replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name 'CCE-27279-9' '%s=%s'
Remediation Ansible snippet:
- name: XCCDF Value var_selinux_policy_name # promote to variable
  set_fact:
    var_selinux_policy_name: !!str targeted
  tags:
  - always

- name: Configure SELinux Policy
  lineinfile:
    path: /etc/sysconfig/selinux
    regexp: ^SELINUXTYPE=
    line: SELINUXTYPE={{ var_selinux_policy_name }}
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - selinux_policytype
  - high_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27279-9
  - DISA-STIG-RHEL-07-020220
  - NIST-800-171-3.1.2
  - NIST-800-171-3.7.2
  - NIST-800-53-AC-3
  - NIST-800-53-AC-3(3)(a)
  - NIST-800-53-AU-9
  - NIST-800-53-SC-7(21)
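The audit script below is an added example, not part of this guide or of the scap-security-guide project. It verifies the two preceding rules the way an administrator would before relying on the remediations: the effective SELINUX= and SELINUXTYPE= values in /etc/selinux/config (the last uncommented assignment wins, so a stray later line can silently override an earlier enforcing setting) and the absence of selinux=0 or enforcing=0 from the kernel command line in /etc/default/grub. The file names, keys and values come from the rules above; the function names and the fixture contents are constructed for the example.

```shell
#!/bin/sh
# Added audit helper, not part of the scap-security-guide content: checks the
# two boot-time SELinux settings from the rules above, the effective SELINUX=
# and SELINUXTYPE= values in /etc/selinux/config and the absence of selinux=0
# or enforcing=0 on the kernel command line in /etc/default/grub. File paths
# are parameters so the checks can be exercised on constructed copies.

# Print the effective value of KEY in a shell-style FILE: comments are ignored
# and the last assignment wins, which is how the file behaves when sourced.
config_value() {
    file="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$file" 2>/dev/null | tail -n 1
}

# Pass when FILE configures SELINUX=WANT_STATE and SELINUXTYPE=WANT_TYPE;
# the guide's values are enforcing and targeted.
check_selinux_config() {
    file="$1"; want_state="${2:-enforcing}"; want_type="${3:-targeted}"
    state="$(config_value "$file" SELINUX)"
    ptype="$(config_value "$file" SELINUXTYPE)"
    rc=0
    if [ "$state" != "$want_state" ]; then
        echo "FAIL: SELINUX is '${state:-unset}' in $file, expected $want_state"; rc=1
    fi
    if [ "$ptype" != "$want_type" ]; then
        echo "FAIL: SELINUXTYPE is '${ptype:-unset}' in $file, expected $want_type"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $file boots SELinux $want_state with the $want_type policy"
    fi
    return "$rc"
}

# Pass when no uncommented line of the GRUB defaults file carries selinux=0 or
# enforcing=0; the match is case-insensitive like the sed remediation above.
check_grub_selinux_args() {
    hits="$(grep -Ein '^[^#]*(selinux|enforcing)=0' "$1" 2>/dev/null)"
    if [ -n "$hits" ]; then
        echo "FAIL: SELinux is disabled on the kernel command line in $1:"
        echo "$hits"; return 1
    fi
    echo "PASS: no selinux=0 or enforcing=0 in $1"
}

# Write constructed good and bad fixtures under DIR, modelled on the RHEL 7
# files, so the checks never touch the live configuration.
make_demo_fixture() {
    d="$1"; mkdir -p "$d"
    printf '# This file controls the state of SELinux on the system.\n' > "$d/config.good"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' >> "$d/config.good"
    # a later assignment silently overrides the earlier enforcing line
    printf 'SELINUX=enforcing\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$d/config.bad"
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$d/grub.good"
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet SELINUX=0"\n' > "$d/grub.bad"
}

# Run the checks on the constructed fixtures; the bad cases are expected to
# fail. On a live host pass /etc/selinux/config and /etc/default/grub instead.
demo() {
    d="${TMPDIR:-/tmp}/selinux-audit-demo.$$"
    make_demo_fixture "$d"
    check_selinux_config "$d/config.good"
    check_selinux_config "$d/config.bad" || true
    check_grub_selinux_args "$d/grub.good"
    check_grub_selinux_args "$d/grub.bad" || true
    rm -rf "$d"
}
demo
```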
Ensure No Daemons are Unconfined by SELinux
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the initrc_t context.
To check for unconfined daemons, run the following command:
$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system.
Warning: Automatic remediation of this control is not available. Remediation
can be achieved by amending SELinux policy or stopping the unconfined
daemons as outlined above.
Identifiers and References: CCE-27288-0; CIS 1.6.1.6; NIST 800-171 3.1.2, 3.1.5, 3.7.2; NIST 800-53 CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6
Rationale: Daemons which run with the initrc_t context may cause AVC denials,
or allow privileges that the daemon does not require.

Ensure No Device Files are Unlabeled by SELinux
Device files, which are used for communication with important system
resources, should be labeled with proper SELinux types. If any device
files do not carry the SELinux type device_t, report the bug so
that policy can be corrected. Supply information about what the device is
and what programs use it.
To check for unlabeled device files, run the following command:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.
Warning: Automatic remediation of this control is not available. The remediation
can be achieved by amending SELinux policy.
Identifiers and References: CCE-27326-8; CCI-000022, CCI-000032, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814; NIST 800-171 3.1.2, 3.1.5, 3.7.2; NIST 800-53 CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6; SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-020900 (SV-86663r2_rule)
Rationale: If a device file carries the SELinux type device_t, then SELinux
cannot properly restrict access to the device file.

Map System Users To The Appropriate SELinux Role
Configure the operating system to prevent non-privileged users from executing
privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures. All administrators must be
mapped to the sysadm_u or staff_u users with the
appropriate domains (sysadm_t and staff_t).
$ sudo semanage login -m -s sysadm_u USER or
$ sudo semanage login -m -s staff_u USER
All authorized non-administrative
users must be mapped to the user_u role or the appropriate domain
(user_t).
$ sudo semanage login -m -s user_u USERCCI-002235SRG-OS-000324-GPOS-00125RHEL-07-020020SV-86595r2_rulePreventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example,
establishing accounts, performing system integrity checks, or administering
cryptographic key management activities. Non-privileged users are individuals
who do not possess appropriate authorizations. Circumventing intrusion detection
and prevention mechanisms or malicious code protection mechanisms are examples
of privileged functions that require protection from non-privileged users.CCE-80543-2Ensure SELinux State is EnforcingThe SELinux state should be set to at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=NT28(R4)1.6.1.2111121314151618345689APO01.06APO11.04APO13.01BAI03.05DSS01.05DSS03.01DSS05.02DSS05.04DSS05.05DSS05.07DSS06.02DSS06.03DSS06.06MEA02.013.1.23.7.2CCI-002165CCI-002696164.308(a)(1)(ii)(D)164.308(a)(3)164.308(a)(4)164.310(b)164.310(c)164.312(a)164.312(e)4.2.3.44.3.3.2.24.3.3.3.94.3.3.44.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.4.74.4.2.14.4.2.24.4.2.44.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.10SR 2.11SR 2.12SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.10.1.1A.11.1.4A.11.1.5A.11.2.1A.12.1.1A.12.1.2A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.1.2A.13.1.3A.13.2.1A.13.2.2A.13.2.3A.13.2.4A.14.1.2A.14.1.3A.6.1.2A.7.1.1A.7.1.2A.7.3.1A.8.2.2A.8.2.3A.9.1.1A.9.1.2A.9.2.1A.9.2.3A.9.4.1A.9.4.4A.9.4.5AC-3AC-3(3)(a)AU-9SC-7(21)DE.AE-1ID.AM-3PR.AC-4PR.AC-5PR.AC-6PR.DS-5PR.PT-1PR.PT-3PR.PT-4SRG-OS-000445-GPOS-00199RHEL-07-020210SV-86613r3_ruleSRG-OS-000445-VMM-001780Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges.CCE-27334-2
Remediation Shell script:
# var_selinux_state is the XCCDF value for this rule; the rule requires "enforcing"
var_selinux_state="enforcing"
# replace_or_append is a helper from the scap-security-guide remediation function
# library: it rewrites every line matching the regex, or appends the formatted
# key=value line when none matches. On RHEL 7, /etc/sysconfig/selinux is a
# symlink to /etc/selinux/config, the file named in the rule description.
replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' "$var_selinux_state" 'CCE-27334-2' '%s=%s'
# Schedule a full file-system relabel so that files created while SELinux was
# not enforcing receive correct labels.
fixfiles onboot
fixfiles -f relabel

Remediation Ansible snippet:
- name: XCCDF Value var_selinux_state # promote to variable
  set_fact:
    var_selinux_state: !!str enforcing
  tags:
    - always

- name: Ensure SELinux State is Enforcing
  lineinfile:
    path: /etc/sysconfig/selinux
    regexp: ^SELINUX=
    line: SELINUX={{ var_selinux_state }}
    create: true
  # Skipped inside Docker containers, where the host owns the SELinux state.
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - selinux_state
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27334-2
    - DISA-STIG-RHEL-07-020210
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - NIST-800-53-AU-9
    - NIST-800-53-SC-7(21)
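The following Python module is an added example, not scap-security-guide code, that performs the checks behind two rules in this section offline: it parses /etc/selinux/config and applies the same replace-or-append logic as the remediation above for the "Ensure SELinux State is Enforcing" rule, and it audits the login to SELinux-user mappings that the "Map System Users To The Appropriate SELinux Role" rule requires, using the column layout of `semanage login -l`. The config file contents and the `semanage login -l` output are constructed samples; the set of administrator logins and the decision to skip the root and system_u entries are assumptions of this example, not part of the rule text.

```python
"""Offline checks for the SELinux state and login-mapping rules (added example)."""
import re

VALID_STATES = {"enforcing", "permissive", "disabled"}
ADMIN_SEUSERS = ("sysadm_u", "staff_u")   # administrators, per the rule text
USER_SEUSER = "user_u"                     # non-administrative users, per the rule text

# Constructed sample of /etc/selinux/config on a non-compliant host.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted
"""

# Constructed sample of `semanage login -l` output (RHEL 7 column layout).
SAMPLE_SEMANAGE_LOGIN = """\

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                sysadm_u             s0-s0:c0.c1023       *
bob                  unconfined_u         s0-s0:c0.c1023       *
carol                user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
"""


def parse_selinux_config(text):
    """Return KEY -> value for uncommented KEY=value lines.
    Comments and blank lines are ignored; a repeated key keeps its last value."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def selinux_state_compliant(text, required="enforcing"):
    """True when the boot-time SELINUX= setting equals the required state."""
    return parse_selinux_config(text).get("SELINUX") == required


def set_selinux_state(text, state):
    """Rewrite the SELINUX= line the way the rule's remediation does: replace the
    existing uncommented assignment (collapsing duplicates to one line) or append
    it when the key is absent. Commented-out SELINUX= lines are documentation
    and are left untouched."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown SELinux state {state!r}")
    assignment = re.compile(r"^\s*SELINUX\s*=")   # does not match SELINUXTYPE=
    out, replaced = [], False
    for line in text.splitlines():
        if assignment.match(line):
            if not replaced:
                out.append(f"SELINUX={state}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"SELINUX={state}")
    return "\n".join(out) + "\n"


def parse_semanage_login(text):
    """Return login name -> SELinux user from `semanage login -l` output."""
    mappings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Login":   # blank or header line
            continue
        mappings[fields[0]] = fields[1]
    return mappings


def unexpected_login_mappings(mappings, admins, skip=("root", "system_u")):
    """List (login, current SELinux user, expected) for each mapping that violates
    the rule: logins in `admins` must map to sysadm_u or staff_u; every other
    login, including the __default__ entry applied to unmapped users, must map
    to user_u. `skip` (an assumption of this example) excludes the root and
    system_u entries, which the rule text does not address."""
    findings = []
    for login, seuser in sorted(mappings.items()):
        if login in skip:
            continue
        if login in admins:
            if seuser not in ADMIN_SEUSERS:
                findings.append((login, seuser, " or ".join(ADMIN_SEUSERS)))
        elif seuser != USER_SEUSER:
            findings.append((login, seuser, USER_SEUSER))
    return findings


if __name__ == "__main__":
    print("SELinux state compliant:", selinux_state_compliant(SAMPLE_CONFIG))
    print(set_selinux_state(SAMPLE_CONFIG, "enforcing"))
    logins = parse_semanage_login(SAMPLE_SEMANAGE_LOGIN)
    for login, seuser, expected in unexpected_login_mappings(logins, admins={"alice", "bob"}):
        print(f"{login}: mapped to {seuser}, expected {expected}")
```

Against the constructed inputs the state check fails on SELINUX=permissive, the rewrite produces a single SELINUX=enforcing line while preserving the comments, and the login audit reports __default__ and bob (the assumed administrator still mapped to unconfined_u). On a real host, feed it the contents of /etc/selinux/config and the captured output of `sudo semanage login -l`; a non-empty findings list corresponds to the `semanage login -m -s ...` remediations given in the rule.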
SELinux - Booleans

Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.

Each SELinux Boolean below is an XCCDF value with three selectable settings: default (the default SELinux boolean setting), on (the SELinux boolean is enabled, value true) and off (the SELinux boolean is disabled, value false). The value in parentheses is the default selected for that boolean.

virt_rw_qemu_ga_data SELinux Boolean (default: false)
mysql_connect_any SELinux Boolean (default: false)
named_tcp_bind_http_port SELinux Boolean (default: false)
ftpd_use_fusefs SELinux Boolean (default: false)
antivirus_use_jit SELinux Boolean (default: false)
mcelog_exec_scripts SELinux Boolean (default: true)
httpd_can_connect_ldap SELinux Boolean (default: false)
selinuxuser_udp_server SELinux Boolean (default: false)
minidlna_read_generic_user_content SELinux Boolean (default: false)
mcelog_server SELinux Boolean (default: false)
httpd_setrlimit SELinux Boolean (default: false)
sge_use_nfs SELinux Boolean (default: false)
polipo_session_users SELinux Boolean (default: false)
xguest_connect_network SELinux Boolean (default: true)
ssh_chroot_rw_homedirs SELinux Boolean (default: false)
git_system_use_cifs SELinux Boolean (default: false)
gluster_export_all_ro SELinux Boolean (default: false)
cobbler_use_nfs SELinux Boolean (default: false)
dbadm_exec_content SELinux Boolean (default: true)
ftpd_connect_all_unreserved SELinux Boolean (default: false)
virt_use_nfs SELinux Boolean (default: false)
nagios_run_pnp4nagios SELinux Boolean (default: false)
prosody_bind_http_port SELinux Boolean (default: false)
samba_enable_home_dirs SELinux Boolean (default: false)
samba_share_fusefs SELinux Boolean (default: false)
zabbix_can_network SELinux Boolean (default: false)
unconfined_login SELinux Boolean (default: true)
abrt_upload_watch_anon_write SELinux Boolean (default: true)
logrotate_use_nfs SELinux Boolean (default: false)
httpd_use_cifs SELinux Boolean (default: false)
ftpd_connect_db SELinux Boolean (default: false)
gluster_export_all_rw SELinux Boolean (default: true)
mount_anyfile SELinux Boolean (default: true)
cron_can_relabel SELinux Boolean (default: false)
user_exec_content SELinux Boolean (default: true)
httpd_use_gpg SELinux Boolean (default: false)
gluster_anon_write SELinux Boolean (default: false)
selinuxuser_execstack SELinux Boolean (default: false)
staff_use_svirt SELinux Boolean (default: false)
httpd_sys_script_anon_write SELinux Boolean (default: false)
httpd_run_stickshift SELinux Boolean (default: false)
httpd_ssi_exec SELinux Boolean (default: false)
gssd_read_tmp SELinux Boolean (default: true)
fcron_crond SELinux Boolean (default: false)
openvpn_enable_homedirs SELinux Boolean (default: true)
pppd_for_user SELinux Boolean (default: false)
polipo_use_nfs SELinux Boolean (default: false)
dbadm_read_user_files SELinux Boolean (default: false)
selinuxuser_ping SELinux Boolean (default: true)
zoneminder_run_sudo SELinux Boolean (default: false)
irssi_use_full_network SELinux Boolean (default: false)
logging_syslogd_can_sendmail SELinux Boolean (default: false)
unconfined_chrome_sandbox_transition SELinux Boolean (default: true)
xdm_exec_bootloader SELinux Boolean (default: false)
httpd_tmp_exec SELinux Boolean (default: false)
polipo_use_cifs SELinux Boolean (default: false)
use_lpd_server SELinux Boolean (default: false)
nfsd_anon_write SELinux Boolean (default: false)
tmpreaper_use_nfs SELinux Boolean (default: false)
telepathy_tcp_connect_generic_network_ports SELinux Boolean (default: true)
mozilla_plugin_can_network_connect SELinux Boolean (default: false)
icecast_use_any_tcp_ports SELinux Boolean (default: false)
selinuxuser_share_music SELinux Boolean (default: false)
postfix_local_write_mail_spool SELinux Boolean (default: true)
virt_sandbox_use_all_caps SELinux Boolean (default: true)
cobbler_use_cifs SELinux Boolean (default: false)
antivirus_can_scan_system SELinux Boolean (default: false)
mock_enable_homedirs SELinux Boolean (default: false)
logging_syslogd_run_nagios_plugins SELinux Boolean (default: false)
cron_system_cronjob_use_shares SELinux Boolean (default: false)
httpd_can_network_connect SELinux Boolean (default: false)
httpd_can_connect_mythtv SELinux Boolean (default: false)
unprivuser_use_svirt SELinux Boolean (default: false)
nfs_export_all_ro SELinux Boolean (default: true)
saslauthd_read_shadow SELinux Boolean (default: false)
xdm_bind_vnc_tcp_port SELinux Boolean (default: false)
xend_run_qemu SELinux Boolean (default: true)
httpd_can_check_spam SELinux Boolean (default: false)
cvs_read_shadow SELinux Boolean (default: false)
cups_execmem SELinux Boolean (default: false)
secure_mode_policyload SELinux Boolean (default: false)
pppd_can_insmod SELinux Boolean (default: false)
samba_domain_controller SELinux Boolean (default: false)
dhcpc_exec_iptables SELinux Boolean (default: false)
virt_use_usb SELinux Boolean (default: true)
httpd_can_sendmail SELinux Boolean (default: false)
domain_fd_use SELinux Boolean (default: true)
virt_sandbox_use_mknod SELinux Boolean (default: false)
zebra_write_config SELinux Boolean (default: false)
exim_can_connect_db SELinux Boolean (default: false)
httpd_use_sasl SELinux Boolean (default: false)
abrt_handle_event SELinux Boolean (default: false)
httpd_can_network_relay SELinux Boolean (default: false)
cobbler_can_network_connect SELinux Boolean (default: false)
unconfined_mozilla_plugin_transition SELinux Boolean (default: true)
pcp_bind_all_unreserved_ports SELinux Boolean (default: false)
nagios_run_sudo SELinux Boolean (default: false)
virt_sandbox_use_netlink SELinux Boolean (default: false)
httpd_unified SELinux Boolean (default: false)
nis_enabled SELinux Boolean (default: false)
httpd_graceful_shutdown SELinux Boolean (default: true)
staff_exec_content SELinux Boolean (default: true)
mailman_use_fusefs SELinux Boolean (default: false)
openshift_use_nfs SELinux Boolean (default: false)
postgresql_selinux_transmit_client_label SELinux Boolean (default: false)
httpd_dbus_avahi SELinux Boolean (default: false)
named_write_master_zones SELinux Boolean (default: false)
exim_read_user_files SELinux Boolean (default: false)
samba_run_unconfined SELinux Boolean (default: false)
lsmd_plugin_connect_any SELinux Boolean (default: false)
use_nfs_home_dirs SELinux Boolean (default: false)
xend_run_blktap SELinux Boolean (default: true)
daemons_use_tcp_wrapper SELinux Boolean (default: false)
authlogin_yubikey SELinux Boolean (default: false)
entropyd_use_audio SELinux Boolean (default: true)
httpd_enable_cgi SELinux Boolean (default: true)
zoneminder_anon_write SELinux Boolean (default: false)
daemons_dump_core SELinux Boolean (default: false)
glance_api_can_network SELinux Boolean (default: false)
deny_ptrace SELinux Boolean (default: false)
logwatch_can_network_connect_mail SELinux Boolean (default: false)
authlogin_nsswitch_use_ldap SELinux Boolean (default: false)
cdrecord_read_content SELinux Boolean (default: false)
nfs_export_all_rw SELinux Boolean (default: true)
xen_use_nfs SELinux Boolean (default: false)
glance_use_execmem SELinux Boolean (default: false)
use_fusefs_home_dirs SELinux Boolean (default: false)
glance_use_fusefs SELinux Boolean (default: false)
polipo_connect_all_unreserved SELinux Boolean (default: false)
rsync_client SELinux Boolean (default: false)
httpd_can_network_connect_cobbler SELinux Boolean (default: false)
mozilla_plugin_use_spice SELinux Boolean (default: false)
selinuxuser_execheap SELinux Boolean (default: false)
mpd_use_nfs SELinux Boolean (default: false)
httpd_mod_auth_ntlm_winbind SELinux Boolean (default: false)
virt_use_comm SELinux Boolean (default: false)
varnishd_connect_any SELinux Boolean (default: false)
selinuxuser_execmod SELinux Boolean (default: true)
fenced_can_ssh SELinux Boolean (default: false)
webadm_manage_user_files SELinux Boolean (default: false)
awstats_purge_apache_log_files SELinux Boolean (default: false)
openvpn_can_network_connect SELinux Boolean (default: true)
sanlock_use_samba SELinux Boolean (default: false)
exim_manage_user_files SELinux Boolean (default: false)
xdm_write_home SELinux Boolean (default: false)
selinuxuser_mysql_connect_enabled SELinux Boolean (default: false)
xguest_exec_content SELinux Boolean (default: true)
git_system_enable_homedirs SELinux Boolean (default: false)
mmap_low_allowed SELinux Boolean (default: false)
ftpd_use_nfs SELinux Boolean (default: false)
httpd_manage_ipa SELinux Boolean (default: false)
postgresql_selinux_unconfined_dbadm SELinux Boolean (default: true)
git_session_bind_all_unreserved_ports SELinux Boolean (default: false)
ssh_keysign SELinux Boolean (default: false)
httpd_serve_cobbler_files SELinux Boolean (default: false)
samba_export_all_rw SELinux Boolean (default: false)
postgresql_can_rsync SELinux Boolean (default: false)
wine_mmap_zero_ignore SELinux Boolean (default: false)
kdumpgui_run_bootloader SELinux Boolean (default: false)
cluster_can_network_connect SELinux Boolean (default: false)
virt_sandbox_use_audit SELinux Boolean (default: true)
httpd_can_network_connect_db SELinux Boolean (default: false)
rsync_export_all_ro SELinux Boolean (default: false)
conman_can_network SELinux Boolean (default: false)
virt_read_qemu_ga_data SELinux Boolean (default: false)
ftpd_anon_write SELinux Boolean (default: false)
httpd_builtin_scripting SELinux Boolean (default: true)
mcelog_client SELinux Boolean (default: false)
auditadm_exec_content SELinux Boolean (default: true)
virt_use_xserver SELinux Boolean (default: false)
samba_export_all_ro SELinux Boolean (default: false)
xserver_object_manager SELinux Boolean (default: false)
cobbler_anon_write SELinux Boolean (default: false)
tftp_home_dir SELinux Boolean (default: false)
mpd_enable_homedirs SELinux Boolean (default: false)
selinuxuser_postgresql_connect_enabled SELinux Boolean (default: false)
tor_can_network_relay SELinux Boolean (default: false)
dbadm_manage_user_files SELinux Boolean (default: false)
gitosis_can_sendmail SELinux Boolean (default: false)
rsync_anon_write SELinux Boolean (default: false)
zarafa_setrlimit SELinux Boolean (default: false)
tor_bind_all_unreserved_ports SELinux Boolean (default: false)
httpd_verify_dns SELinux Boolean (default: false)
haproxy_connect_any SELinux Boolean (default: false)
virt_transition_userdomain SELinux Boolean (default: false)
webadm_read_user_files SELinux Boolean (default: false)
spamassassin_can_network SELinux Boolean (default: false)
kerberos_enabled SELinux Boolean (default: true)
httpd_run_ipa SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesge_domain_can_network_connect SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsepcp_read_generic_logs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_mod_auth_pam SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseselinuxuser_tcp_server SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesanlock_use_nfs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesamba_portmapper SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseselinuxuser_rw_noexattrfile SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalseracoon_read_shadow SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_use_openstack SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsefips_mode SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsehttpd_execmem SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsedhcpd_use_ldap SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_use_nfs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsepiranha_lvs_can_network_connect SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseopenvpn_run_unconfined SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsetmpreaper_use_samba SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseksmtuned_use_nfs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseksmtuned_use_cifs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsexserver_clients_write_xshm SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsepolipo_session_bind_all_unreserved_ports SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesquid_connect_any SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsehttpd_use_fusefs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseauthlogin_radius SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsexguest_use_bluetooth SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsecollectd_tcp_network_connect SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsexdm_sysadm_login SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsedaemons_use_tty SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseuse_ecryptfs_home_dirs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsegpg_web_anon_write SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsefenced_can_network_connect SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsedaemons_enable_cluster_mode SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsedeny_execmem SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseuse_samba_home_dirs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsevirt_sandbox_use_sys_admin SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalselogin_console_enabled SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsecondor_tcp_network_connect SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_can_connect_ftp SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalselogging_syslogd_use_tty SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsepolyinstantiation_enabled SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsemozilla_plugin_bind_unreserved_ports SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_anon_write SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesamba_share_nfs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesmartmon_3ware SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseftpd_use_cifs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_enable_ftp_server SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseselinuxuser_direct_dri_enabled SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsehttpd_dbus_sssd SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsegit_session_users SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_can_network_memcache SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsempd_use_cifs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsegit_cgi_enable_homedirs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesamba_create_home_dirs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsegit_cgi_use_nfs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsetelepathy_connect_all_ports SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsegit_system_use_nfs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsetftp_anon_write SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseboinc_execmem SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsessh_sysadm_login SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesanlock_use_fusefs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsevirt_use_sanlock SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsevirt_use_samba SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsepostgresql_selinux_users_ddl SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalseirc_use_any_tcp_ports SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsevirt_use_execmem SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsexserver_execmem SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsemozilla_plugin_use_gps SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsedomain_kernel_load_modules SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseswift_can_network SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseftpd_full_access SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseglobal_ssp SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_dontaudit_search_dirs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_enable_homedirs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsevirt_use_rawip SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesquid_use_tproxy SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_read_user_content SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsenscd_use_shm SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsecluster_use_execmem SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_run_preupgrade SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesamba_load_libgfapi SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsemozilla_plugin_use_bluejeans SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseftpd_use_passive_mode SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsehttpd_can_connect_zabbix SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesecure_mode_insmod SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsexguest_mount_media SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsecontainer_connect_any SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsevirt_use_fusefs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesecadm_exec_content SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsehttpd_tty_comm SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesecure_mode SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsemplayer_execstack SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseneutron_can_network SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsepuppetmaster_use_db SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesmbd_anon_write SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsepuppetagent_manage_all_files SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsecron_userdomain_transition SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalseabrt_anon_write SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseguest_exec_content SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsemozilla_read_content SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsesysadm_exec_content SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsecluster_manage_all_files SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseprivoxy_connect_any SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsersync_full_access SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsemcelog_foreground SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseselinuxuser_use_ssh_chroot SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalsespamd_enable_home_dirs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalselogadm_exec_content SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.truetruefalsegit_cgi_use_cifs SELinux Booleandefault - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.falsetruefalseDisable the openvpn_can_network_connect SELinux BooleanBy default, the SELinux boolean openvpn_can_network_connect is enabled.
This setting should be disabled.
To disable the openvpn_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P openvpn_can_network_connect off
Remediation Shell script:
var_openvpn_can_network_connect="false"   # value of the "off" selector
setsebool -P openvpn_can_network_connect $var_openvpn_can_network_connect
Remediation Ansible snippet:
- name: XCCDF Value var_openvpn_can_network_connect # promote to variable
  set_fact:
    var_openvpn_can_network_connect: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_openvpn_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
- name: Set SELinux boolean openvpn_can_network_connect accordingly
  seboolean:
    name: openvpn_can_network_connect
    state: '{{ var_openvpn_can_network_connect }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_openvpn_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the pcp_bind_all_unreserved_ports SELinux Boolean
By default, the SELinux boolean pcp_bind_all_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the pcp_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P pcp_bind_all_unreserved_ports off
Remediation Shell script:
var_pcp_bind_all_unreserved_ports="false"   # value of the "off" selector
setsebool -P pcp_bind_all_unreserved_ports $var_pcp_bind_all_unreserved_ports
Remediation Ansible snippet:
- name: XCCDF Value var_pcp_bind_all_unreserved_ports # promote to variable
  set_fact:
    var_pcp_bind_all_unreserved_ports: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_pcp_bind_all_unreserved_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
- name: Set SELinux boolean pcp_bind_all_unreserved_ports accordingly
  seboolean:
    name: pcp_bind_all_unreserved_ports
    state: '{{ var_pcp_bind_all_unreserved_ports }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_pcp_bind_all_unreserved_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the ssh_sysadm_login SELinux Boolean
By default, the SELinux boolean ssh_sysadm_login is disabled.
If this setting is enabled, it should be disabled.
To disable the ssh_sysadm_login SELinux boolean, run the following command:
$ sudo setsebool -P ssh_sysadm_login off
Identifiers: CCE-82327-8
References: NT28(R67)
Remediation Shell script:
var_ssh_sysadm_login="false"   # value of the "off" selector
setsebool -P ssh_sysadm_login $var_ssh_sysadm_login
Remediation Ansible snippet:
- name: XCCDF Value var_ssh_sysadm_login # promote to variable
  set_fact:
    var_ssh_sysadm_login: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ssh_sysadm_login
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82327-8
- name: Set SELinux boolean ssh_sysadm_login accordingly
  seboolean:
    name: ssh_sysadm_login
    state: '{{ var_ssh_sysadm_login }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ssh_sysadm_login
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82327-8
Disable the polipo_connect_all_unreserved SELinux Boolean
By default, the SELinux boolean polipo_connect_all_unreserved is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_connect_all_unreserved SELinux boolean, run the following command:
$ sudo setsebool -P polipo_connect_all_unreserved off
Remediation Shell script:
var_polipo_connect_all_unreserved="false"   # value of the "off" selector
setsebool -P polipo_connect_all_unreserved $var_polipo_connect_all_unreserved
Remediation Ansible snippet:
- name: XCCDF Value var_polipo_connect_all_unreserved # promote to variable
  set_fact:
    var_polipo_connect_all_unreserved: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_polipo_connect_all_unreserved
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
- name: Set SELinux boolean polipo_connect_all_unreserved accordingly
  seboolean:
    name: polipo_connect_all_unreserved
    state: '{{ var_polipo_connect_all_unreserved }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_polipo_connect_all_unreserved
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the login_console_enabled SELinux Boolean
By default, the SELinux boolean login_console_enabled is enabled.
If this setting is disabled, it should be enabled, as it allows login from /dev/console to a console session.
To enable the login_console_enabled SELinux boolean, run the following command:
$ sudo setsebool -P login_console_enabled on
Identifiers: CCE-82301-3
Remediation Shell script:
var_login_console_enabled="true"   # value of the "on" selector
setsebool -P login_console_enabled $var_login_console_enabled
Remediation Ansible snippet:
- name: XCCDF Value var_login_console_enabled # promote to variable
  set_fact:
    var_login_console_enabled: !!str true
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_login_console_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82301-3
- name: Set SELinux boolean login_console_enabled accordingly
  seboolean:
    name: login_console_enabled
    state: '{{ var_login_console_enabled }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_login_console_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82301-3
Disable the httpd_run_stickshift SELinux Boolean
By default, the SELinux boolean httpd_run_stickshift is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_run_stickshift SELinux boolean, run the following command:
$ sudo setsebool -P httpd_run_stickshift off
Remediation Shell script:
var_httpd_run_stickshift="false"   # value of the "off" selector
setsebool -P httpd_run_stickshift $var_httpd_run_stickshift
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_run_stickshift # promote to variable
  set_fact:
    var_httpd_run_stickshift: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_run_stickshift
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
- name: Set SELinux boolean httpd_run_stickshift accordingly
  seboolean:
    name: httpd_run_stickshift
    state: '{{ var_httpd_run_stickshift }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_run_stickshift
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the minidlna_read_generic_user_content SELinux Boolean
By default, the SELinux boolean minidlna_read_generic_user_content is disabled.
If this setting is enabled, it should be disabled.
To disable the minidlna_read_generic_user_content SELinux boolean, run the following command:
$ sudo setsebool -P minidlna_read_generic_user_content off
Remediation Shell script:
var_minidlna_read_generic_user_content="false"   # value of the "off" selector
setsebool -P minidlna_read_generic_user_content $var_minidlna_read_generic_user_content
Remediation Ansible snippet:
- name: XCCDF Value var_minidlna_read_generic_user_content # promote to variable
  set_fact:
    var_minidlna_read_generic_user_content: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_minidlna_read_generic_user_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
- name: Set SELinux boolean minidlna_read_generic_user_content accordingly
  seboolean:
    name: minidlna_read_generic_user_content
    state: '{{ var_minidlna_read_generic_user_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_minidlna_read_generic_user_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the auditadm_exec_content SELinux Boolean
By default, the SELinux boolean auditadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the auditadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P auditadm_exec_content on
Identifiers: CCE-80424-5
References: NIST 800-171: 80424-5
Remediation Shell script:
var_auditadm_exec_content="true"   # value of the "on" selector
setsebool -P auditadm_exec_content $var_auditadm_exec_content
Remediation Ansible snippet:
- name: XCCDF Value var_auditadm_exec_content # promote to variable
  set_fact:
    var_auditadm_exec_content: !!str true
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_auditadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80424-5
    - NIST-800-171-80424-5
- name: Set SELinux boolean auditadm_exec_content accordingly
  seboolean:
    name: auditadm_exec_content
    state: '{{ var_auditadm_exec_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_auditadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80424-5
    - NIST-800-171-80424-5
Disable the authlogin_radius SELinux Boolean
By default, the SELinux boolean authlogin_radius is disabled.
If this setting is enabled, it should be disabled.
To disable the authlogin_radius SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_radius off
Identifiers: CCE-80426-0
References: NIST 800-171: 3.7.2
Remediation Shell script:
var_authlogin_radius="false"   # value of the "off" selector
setsebool -P authlogin_radius $var_authlogin_radius
Remediation Ansible snippet:
- name: XCCDF Value var_authlogin_radius # promote to variable
  set_fact:
    var_authlogin_radius: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_authlogin_radius
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80426-0
    - NIST-800-171-3.7.2
- name: Set SELinux boolean authlogin_radius accordingly
  seboolean:
    name: authlogin_radius
    state: '{{ var_authlogin_radius }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_authlogin_radius
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80426-0
    - NIST-800-171-3.7.2
Disable the logwatch_can_network_connect_mail SELinux Boolean
By default, the SELinux boolean logwatch_can_network_connect_mail is disabled.
If this setting is enabled, it should be disabled.
To disable the logwatch_can_network_connect_mail SELinux boolean, run the following command:
$ sudo setsebool -P logwatch_can_network_connect_mail off
Remediation Shell script:
var_logwatch_can_network_connect_mail="false"   # value of the "off" selector
setsebool -P logwatch_can_network_connect_mail $var_logwatch_can_network_connect_mail
Remediation Ansible snippet:
- name: XCCDF Value var_logwatch_can_network_connect_mail # promote to variable
  set_fact:
    var_logwatch_can_network_connect_mail: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_logwatch_can_network_connect_mail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
- name: Set SELinux boolean logwatch_can_network_connect_mail accordingly
  seboolean:
    name: logwatch_can_network_connect_mail
    state: '{{ var_logwatch_can_network_connect_mail }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_logwatch_can_network_connect_mail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the logrotate_use_nfs SELinux Boolean
By default, the SELinux boolean logrotate_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the logrotate_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P logrotate_use_nfs off
Remediation Shell script:
var_logrotate_use_nfs="false"   # value of the "off" selector
setsebool -P logrotate_use_nfs $var_logrotate_use_nfs
Remediation Ansible snippet:
- name: XCCDF Value var_logrotate_use_nfs # promote to variable
  set_fact:
    var_logrotate_use_nfs: !!str false
  tags:
    - always
- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_logrotate_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
- name: Set SELinux boolean logrotate_use_nfs accordingly
  seboolean:
    name: logrotate_use_nfs
    state: '{{ var_logrotate_use_nfs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_logrotate_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the git_cgi_use_cifs SELinux Boolean
By default, the SELinux boolean git_cgi_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_cgi_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P git_cgi_use_cifs off
var_git_cgi_use_cifs=""
setsebool -P git_cgi_use_cifs $var_git_cgi_use_cifs
- name: XCCDF Value var_git_cgi_use_cifs # promote to variable
  set_fact:
    var_git_cgi_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_git_cgi_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean git_cgi_use_cifs accordingly
  seboolean:
    name: git_cgi_use_cifs
    state: '{{ var_git_cgi_use_cifs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_git_cgi_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the selinuxuser_execstack SELinux Boolean
By default, the SELinux boolean selinuxuser_execstack is enabled.
This setting should be disabled as unconfined executables should not be able
to make their stack executable.
To disable the selinuxuser_execstack SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execstack off
References: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
Identifiers: CCE-82314-6
var_selinuxuser_execstack=""
setsebool -P selinuxuser_execstack $var_selinuxuser_execstack
- name: XCCDF Value var_selinuxuser_execstack # promote to variable
  set_fact:
    var_selinuxuser_execstack: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_execstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82314-6

- name: Set SELinux boolean selinuxuser_execstack accordingly
  seboolean:
    name: selinuxuser_execstack
    state: '{{ var_selinuxuser_execstack }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_execstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82314-6
Disable the entropyd_use_audio SELinux Boolean
By default, the SELinux boolean entropyd_use_audio is enabled.
This setting should be disabled as it allows the entropy daemon to use audio input to generate entropy.
To disable the entropyd_use_audio SELinux boolean, run the following command:
$ sudo setsebool -P entropyd_use_audio off
var_entropyd_use_audio=""
setsebool -P entropyd_use_audio $var_entropyd_use_audio
- name: XCCDF Value var_entropyd_use_audio # promote to variable
  set_fact:
    var_entropyd_use_audio: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_entropyd_use_audio
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean entropyd_use_audio accordingly
  seboolean:
    name: entropyd_use_audio
    state: '{{ var_entropyd_use_audio }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_entropyd_use_audio
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the gpg_web_anon_write SELinux Boolean
By default, the SELinux boolean gpg_web_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the gpg_web_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P gpg_web_anon_write off
Identifiers: CCE-82294-0
var_gpg_web_anon_write=""
setsebool -P gpg_web_anon_write $var_gpg_web_anon_write
- name: XCCDF Value var_gpg_web_anon_write # promote to variable
  set_fact:
    var_gpg_web_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_gpg_web_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82294-0

- name: Set SELinux boolean gpg_web_anon_write accordingly
  seboolean:
    name: gpg_web_anon_write
    state: '{{ var_gpg_web_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_gpg_web_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82294-0
Enable the mount_anyfile SELinux Boolean
By default, the SELinux boolean mount_anyfile is enabled.
If this setting is disabled, it should be enabled to allow any file
or directory to be mounted.
To enable the mount_anyfile SELinux boolean, run the following command:
$ sudo setsebool -P mount_anyfile on
Identifiers: CCE-82304-7
var_mount_anyfile=""
setsebool -P mount_anyfile $var_mount_anyfile
- name: XCCDF Value var_mount_anyfile # promote to variable
  set_fact:
    var_mount_anyfile: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mount_anyfile
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82304-7

- name: Set SELinux boolean mount_anyfile accordingly
  seboolean:
    name: mount_anyfile
    state: '{{ var_mount_anyfile }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mount_anyfile
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82304-7
Disable the smartmon_3ware SELinux Boolean
By default, the SELinux boolean smartmon_3ware is disabled.
If this setting is enabled, it should be disabled.
To disable the smartmon_3ware SELinux boolean, run the following command:
$ sudo setsebool -P smartmon_3ware off
var_smartmon_3ware=""
setsebool -P smartmon_3ware $var_smartmon_3ware
- name: XCCDF Value var_smartmon_3ware # promote to variable
  set_fact:
    var_smartmon_3ware: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_smartmon_3ware
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean smartmon_3ware accordingly
  seboolean:
    name: smartmon_3ware
    state: '{{ var_smartmon_3ware }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_smartmon_3ware
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the git_cgi_enable_homedirs SELinux Boolean
By default, the SELinux boolean git_cgi_enable_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_cgi_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P git_cgi_enable_homedirs off
var_git_cgi_enable_homedirs=""
setsebool -P git_cgi_enable_homedirs $var_git_cgi_enable_homedirs
- name: XCCDF Value var_git_cgi_enable_homedirs # promote to variable
  set_fact:
    var_git_cgi_enable_homedirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_git_cgi_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean git_cgi_enable_homedirs accordingly
  seboolean:
    name: git_cgi_enable_homedirs
    state: '{{ var_git_cgi_enable_homedirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_git_cgi_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_sys_script_anon_write SELinux Boolean
By default, the SELinux boolean httpd_sys_script_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_sys_script_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P httpd_sys_script_anon_write off
var_httpd_sys_script_anon_write=""
setsebool -P httpd_sys_script_anon_write $var_httpd_sys_script_anon_write
- name: XCCDF Value var_httpd_sys_script_anon_write # promote to variable
  set_fact:
    var_httpd_sys_script_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_sys_script_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_sys_script_anon_write accordingly
  seboolean:
    name: httpd_sys_script_anon_write
    state: '{{ var_httpd_sys_script_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_sys_script_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_can_check_spam SELinux Boolean
By default, the SELinux boolean httpd_can_check_spam is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_check_spam SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_check_spam off
var_httpd_can_check_spam=""
setsebool -P httpd_can_check_spam $var_httpd_can_check_spam
- name: XCCDF Value var_httpd_can_check_spam # promote to variable
  set_fact:
    var_httpd_can_check_spam: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_check_spam
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_can_check_spam accordingly
  seboolean:
    name: httpd_can_check_spam
    state: '{{ var_httpd_can_check_spam }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_check_spam
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the fenced_can_ssh SELinux Boolean
By default, the SELinux boolean fenced_can_ssh is disabled.
If this setting is enabled, it should be disabled.
To disable the fenced_can_ssh SELinux boolean, run the following command:
$ sudo setsebool -P fenced_can_ssh off
var_fenced_can_ssh=""
setsebool -P fenced_can_ssh $var_fenced_can_ssh
- name: XCCDF Value var_fenced_can_ssh # promote to variable
  set_fact:
    var_fenced_can_ssh: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_fenced_can_ssh
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean fenced_can_ssh accordingly
  seboolean:
    name: fenced_can_ssh
    state: '{{ var_fenced_can_ssh }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_fenced_can_ssh
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the dbadm_read_user_files SELinux Boolean
By default, the SELinux boolean dbadm_read_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the dbadm_read_user_files SELinux boolean, run the following command:
$ sudo setsebool -P dbadm_read_user_files off
var_dbadm_read_user_files=""
setsebool -P dbadm_read_user_files $var_dbadm_read_user_files
- name: XCCDF Value var_dbadm_read_user_files # promote to variable
  set_fact:
    var_dbadm_read_user_files: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_dbadm_read_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean dbadm_read_user_files accordingly
  seboolean:
    name: dbadm_read_user_files
    state: '{{ var_dbadm_read_user_files }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_dbadm_read_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_can_network_connect SELinux Boolean
By default, the SELinux boolean httpd_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_connect off
var_httpd_can_network_connect=""
setsebool -P httpd_can_network_connect $var_httpd_can_network_connect
- name: XCCDF Value var_httpd_can_network_connect # promote to variable
  set_fact:
    var_httpd_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_can_network_connect accordingly
  seboolean:
    name: httpd_can_network_connect
    state: '{{ var_httpd_can_network_connect }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the mozilla_plugin_can_network_connect SELinux Boolean
By default, the SELinux boolean mozilla_plugin_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_can_network_connect off
var_mozilla_plugin_can_network_connect=""
setsebool -P mozilla_plugin_can_network_connect $var_mozilla_plugin_can_network_connect
- name: XCCDF Value var_mozilla_plugin_can_network_connect # promote to variable
  set_fact:
    var_mozilla_plugin_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mozilla_plugin_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mozilla_plugin_can_network_connect accordingly
  seboolean:
    name: mozilla_plugin_can_network_connect
    state: '{{ var_mozilla_plugin_can_network_connect }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mozilla_plugin_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the git_session_bind_all_unreserved_ports SELinux Boolean
By default, the SELinux boolean git_session_bind_all_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the git_session_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P git_session_bind_all_unreserved_ports off
var_git_session_bind_all_unreserved_ports=""
setsebool -P git_session_bind_all_unreserved_ports $var_git_session_bind_all_unreserved_ports
- name: XCCDF Value var_git_session_bind_all_unreserved_ports # promote to variable
  set_fact:
    var_git_session_bind_all_unreserved_ports: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_git_session_bind_all_unreserved_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean git_session_bind_all_unreserved_ports accordingly
  seboolean:
    name: git_session_bind_all_unreserved_ports
    state: '{{ var_git_session_bind_all_unreserved_ports }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_git_session_bind_all_unreserved_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the tmpreaper_use_samba SELinux Boolean
By default, the SELinux boolean tmpreaper_use_samba is disabled.
If this setting is enabled, it should be disabled.
To disable the tmpreaper_use_samba SELinux boolean, run the following command:
$ sudo setsebool -P tmpreaper_use_samba off
var_tmpreaper_use_samba=""
setsebool -P tmpreaper_use_samba $var_tmpreaper_use_samba
- name: XCCDF Value var_tmpreaper_use_samba # promote to variable
  set_fact:
    var_tmpreaper_use_samba: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tmpreaper_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean tmpreaper_use_samba accordingly
  seboolean:
    name: tmpreaper_use_samba
    state: '{{ var_tmpreaper_use_samba }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tmpreaper_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_can_connect_zabbix SELinux Boolean
By default, the SELinux boolean httpd_can_connect_zabbix is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_zabbix SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_zabbix off
var_httpd_can_connect_zabbix=""
setsebool -P httpd_can_connect_zabbix $var_httpd_can_connect_zabbix
- name: XCCDF Value var_httpd_can_connect_zabbix # promote to variable
  set_fact:
    var_httpd_can_connect_zabbix: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_connect_zabbix
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_can_connect_zabbix accordingly
  seboolean:
    name: httpd_can_connect_zabbix
    state: '{{ var_httpd_can_connect_zabbix }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_connect_zabbix
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_anon_write SELinux Boolean
By default, the SELinux boolean httpd_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P httpd_anon_write off
var_httpd_anon_write=""
setsebool -P httpd_anon_write $var_httpd_anon_write
- name: XCCDF Value var_httpd_anon_write # promote to variable
  set_fact:
    var_httpd_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_anon_write accordingly
  seboolean:
    name: httpd_anon_write
    state: '{{ var_httpd_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_can_connect_ldap SELinux Boolean
By default, the SELinux boolean httpd_can_connect_ldap is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_ldap SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_ldap off
var_httpd_can_connect_ldap=""
setsebool -P httpd_can_connect_ldap $var_httpd_can_connect_ldap
- name: XCCDF Value var_httpd_can_connect_ldap # promote to variable
  set_fact:
    var_httpd_can_connect_ldap: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_connect_ldap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_can_connect_ldap accordingly
  seboolean:
    name: httpd_can_connect_ldap
    state: '{{ var_httpd_can_connect_ldap }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_connect_ldap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_dbus_avahi SELinux Boolean
By default, the SELinux boolean httpd_dbus_avahi is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_dbus_avahi SELinux boolean, run the following command:
$ sudo setsebool -P httpd_dbus_avahi off
var_httpd_dbus_avahi=""
setsebool -P httpd_dbus_avahi $var_httpd_dbus_avahi
- name: XCCDF Value var_httpd_dbus_avahi # promote to variable
  set_fact:
    var_httpd_dbus_avahi: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_dbus_avahi
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_dbus_avahi accordingly
  seboolean:
    name: httpd_dbus_avahi
    state: '{{ var_httpd_dbus_avahi }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_dbus_avahi
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the dhcpc_exec_iptables SELinux Boolean
By default, the SELinux boolean dhcpc_exec_iptables is disabled.
If this setting is enabled, it should be disabled.
To disable the dhcpc_exec_iptables SELinux boolean, run the following command:
$ sudo setsebool -P dhcpc_exec_iptables off
var_dhcpc_exec_iptables=""
setsebool -P dhcpc_exec_iptables $var_dhcpc_exec_iptables
- name: XCCDF Value var_dhcpc_exec_iptables # promote to variable
  set_fact:
    var_dhcpc_exec_iptables: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_dhcpc_exec_iptables
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean dhcpc_exec_iptables accordingly
  seboolean:
    name: dhcpc_exec_iptables
    state: '{{ var_dhcpc_exec_iptables }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_dhcpc_exec_iptables
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the xdm_exec_bootloader SELinux Boolean
By default, the SELinux boolean xdm_exec_bootloader is disabled.
If this setting is enabled, it should be disabled.
To disable the xdm_exec_bootloader SELinux boolean, run the following command:
$ sudo setsebool -P xdm_exec_bootloader off
Identifiers: CCE-82334-4
var_xdm_exec_bootloader=""
setsebool -P xdm_exec_bootloader $var_xdm_exec_bootloader
- name: XCCDF Value var_xdm_exec_bootloader # promote to variable
  set_fact:
    var_xdm_exec_bootloader: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xdm_exec_bootloader
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82334-4

- name: Set SELinux boolean xdm_exec_bootloader accordingly
  seboolean:
    name: xdm_exec_bootloader
    state: '{{ var_xdm_exec_bootloader }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xdm_exec_bootloader
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82334-4
Disable the ftpd_connect_db SELinux Boolean
By default, the SELinux boolean ftpd_connect_db is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_connect_db SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_connect_db off
var_ftpd_connect_db=""
setsebool -P ftpd_connect_db $var_ftpd_connect_db
- name: XCCDF Value var_ftpd_connect_db # promote to variable
  set_fact:
    var_ftpd_connect_db: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_connect_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean ftpd_connect_db accordingly
  seboolean:
    name: ftpd_connect_db
    state: '{{ var_ftpd_connect_db }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_connect_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the zoneminder_run_sudo SELinux Boolean
By default, the SELinux boolean zoneminder_run_sudo is disabled.
If this setting is enabled, it should be disabled.
To disable the zoneminder_run_sudo SELinux boolean, run the following command:
$ sudo setsebool -P zoneminder_run_sudo off
var_zoneminder_run_sudo=""
setsebool -P zoneminder_run_sudo $var_zoneminder_run_sudo
- name: XCCDF Value var_zoneminder_run_sudo # promote to variable
  set_fact:
    var_zoneminder_run_sudo: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_zoneminder_run_sudo
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean zoneminder_run_sudo accordingly
  seboolean:
    name: zoneminder_run_sudo
    state: '{{ var_zoneminder_run_sudo }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_zoneminder_run_sudo
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the cron_can_relabel SELinux Boolean
By default, the SELinux boolean cron_can_relabel is disabled.
If this setting is enabled, it should be disabled.
To disable the cron_can_relabel SELinux boolean, run the following command:
$ sudo setsebool -P cron_can_relabel off
Identifiers: CCE-82284-1
var_cron_can_relabel=""
setsebool -P cron_can_relabel $var_cron_can_relabel
- name: XCCDF Value var_cron_can_relabel # promote to variable
  set_fact:
    var_cron_can_relabel: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cron_can_relabel
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82284-1

- name: Set SELinux boolean cron_can_relabel accordingly
  seboolean:
    name: cron_can_relabel
    state: '{{ var_cron_can_relabel }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cron_can_relabel
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82284-1
Disable the openvpn_run_unconfined SELinux Boolean
By default, the SELinux boolean openvpn_run_unconfined is disabled.
If this setting is enabled, it should be disabled.
To disable the openvpn_run_unconfined SELinux boolean, run the following command:
$ sudo setsebool -P openvpn_run_unconfined off
var_openvpn_run_unconfined=""
setsebool -P openvpn_run_unconfined $var_openvpn_run_unconfined
- name: XCCDF Value var_openvpn_run_unconfined # promote to variable
  set_fact:
    var_openvpn_run_unconfined: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_openvpn_run_unconfined
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean openvpn_run_unconfined accordingly
  seboolean:
    name: openvpn_run_unconfined
    state: '{{ var_openvpn_run_unconfined }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_openvpn_run_unconfined
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the zebra_write_config SELinux Boolean
By default, the SELinux boolean zebra_write_config is disabled.
If this setting is enabled, it should be disabled.
To disable the zebra_write_config SELinux boolean, run the following command:
$ sudo setsebool -P zebra_write_config off
var_zebra_write_config=""
setsebool -P zebra_write_config $var_zebra_write_config
- name: XCCDF Value var_zebra_write_config # promote to variable
  set_fact:
    var_zebra_write_config: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_zebra_write_config
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean zebra_write_config accordingly
  seboolean:
    name: zebra_write_config
    state: '{{ var_zebra_write_config }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_zebra_write_config
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the sge_use_nfs SELinux Boolean

By default, the SELinux boolean sge_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the sge_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P sge_use_nfs off

Remediation Shell script:
var_sge_use_nfs="off"
setsebool -P sge_use_nfs $var_sge_use_nfs

Remediation Ansible snippet:
- name: XCCDF Value var_sge_use_nfs # promote to variable
  set_fact:
    var_sge_use_nfs: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_sge_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean sge_use_nfs accordingly
  seboolean:
    name: sge_use_nfs
    state: '{{ var_sge_use_nfs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_sge_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean

By default, the SELinux boolean telepathy_tcp_connect_generic_network_ports is enabled.
This setting should be disabled, as telepathy should not connect to any generic network ports.
To disable the telepathy_tcp_connect_generic_network_ports SELinux boolean, run the following command:
$ sudo setsebool -P telepathy_tcp_connect_generic_network_ports off

Remediation Shell script:
var_telepathy_tcp_connect_generic_network_ports="off"
setsebool -P telepathy_tcp_connect_generic_network_ports $var_telepathy_tcp_connect_generic_network_ports

Remediation Ansible snippet:
- name: XCCDF Value var_telepathy_tcp_connect_generic_network_ports # promote to variable
  set_fact:
    var_telepathy_tcp_connect_generic_network_ports: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_telepathy_tcp_connect_generic_network_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean telepathy_tcp_connect_generic_network_ports accordingly
  seboolean:
    name: telepathy_tcp_connect_generic_network_ports
    state: '{{ var_telepathy_tcp_connect_generic_network_ports }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_telepathy_tcp_connect_generic_network_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the rsync_export_all_ro SELinux Boolean

By default, the SELinux boolean rsync_export_all_ro is disabled.
If this setting is enabled, it should be disabled.
To disable the rsync_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P rsync_export_all_ro off

Remediation Shell script:
var_rsync_export_all_ro="off"
setsebool -P rsync_export_all_ro $var_rsync_export_all_ro

Remediation Ansible snippet:
- name: XCCDF Value var_rsync_export_all_ro # promote to variable
  set_fact:
    var_rsync_export_all_ro: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_rsync_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean rsync_export_all_ro accordingly
  seboolean:
    name: rsync_export_all_ro
    state: '{{ var_rsync_export_all_ro }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_rsync_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the fcron_crond SELinux Boolean

By default, the SELinux boolean fcron_crond is disabled.
If this setting is enabled, it should be disabled.
To disable the fcron_crond SELinux boolean, run the following command:
$ sudo setsebool -P fcron_crond off

Remediation Shell script:
var_fcron_crond="off"
setsebool -P fcron_crond $var_fcron_crond

Remediation Ansible snippet:
- name: XCCDF Value var_fcron_crond # promote to variable
  set_fact:
    var_fcron_crond: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_fcron_crond
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean fcron_crond accordingly
  seboolean:
    name: fcron_crond
    state: '{{ var_fcron_crond }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_fcron_crond
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the nfsd_anon_write SELinux Boolean

By default, the SELinux boolean nfsd_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the nfsd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P nfsd_anon_write off

Remediation Shell script:
var_nfsd_anon_write="off"
setsebool -P nfsd_anon_write $var_nfsd_anon_write

Remediation Ansible snippet:
- name: XCCDF Value var_nfsd_anon_write # promote to variable
  set_fact:
    var_nfsd_anon_write: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nfsd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean nfsd_anon_write accordingly
  seboolean:
    name: nfsd_anon_write
    state: '{{ var_nfsd_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nfsd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the webadm_read_user_files SELinux Boolean

By default, the SELinux boolean webadm_read_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the webadm_read_user_files SELinux boolean, run the following command:
$ sudo setsebool -P webadm_read_user_files off

Remediation Shell script:
var_webadm_read_user_files="off"
setsebool -P webadm_read_user_files $var_webadm_read_user_files

Remediation Ansible snippet:
- name: XCCDF Value var_webadm_read_user_files # promote to variable
  set_fact:
    var_webadm_read_user_files: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_webadm_read_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean webadm_read_user_files accordingly
  seboolean:
    name: webadm_read_user_files
    state: '{{ var_webadm_read_user_files }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_webadm_read_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_dbus_sssd SELinux Boolean

By default, the SELinux boolean httpd_dbus_sssd is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_dbus_sssd SELinux boolean, run the following command:
$ sudo setsebool -P httpd_dbus_sssd off

Remediation Shell script:
var_httpd_dbus_sssd="off"
setsebool -P httpd_dbus_sssd $var_httpd_dbus_sssd

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_dbus_sssd # promote to variable
  set_fact:
    var_httpd_dbus_sssd: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_dbus_sssd
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_dbus_sssd accordingly
  seboolean:
    name: httpd_dbus_sssd
    state: '{{ var_httpd_dbus_sssd }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_dbus_sssd
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the xguest_connect_network SELinux Boolean

By default, the SELinux boolean xguest_connect_network is enabled.
This setting should be disabled, as guest users should not be able to configure NetworkManager.
To disable the xguest_connect_network SELinux boolean, run the following command:
$ sudo setsebool -P xguest_connect_network off

Identifiers: CCE-82337-7

Remediation Shell script:
var_xguest_connect_network="off"
setsebool -P xguest_connect_network $var_xguest_connect_network

Remediation Ansible snippet:
- name: XCCDF Value var_xguest_connect_network # promote to variable
  set_fact:
    var_xguest_connect_network: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xguest_connect_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82337-7

- name: Set SELinux boolean xguest_connect_network accordingly
  seboolean:
    name: xguest_connect_network
    state: '{{ var_xguest_connect_network }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xguest_connect_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82337-7
Disable the httpd_manage_ipa SELinux Boolean

By default, the SELinux boolean httpd_manage_ipa is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_manage_ipa SELinux boolean, run the following command:
$ sudo setsebool -P httpd_manage_ipa off

Remediation Shell script:
var_httpd_manage_ipa="off"
setsebool -P httpd_manage_ipa $var_httpd_manage_ipa

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_manage_ipa # promote to variable
  set_fact:
    var_httpd_manage_ipa: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_manage_ipa
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_manage_ipa accordingly
  seboolean:
    name: httpd_manage_ipa
    state: '{{ var_httpd_manage_ipa }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_manage_ipa
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the haproxy_connect_any SELinux Boolean

By default, the SELinux boolean haproxy_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the haproxy_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P haproxy_connect_any off

Remediation Shell script:
var_haproxy_connect_any="off"
setsebool -P haproxy_connect_any $var_haproxy_connect_any

Remediation Ansible snippet:
- name: XCCDF Value var_haproxy_connect_any # promote to variable
  set_fact:
    var_haproxy_connect_any: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_haproxy_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean haproxy_connect_any accordingly
  seboolean:
    name: haproxy_connect_any
    state: '{{ var_haproxy_connect_any }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_haproxy_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_setrlimit SELinux Boolean

By default, the SELinux boolean httpd_setrlimit is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_setrlimit SELinux boolean, run the following command:
$ sudo setsebool -P httpd_setrlimit off

Remediation Shell script:
var_httpd_setrlimit="off"
setsebool -P httpd_setrlimit $var_httpd_setrlimit

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_setrlimit # promote to variable
  set_fact:
    var_httpd_setrlimit: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_setrlimit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_setrlimit accordingly
  seboolean:
    name: httpd_setrlimit
    state: '{{ var_httpd_setrlimit }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_setrlimit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the antivirus_use_jit SELinux Boolean

By default, the SELinux boolean antivirus_use_jit is disabled.
If this setting is enabled, it should be disabled.
To disable the antivirus_use_jit SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_use_jit off

References: NIST 800-171 3.7.2
Identifiers: CCE-80423-7

Remediation Shell script:
var_antivirus_use_jit="off"
setsebool -P antivirus_use_jit $var_antivirus_use_jit

Remediation Ansible snippet:
- name: XCCDF Value var_antivirus_use_jit # promote to variable
  set_fact:
    var_antivirus_use_jit: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_antivirus_use_jit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80423-7
    - NIST-800-171-3.7.2

- name: Set SELinux boolean antivirus_use_jit accordingly
  seboolean:
    name: antivirus_use_jit
    state: '{{ var_antivirus_use_jit }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_antivirus_use_jit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80423-7
    - NIST-800-171-3.7.2
Disable the rsync_full_access SELinux Boolean

By default, the SELinux boolean rsync_full_access is disabled.
If this setting is enabled, it should be disabled.
To disable the rsync_full_access SELinux boolean, run the following command:
$ sudo setsebool -P rsync_full_access off

Remediation Shell script:
var_rsync_full_access="off"
setsebool -P rsync_full_access $var_rsync_full_access

Remediation Ansible snippet:
- name: XCCDF Value var_rsync_full_access # promote to variable
  set_fact:
    var_rsync_full_access: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_rsync_full_access
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean rsync_full_access accordingly
  seboolean:
    name: rsync_full_access
    state: '{{ var_rsync_full_access }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_rsync_full_access
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_can_network_memcache SELinux Boolean

By default, the SELinux boolean httpd_can_network_memcache is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_memcache SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_memcache off

Remediation Shell script:
var_httpd_can_network_memcache="off"
setsebool -P httpd_can_network_memcache $var_httpd_can_network_memcache

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_can_network_memcache # promote to variable
  set_fact:
    var_httpd_can_network_memcache: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_network_memcache
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_can_network_memcache accordingly
  seboolean:
    name: httpd_can_network_memcache
    state: '{{ var_httpd_can_network_memcache }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_network_memcache
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_execmem SELinux Boolean

By default, the SELinux boolean httpd_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_execmem SELinux boolean, run the following command:
$ sudo setsebool -P httpd_execmem off

Remediation Shell script:
var_httpd_execmem="off"
setsebool -P httpd_execmem $var_httpd_execmem

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_execmem # promote to variable
  set_fact:
    var_httpd_execmem: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_execmem accordingly
  seboolean:
    name: httpd_execmem
    state: '{{ var_httpd_execmem }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the selinuxuser_use_ssh_chroot SELinux Boolean

By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_use_ssh_chroot off

Identifiers: CCE-82324-5

Remediation Shell script:
var_selinuxuser_use_ssh_chroot="off"
setsebool -P selinuxuser_use_ssh_chroot $var_selinuxuser_use_ssh_chroot

Remediation Ansible snippet:
- name: XCCDF Value var_selinuxuser_use_ssh_chroot # promote to variable
  set_fact:
    var_selinuxuser_use_ssh_chroot: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_use_ssh_chroot
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82324-5

- name: Set SELinux boolean selinuxuser_use_ssh_chroot accordingly
  seboolean:
    name: selinuxuser_use_ssh_chroot
    state: '{{ var_selinuxuser_use_ssh_chroot }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_use_ssh_chroot
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82324-5
Enable the user_exec_content SELinux Boolean

By default, the SELinux boolean user_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the user_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P user_exec_content on

Identifiers: CCE-82332-8

Remediation Shell script:
var_user_exec_content="on"
setsebool -P user_exec_content $var_user_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_user_exec_content # promote to variable
  set_fact:
    var_user_exec_content: !!str on
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_user_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82332-8

- name: Set SELinux boolean user_exec_content accordingly
  seboolean:
    name: user_exec_content
    state: '{{ var_user_exec_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_user_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82332-8
Disable the condor_tcp_network_connect SELinux Boolean

By default, the SELinux boolean condor_tcp_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the condor_tcp_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P condor_tcp_network_connect off

Remediation Shell script:
var_condor_tcp_network_connect="off"
setsebool -P condor_tcp_network_connect $var_condor_tcp_network_connect

Remediation Ansible snippet:
- name: XCCDF Value var_condor_tcp_network_connect # promote to variable
  set_fact:
    var_condor_tcp_network_connect: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_condor_tcp_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean condor_tcp_network_connect accordingly
  seboolean:
    name: condor_tcp_network_connect
    state: '{{ var_condor_tcp_network_connect }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_condor_tcp_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the pppd_can_insmod SELinux Boolean

By default, the SELinux boolean pppd_can_insmod is disabled.
If this setting is enabled, it should be disabled.
To disable the pppd_can_insmod SELinux boolean, run the following command:
$ sudo setsebool -P pppd_can_insmod off

Remediation Shell script:
var_pppd_can_insmod="off"
setsebool -P pppd_can_insmod $var_pppd_can_insmod

Remediation Ansible snippet:
- name: XCCDF Value var_pppd_can_insmod # promote to variable
  set_fact:
    var_pppd_can_insmod: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_pppd_can_insmod
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean pppd_can_insmod accordingly
  seboolean:
    name: pppd_can_insmod
    state: '{{ var_pppd_can_insmod }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_pppd_can_insmod
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the mozilla_plugin_use_spice SELinux Boolean

By default, the SELinux boolean mozilla_plugin_use_spice is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_spice SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_use_spice off

Remediation Shell script:
var_mozilla_plugin_use_spice="off"
setsebool -P mozilla_plugin_use_spice $var_mozilla_plugin_use_spice

Remediation Ansible snippet:
- name: XCCDF Value var_mozilla_plugin_use_spice # promote to variable
  set_fact:
    var_mozilla_plugin_use_spice: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mozilla_plugin_use_spice
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mozilla_plugin_use_spice accordingly
  seboolean:
    name: mozilla_plugin_use_spice
    state: '{{ var_mozilla_plugin_use_spice }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mozilla_plugin_use_spice
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the mpd_use_nfs SELinux Boolean

By default, the SELinux boolean mpd_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the mpd_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P mpd_use_nfs off

Remediation Shell script:
var_mpd_use_nfs="off"
setsebool -P mpd_use_nfs $var_mpd_use_nfs

Remediation Ansible snippet:
- name: XCCDF Value var_mpd_use_nfs # promote to variable
  set_fact:
    var_mpd_use_nfs: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mpd_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mpd_use_nfs accordingly
  seboolean:
    name: mpd_use_nfs
    state: '{{ var_mpd_use_nfs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mpd_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_read_user_content SELinux Boolean

By default, the SELinux boolean httpd_read_user_content is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_read_user_content SELinux boolean, run the following command:
$ sudo setsebool -P httpd_read_user_content off

Remediation Shell script:
var_httpd_read_user_content="off"
setsebool -P httpd_read_user_content $var_httpd_read_user_content

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_read_user_content # promote to variable
  set_fact:
    var_httpd_read_user_content: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_read_user_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_read_user_content accordingly
  seboolean:
    name: httpd_read_user_content
    state: '{{ var_httpd_read_user_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_read_user_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the rsync_client SELinux Boolean

By default, the SELinux boolean rsync_client is disabled.
If this setting is enabled, it should be disabled.
To disable the rsync_client SELinux boolean, run the following command:
$ sudo setsebool -P rsync_client off

Remediation Shell script:
var_rsync_client="off"
setsebool -P rsync_client $var_rsync_client

Remediation Ansible snippet:
- name: XCCDF Value var_rsync_client # promote to variable
  set_fact:
    var_rsync_client: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_rsync_client
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean rsync_client accordingly
  seboolean:
    name: rsync_client
    state: '{{ var_rsync_client }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_rsync_client
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the nagios_run_pnp4nagios SELinux Boolean

By default, the SELinux boolean nagios_run_pnp4nagios is disabled.
If this setting is enabled, it should be disabled.
To disable the nagios_run_pnp4nagios SELinux boolean, run the following command:
$ sudo setsebool -P nagios_run_pnp4nagios off

Remediation Shell script:
var_nagios_run_pnp4nagios="off"
setsebool -P nagios_run_pnp4nagios $var_nagios_run_pnp4nagios

Remediation Ansible snippet:
- name: XCCDF Value var_nagios_run_pnp4nagios # promote to variable
  set_fact:
    var_nagios_run_pnp4nagios: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nagios_run_pnp4nagios
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean nagios_run_pnp4nagios accordingly
  seboolean:
    name: nagios_run_pnp4nagios
    state: '{{ var_nagios_run_pnp4nagios }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nagios_run_pnp4nagios
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the deny_ptrace SELinux Boolean

By default, the SELinux boolean deny_ptrace is disabled.
If this setting is enabled, it should be disabled.
To disable the deny_ptrace SELinux boolean, run the following command:
$ sudo setsebool -P deny_ptrace off

Identifiers: CCE-82291-6

Remediation Shell script:
var_deny_ptrace="off"
setsebool -P deny_ptrace $var_deny_ptrace

Remediation Ansible snippet:
- name: XCCDF Value var_deny_ptrace # promote to variable
  set_fact:
    var_deny_ptrace: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_deny_ptrace
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82291-6

- name: Set SELinux boolean deny_ptrace accordingly
  seboolean:
    name: deny_ptrace
    state: '{{ var_deny_ptrace }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_deny_ptrace
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82291-6
Enable the nfs_export_all_rw SELinux Boolean

By default, the SELinux boolean nfs_export_all_rw is enabled.
If this setting is disabled, it should be enabled, as it allows NFS to export read/write mounts.
To enable the nfs_export_all_rw SELinux boolean, run the following command:
$ sudo setsebool -P nfs_export_all_rw on

Remediation Shell script:
var_nfs_export_all_rw="on"
setsebool -P nfs_export_all_rw $var_nfs_export_all_rw

Remediation Ansible snippet:
- name: XCCDF Value var_nfs_export_all_rw # promote to variable
  set_fact:
    var_nfs_export_all_rw: !!str on
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nfs_export_all_rw
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean nfs_export_all_rw accordingly
  seboolean:
    name: nfs_export_all_rw
    state: '{{ var_nfs_export_all_rw }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nfs_export_all_rw
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the guest_exec_content SELinux Boolean

By default, the SELinux boolean guest_exec_content is enabled.
This setting should be disabled, as no guest accounts should be used.
To disable the guest_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P guest_exec_content off

Identifiers: CCE-82295-7

Remediation Shell script:
var_guest_exec_content="off"
setsebool -P guest_exec_content $var_guest_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_guest_exec_content # promote to variable
  set_fact:
    var_guest_exec_content: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_guest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82295-7

- name: Set SELinux boolean guest_exec_content accordingly
  seboolean:
    name: guest_exec_content
    state: '{{ var_guest_exec_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_guest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82295-7
Disable the httpd_run_ipa SELinux Boolean

By default, the SELinux boolean httpd_run_ipa is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_run_ipa SELinux boolean, run the following command:
$ sudo setsebool -P httpd_run_ipa off

Remediation Shell script:
var_httpd_run_ipa="off"
setsebool -P httpd_run_ipa $var_httpd_run_ipa

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_run_ipa # promote to variable
  set_fact:
    var_httpd_run_ipa: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_run_ipa
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_run_ipa accordingly
  seboolean:
    name: httpd_run_ipa
    state: '{{ var_httpd_run_ipa }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_run_ipa
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the virt_sandbox_use_audit SELinux Boolean
By default, the SELinux boolean virt_sandbox_use_audit is enabled.
If this setting is disabled, it should be enabled to allow sandboxed containers
to send audit messages.
To enable the virt_sandbox_use_audit SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_audit on
var_virt_sandbox_use_audit="on"
setsebool -P virt_sandbox_use_audit $var_virt_sandbox_use_audit
- name: XCCDF Value var_virt_sandbox_use_audit # promote to variable
set_fact:
var_virt_sandbox_use_audit: !!str on
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_sandbox_use_audit
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_sandbox_use_audit accordingly
seboolean:
name: virt_sandbox_use_audit
state: '{{ var_virt_sandbox_use_audit }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_sandbox_use_audit
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the mozilla_read_content SELinux Boolean
By default, the SELinux boolean mozilla_read_content is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_read_content SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_read_content off
var_mozilla_read_content="off"
setsebool -P mozilla_read_content $var_mozilla_read_content
- name: XCCDF Value var_mozilla_read_content # promote to variable
set_fact:
var_mozilla_read_content: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mozilla_read_content
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean mozilla_read_content accordingly
seboolean:
name: mozilla_read_content
state: '{{ var_mozilla_read_content }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mozilla_read_content
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the xserver_object_manager SELinux Boolean
By default, the SELinux boolean xserver_object_manager is disabled.
If this setting is enabled, it should be disabled.
To disable the xserver_object_manager SELinux boolean, run the following command:
$ sudo setsebool -P xserver_object_manager off
Identifiers: CCE-82346-8
var_xserver_object_manager="off"
setsebool -P xserver_object_manager $var_xserver_object_manager
- name: XCCDF Value var_xserver_object_manager # promote to variable
set_fact:
var_xserver_object_manager: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_xserver_object_manager
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82346-8
- name: Set SELinux boolean xserver_object_manager accordingly
seboolean:
name: xserver_object_manager
state: '{{ var_xserver_object_manager }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_xserver_object_manager
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82346-8
Disable the virt_transition_userdomain SELinux Boolean
By default, the SELinux boolean virt_transition_userdomain is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_transition_userdomain SELinux boolean, run the following command:
$ sudo setsebool -P virt_transition_userdomain off
var_virt_transition_userdomain="off"
setsebool -P virt_transition_userdomain $var_virt_transition_userdomain
- name: XCCDF Value var_virt_transition_userdomain # promote to variable
set_fact:
var_virt_transition_userdomain: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_transition_userdomain
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_transition_userdomain accordingly
seboolean:
name: virt_transition_userdomain
state: '{{ var_virt_transition_userdomain }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_transition_userdomain
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the httpd_tty_comm SELinux Boolean
By default, the SELinux boolean httpd_tty_comm is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_tty_comm SELinux boolean, run the following command:
$ sudo setsebool -P httpd_tty_comm off
var_httpd_tty_comm="off"
setsebool -P httpd_tty_comm $var_httpd_tty_comm
- name: XCCDF Value var_httpd_tty_comm # promote to variable
set_fact:
var_httpd_tty_comm: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_tty_comm
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_tty_comm accordingly
seboolean:
name: httpd_tty_comm
state: '{{ var_httpd_tty_comm }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_tty_comm
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the collectd_tcp_network_connect SELinux Boolean
By default, the SELinux boolean collectd_tcp_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the collectd_tcp_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P collectd_tcp_network_connect off
var_collectd_tcp_network_connect="off"
setsebool -P collectd_tcp_network_connect $var_collectd_tcp_network_connect
- name: XCCDF Value var_collectd_tcp_network_connect # promote to variable
set_fact:
var_collectd_tcp_network_connect: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_collectd_tcp_network_connect
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean collectd_tcp_network_connect accordingly
seboolean:
name: collectd_tcp_network_connect
state: '{{ var_collectd_tcp_network_connect }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_collectd_tcp_network_connect
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the xdm_sysadm_login SELinux Boolean
By default, the SELinux boolean xdm_sysadm_login is disabled.
If this setting is enabled, it should be disabled.
To disable the xdm_sysadm_login SELinux boolean, run the following command:
$ sudo setsebool -P xdm_sysadm_login off
Identifiers: CCE-82335-1
var_xdm_sysadm_login="off"
setsebool -P xdm_sysadm_login $var_xdm_sysadm_login
- name: XCCDF Value var_xdm_sysadm_login # promote to variable
set_fact:
var_xdm_sysadm_login: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_xdm_sysadm_login
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82335-1
- name: Set SELinux boolean xdm_sysadm_login accordingly
seboolean:
name: xdm_sysadm_login
state: '{{ var_xdm_sysadm_login }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_xdm_sysadm_login
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82335-1
Disable the pcp_read_generic_logs SELinux Boolean
By default, the SELinux boolean pcp_read_generic_logs is disabled.
If this setting is enabled, it should be disabled.
To disable the pcp_read_generic_logs SELinux boolean, run the following command:
$ sudo setsebool -P pcp_read_generic_logs off
var_pcp_read_generic_logs="off"
setsebool -P pcp_read_generic_logs $var_pcp_read_generic_logs
- name: XCCDF Value var_pcp_read_generic_logs # promote to variable
set_fact:
var_pcp_read_generic_logs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_pcp_read_generic_logs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean pcp_read_generic_logs accordingly
seboolean:
name: pcp_read_generic_logs
state: '{{ var_pcp_read_generic_logs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_pcp_read_generic_logs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean
By default, the SELinux boolean polipo_session_bind_all_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_session_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P polipo_session_bind_all_unreserved_ports off
var_polipo_session_bind_all_unreserved_ports="off"
setsebool -P polipo_session_bind_all_unreserved_ports $var_polipo_session_bind_all_unreserved_ports
- name: XCCDF Value var_polipo_session_bind_all_unreserved_ports # promote to variable
set_fact:
var_polipo_session_bind_all_unreserved_ports: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_polipo_session_bind_all_unreserved_ports
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean polipo_session_bind_all_unreserved_ports accordingly
seboolean:
name: polipo_session_bind_all_unreserved_ports
state: '{{ var_polipo_session_bind_all_unreserved_ports }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_polipo_session_bind_all_unreserved_ports
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Enable the postgresql_selinux_users_ddl SELinux Boolean
By default, the SELinux boolean postgresql_selinux_users_ddl is enabled.
If this setting is disabled, it should be enabled as it allows Database Administrators to
execute Data Definition Language (DDL) statements.
To enable the postgresql_selinux_users_ddl SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_selinux_users_ddl on
var_postgresql_selinux_users_ddl="on"
setsebool -P postgresql_selinux_users_ddl $var_postgresql_selinux_users_ddl
- name: XCCDF Value var_postgresql_selinux_users_ddl # promote to variable
set_fact:
var_postgresql_selinux_users_ddl: !!str on
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_postgresql_selinux_users_ddl
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean postgresql_selinux_users_ddl accordingly
seboolean:
name: postgresql_selinux_users_ddl
state: '{{ var_postgresql_selinux_users_ddl }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_postgresql_selinux_users_ddl
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the spamassassin_can_network SELinux Boolean
By default, the SELinux boolean spamassassin_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the spamassassin_can_network SELinux boolean, run the following command:
$ sudo setsebool -P spamassassin_can_network off
var_spamassassin_can_network="off"
setsebool -P spamassassin_can_network $var_spamassassin_can_network
- name: XCCDF Value var_spamassassin_can_network # promote to variable
set_fact:
var_spamassassin_can_network: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_spamassassin_can_network
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean spamassassin_can_network accordingly
seboolean:
name: spamassassin_can_network
state: '{{ var_spamassassin_can_network }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_spamassassin_can_network
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the ftpd_use_passive_mode SELinux Boolean
By default, the SELinux boolean ftpd_use_passive_mode is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_use_passive_mode SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_passive_mode off
var_ftpd_use_passive_mode="off"
setsebool -P ftpd_use_passive_mode $var_ftpd_use_passive_mode
- name: XCCDF Value var_ftpd_use_passive_mode # promote to variable
set_fact:
var_ftpd_use_passive_mode: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ftpd_use_passive_mode
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean ftpd_use_passive_mode accordingly
seboolean:
name: ftpd_use_passive_mode
state: '{{ var_ftpd_use_passive_mode }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ftpd_use_passive_mode
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the git_system_use_nfs SELinux Boolean
By default, the SELinux boolean git_system_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_system_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P git_system_use_nfs off
var_git_system_use_nfs="off"
setsebool -P git_system_use_nfs $var_git_system_use_nfs
- name: XCCDF Value var_git_system_use_nfs # promote to variable
set_fact:
var_git_system_use_nfs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_git_system_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean git_system_use_nfs accordingly
seboolean:
name: git_system_use_nfs
state: '{{ var_git_system_use_nfs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_git_system_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the virt_use_usb SELinux Boolean
By default, the SELinux boolean virt_use_usb is enabled.
This setting should be disabled.
To disable the virt_use_usb SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_usb off
var_virt_use_usb="off"
setsebool -P virt_use_usb $var_virt_use_usb
- name: XCCDF Value var_virt_use_usb # promote to variable
set_fact:
var_virt_use_usb: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_usb
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_use_usb accordingly
seboolean:
name: virt_use_usb
state: '{{ var_virt_use_usb }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_usb
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the nis_enabled SELinux Boolean
By default, the SELinux boolean nis_enabled is disabled.
If this setting is enabled, it should be disabled.
To disable the nis_enabled SELinux boolean, run the following command:
$ sudo setsebool -P nis_enabled off
var_nis_enabled="off"
setsebool -P nis_enabled $var_nis_enabled
- name: XCCDF Value var_nis_enabled # promote to variable
set_fact:
var_nis_enabled: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_nis_enabled
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean nis_enabled accordingly
seboolean:
name: nis_enabled
state: '{{ var_nis_enabled }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_nis_enabled
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the selinuxuser_mysql_connect_enabled SELinux Boolean
By default, the SELinux boolean selinuxuser_mysql_connect_enabled is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_mysql_connect_enabled off
Identifiers: CCE-82317-9
var_selinuxuser_mysql_connect_enabled="off"
setsebool -P selinuxuser_mysql_connect_enabled $var_selinuxuser_mysql_connect_enabled
- name: XCCDF Value var_selinuxuser_mysql_connect_enabled # promote to variable
set_fact:
var_selinuxuser_mysql_connect_enabled: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_selinuxuser_mysql_connect_enabled
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82317-9
- name: Set SELinux boolean selinuxuser_mysql_connect_enabled accordingly
seboolean:
name: selinuxuser_mysql_connect_enabled
state: '{{ var_selinuxuser_mysql_connect_enabled }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_selinuxuser_mysql_connect_enabled
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82317-9
Disable the samba_share_fusefs SELinux Boolean
By default, the SELinux boolean samba_share_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_share_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P samba_share_fusefs off
var_samba_share_fusefs="off"
setsebool -P samba_share_fusefs $var_samba_share_fusefs
- name: XCCDF Value var_samba_share_fusefs # promote to variable
set_fact:
var_samba_share_fusefs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_share_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean samba_share_fusefs accordingly
seboolean:
name: samba_share_fusefs
state: '{{ var_samba_share_fusefs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_share_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the httpd_enable_ftp_server SELinux Boolean
By default, the SELinux boolean httpd_enable_ftp_server is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_enable_ftp_server SELinux boolean, run the following command:
$ sudo setsebool -P httpd_enable_ftp_server off
var_httpd_enable_ftp_server="off"
setsebool -P httpd_enable_ftp_server $var_httpd_enable_ftp_server
- name: XCCDF Value var_httpd_enable_ftp_server # promote to variable
set_fact:
var_httpd_enable_ftp_server: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_enable_ftp_server
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_enable_ftp_server accordingly
seboolean:
name: httpd_enable_ftp_server
state: '{{ var_httpd_enable_ftp_server }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_enable_ftp_server
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the pppd_for_user SELinux Boolean
By default, the SELinux boolean pppd_for_user is disabled.
If this setting is enabled, it should be disabled.
To disable the pppd_for_user SELinux boolean, run the following command:
$ sudo setsebool -P pppd_for_user off
var_pppd_for_user="off"
setsebool -P pppd_for_user $var_pppd_for_user
- name: XCCDF Value var_pppd_for_user # promote to variable
set_fact:
var_pppd_for_user: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_pppd_for_user
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean pppd_for_user accordingly
seboolean:
name: pppd_for_user
state: '{{ var_pppd_for_user }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_pppd_for_user
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the virt_sandbox_use_all_caps SELinux Boolean
By default, the SELinux boolean virt_sandbox_use_all_caps is enabled.
This setting should be disabled, as containers should not run with privileges.
To disable the virt_sandbox_use_all_caps SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_all_caps off
var_virt_sandbox_use_all_caps="off"
setsebool -P virt_sandbox_use_all_caps $var_virt_sandbox_use_all_caps
- name: XCCDF Value var_virt_sandbox_use_all_caps # promote to variable
set_fact:
var_virt_sandbox_use_all_caps: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_sandbox_use_all_caps
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_sandbox_use_all_caps accordingly
seboolean:
name: virt_sandbox_use_all_caps
state: '{{ var_virt_sandbox_use_all_caps }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_sandbox_use_all_caps
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the mozilla_plugin_use_gps SELinux Boolean
By default, the SELinux boolean mozilla_plugin_use_gps is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_gps SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_use_gps off
var_mozilla_plugin_use_gps="off"
setsebool -P mozilla_plugin_use_gps $var_mozilla_plugin_use_gps
- name: XCCDF Value var_mozilla_plugin_use_gps # promote to variable
set_fact:
var_mozilla_plugin_use_gps: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mozilla_plugin_use_gps
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean mozilla_plugin_use_gps accordingly
seboolean:
name: mozilla_plugin_use_gps
state: '{{ var_mozilla_plugin_use_gps }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mozilla_plugin_use_gps
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the samba_domain_controller SELinux Boolean
By default, the SELinux boolean samba_domain_controller is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_domain_controller SELinux boolean, run the following command:
$ sudo setsebool -P samba_domain_controller off
var_samba_domain_controller="off"
setsebool -P samba_domain_controller $var_samba_domain_controller
- name: XCCDF Value var_samba_domain_controller # promote to variable
set_fact:
var_samba_domain_controller: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_domain_controller
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean samba_domain_controller accordingly
seboolean:
name: samba_domain_controller
state: '{{ var_samba_domain_controller }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_domain_controller
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the boinc_execmem SELinux Boolean
By default, the SELinux boolean boinc_execmem is enabled.
This setting should be disabled.
To disable the boinc_execmem SELinux boolean, run the following command:
$ sudo setsebool -P boinc_execmem off
References: NIST 800-171 3.7.2
Identifiers: CCE-80429-4
var_boinc_execmem="off"
setsebool -P boinc_execmem $var_boinc_execmem
- name: XCCDF Value var_boinc_execmem # promote to variable
set_fact:
var_boinc_execmem: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_boinc_execmem
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80429-4
- NIST-800-171-3.7.2
- name: Set SELinux boolean boinc_execmem accordingly
seboolean:
name: boinc_execmem
state: '{{ var_boinc_execmem }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_boinc_execmem
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80429-4
- NIST-800-171-3.7.2
Disable the awstats_purge_apache_log_files SELinux Boolean
By default, the SELinux boolean awstats_purge_apache_log_files is disabled.
If this setting is enabled, it should be disabled.
To disable the awstats_purge_apache_log_files SELinux boolean, run the following command:
$ sudo setsebool -P awstats_purge_apache_log_files off
References: NIST 800-171 3.7.2
Identifiers: CCE-80428-6
var_awstats_purge_apache_log_files="off"
setsebool -P awstats_purge_apache_log_files $var_awstats_purge_apache_log_files
- name: XCCDF Value var_awstats_purge_apache_log_files # promote to variable
set_fact:
var_awstats_purge_apache_log_files: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_awstats_purge_apache_log_files
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80428-6
- NIST-800-171-3.7.2
- name: Set SELinux boolean awstats_purge_apache_log_files accordingly
seboolean:
name: awstats_purge_apache_log_files
state: '{{ var_awstats_purge_apache_log_files }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_awstats_purge_apache_log_files
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80428-6
- NIST-800-171-3.7.2
Disable the tmpreaper_use_nfs SELinux Boolean
By default, the SELinux boolean tmpreaper_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the tmpreaper_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P tmpreaper_use_nfs off
var_tmpreaper_use_nfs="off"
setsebool -P tmpreaper_use_nfs $var_tmpreaper_use_nfs
- name: XCCDF Value var_tmpreaper_use_nfs # promote to variable
set_fact:
var_tmpreaper_use_nfs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_tmpreaper_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean tmpreaper_use_nfs accordingly
seboolean:
name: tmpreaper_use_nfs
state: '{{ var_tmpreaper_use_nfs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_tmpreaper_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the httpd_can_network_relay SELinux Boolean
By default, the SELinux boolean httpd_can_network_relay is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_relay SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_relay off
var_httpd_can_network_relay="off"
setsebool -P httpd_can_network_relay $var_httpd_can_network_relay
- name: XCCDF Value var_httpd_can_network_relay # promote to variable
set_fact:
var_httpd_can_network_relay: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_can_network_relay
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_can_network_relay accordingly
seboolean:
name: httpd_can_network_relay
state: '{{ var_httpd_can_network_relay }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_can_network_relay
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the ssh_keysign SELinux Boolean
By default, the SELinux boolean ssh_keysign is disabled.
If this setting is enabled, it should be disabled.
To disable the ssh_keysign SELinux boolean, run the following command:
$ sudo setsebool -P ssh_keysign off
CCE-82326-0
var_ssh_keysign="false"
setsebool -P ssh_keysign $var_ssh_keysign
- name: XCCDF Value var_ssh_keysign # promote to variable
set_fact:
var_ssh_keysign: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ssh_keysign
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82326-0
- name: Set SELinux boolean ssh_keysign accordingly
seboolean:
name: ssh_keysign
state: '{{ var_ssh_keysign }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ssh_keysign
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82326-0
Disable the httpd_tmp_exec SELinux Boolean
By default, the SELinux boolean httpd_tmp_exec is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_tmp_exec SELinux boolean, run the following command:
$ sudo setsebool -P httpd_tmp_exec off
var_httpd_tmp_exec="false"
setsebool -P httpd_tmp_exec $var_httpd_tmp_exec
- name: XCCDF Value var_httpd_tmp_exec # promote to variable
set_fact:
var_httpd_tmp_exec: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_tmp_exec
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_tmp_exec accordingly
seboolean:
name: httpd_tmp_exec
state: '{{ var_httpd_tmp_exec }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_tmp_exec
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the httpd_use_fusefs SELinux Boolean
By default, the SELinux boolean httpd_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_fusefs off
var_httpd_use_fusefs="false"
setsebool -P httpd_use_fusefs $var_httpd_use_fusefs
- name: XCCDF Value var_httpd_use_fusefs # promote to variable
set_fact:
var_httpd_use_fusefs: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_use_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_use_fusefs accordingly
seboolean:
name: httpd_use_fusefs
state: '{{ var_httpd_use_fusefs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_use_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Enable the staff_exec_content SELinux Boolean
By default, the SELinux boolean staff_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the staff_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P staff_exec_content on
CCE-82328-6
var_staff_exec_content="true"
setsebool -P staff_exec_content $var_staff_exec_content
- name: XCCDF Value var_staff_exec_content # promote to variable
set_fact:
var_staff_exec_content: !!str true
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_staff_exec_content
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82328-6
- name: Set SELinux boolean staff_exec_content accordingly
seboolean:
name: staff_exec_content
state: '{{ var_staff_exec_content }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_staff_exec_content
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82328-6
Disable the sge_domain_can_network_connect SELinux Boolean
By default, the SELinux boolean sge_domain_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the sge_domain_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P sge_domain_can_network_connect off
var_sge_domain_can_network_connect="false"
setsebool -P sge_domain_can_network_connect $var_sge_domain_can_network_connect
- name: XCCDF Value var_sge_domain_can_network_connect # promote to variable
set_fact:
var_sge_domain_can_network_connect: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_sge_domain_can_network_connect
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean sge_domain_can_network_connect accordingly
seboolean:
name: sge_domain_can_network_connect
state: '{{ var_sge_domain_can_network_connect }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_sge_domain_can_network_connect
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the global_ssp SELinux Boolean
By default, the SELinux boolean global_ssp is disabled.
If this setting is enabled, it should be disabled.
To disable the global_ssp SELinux boolean, run the following command:
$ sudo setsebool -P global_ssp off
var_global_ssp="false"
setsebool -P global_ssp $var_global_ssp
- name: XCCDF Value var_global_ssp # promote to variable
set_fact:
var_global_ssp: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_global_ssp
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean global_ssp accordingly
seboolean:
name: global_ssp
state: '{{ var_global_ssp }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_global_ssp
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the virt_use_fusefs SELinux Boolean
By default, the SELinux boolean virt_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_fusefs off
var_virt_use_fusefs="false"
setsebool -P virt_use_fusefs $var_virt_use_fusefs
- name: XCCDF Value var_virt_use_fusefs # promote to variable
set_fact:
var_virt_use_fusefs: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_use_fusefs accordingly
seboolean:
name: virt_use_fusefs
state: '{{ var_virt_use_fusefs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the gluster_anon_write SELinux Boolean
By default, the SELinux boolean gluster_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the gluster_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P gluster_anon_write off
var_gluster_anon_write="false"
setsebool -P gluster_anon_write $var_gluster_anon_write
- name: XCCDF Value var_gluster_anon_write # promote to variable
set_fact:
var_gluster_anon_write: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_gluster_anon_write
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean gluster_anon_write accordingly
seboolean:
name: gluster_anon_write
state: '{{ var_gluster_anon_write }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_gluster_anon_write
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the wine_mmap_zero_ignore SELinux Boolean
By default, the SELinux boolean wine_mmap_zero_ignore is disabled.
If this setting is enabled, it should be disabled.
To disable the wine_mmap_zero_ignore SELinux boolean, run the following command:
$ sudo setsebool -P wine_mmap_zero_ignore off
var_wine_mmap_zero_ignore="false"
setsebool -P wine_mmap_zero_ignore $var_wine_mmap_zero_ignore
- name: XCCDF Value var_wine_mmap_zero_ignore # promote to variable
set_fact:
var_wine_mmap_zero_ignore: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_wine_mmap_zero_ignore
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean wine_mmap_zero_ignore accordingly
seboolean:
name: wine_mmap_zero_ignore
state: '{{ var_wine_mmap_zero_ignore }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_wine_mmap_zero_ignore
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the fenced_can_network_connect SELinux Boolean
By default, the SELinux boolean fenced_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the fenced_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P fenced_can_network_connect off
var_fenced_can_network_connect="false"
setsebool -P fenced_can_network_connect $var_fenced_can_network_connect
- name: XCCDF Value var_fenced_can_network_connect # promote to variable
set_fact:
var_fenced_can_network_connect: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_fenced_can_network_connect
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean fenced_can_network_connect accordingly
seboolean:
name: fenced_can_network_connect
state: '{{ var_fenced_can_network_connect }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_fenced_can_network_connect
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the rsync_anon_write SELinux Boolean
By default, the SELinux boolean rsync_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the rsync_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P rsync_anon_write off
var_rsync_anon_write="false"
setsebool -P rsync_anon_write $var_rsync_anon_write
- name: XCCDF Value var_rsync_anon_write # promote to variable
set_fact:
var_rsync_anon_write: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_rsync_anon_write
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean rsync_anon_write accordingly
seboolean:
name: rsync_anon_write
state: '{{ var_rsync_anon_write }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_rsync_anon_write
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the zabbix_can_network SELinux Boolean
By default, the SELinux boolean zabbix_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the zabbix_can_network SELinux boolean, run the following command:
$ sudo setsebool -P zabbix_can_network off
var_zabbix_can_network="false"
setsebool -P zabbix_can_network $var_zabbix_can_network
- name: XCCDF Value var_zabbix_can_network # promote to variable
set_fact:
var_zabbix_can_network: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_zabbix_can_network
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean zabbix_can_network accordingly
seboolean:
name: zabbix_can_network
state: '{{ var_zabbix_can_network }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_zabbix_can_network
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the virt_use_nfs SELinux Boolean
By default, the SELinux boolean virt_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_nfs off
var_virt_use_nfs="false"
setsebool -P virt_use_nfs $var_virt_use_nfs
- name: XCCDF Value var_virt_use_nfs # promote to variable
set_fact:
var_virt_use_nfs: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_use_nfs accordingly
seboolean:
name: virt_use_nfs
state: '{{ var_virt_use_nfs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the prosody_bind_http_port SELinux Boolean
By default, the SELinux boolean prosody_bind_http_port is disabled.
If this setting is enabled, it should be disabled.
To disable the prosody_bind_http_port SELinux boolean, run the following command:
$ sudo setsebool -P prosody_bind_http_port off
var_prosody_bind_http_port="false"
setsebool -P prosody_bind_http_port $var_prosody_bind_http_port
- name: XCCDF Value var_prosody_bind_http_port # promote to variable
set_fact:
var_prosody_bind_http_port: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_prosody_bind_http_port
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean prosody_bind_http_port accordingly
seboolean:
name: prosody_bind_http_port
state: '{{ var_prosody_bind_http_port }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_prosody_bind_http_port
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the xen_use_nfs SELinux Boolean
By default, the SELinux boolean xen_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the xen_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P xen_use_nfs off
var_xen_use_nfs="false"
setsebool -P xen_use_nfs $var_xen_use_nfs
- name: XCCDF Value var_xen_use_nfs # promote to variable
set_fact:
var_xen_use_nfs: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_xen_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean xen_use_nfs accordingly
seboolean:
name: xen_use_nfs
state: '{{ var_xen_use_nfs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_xen_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Enable the cron_userdomain_transition SELinux Boolean
By default, the SELinux boolean cron_userdomain_transition is enabled.
This setting should be enabled so that end-user cron jobs run in the user's
associated user domain(s) instead of the general cron job domain.
To enable the cron_userdomain_transition SELinux boolean, run the following command:
$ sudo setsebool -P cron_userdomain_transition on
CCE-82286-6
var_cron_userdomain_transition="true"
setsebool -P cron_userdomain_transition $var_cron_userdomain_transition
- name: XCCDF Value var_cron_userdomain_transition # promote to variable
set_fact:
var_cron_userdomain_transition: !!str true
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_cron_userdomain_transition
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82286-6
- name: Set SELinux boolean cron_userdomain_transition accordingly
seboolean:
name: cron_userdomain_transition
state: '{{ var_cron_userdomain_transition }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_cron_userdomain_transition
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82286-6
Disable the container_connect_any SELinux Boolean
By default, the SELinux boolean container_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the container_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P container_connect_any off
var_container_connect_any="false"
setsebool -P container_connect_any $var_container_connect_any
- name: XCCDF Value var_container_connect_any # promote to variable
set_fact:
var_container_connect_any: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_container_connect_any
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean container_connect_any accordingly
seboolean:
name: container_connect_any
state: '{{ var_container_connect_any }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_container_connect_any
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the git_cgi_use_nfs SELinux Boolean
By default, the SELinux boolean git_cgi_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_cgi_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P git_cgi_use_nfs off
var_git_cgi_use_nfs="false"
setsebool -P git_cgi_use_nfs $var_git_cgi_use_nfs
- name: XCCDF Value var_git_cgi_use_nfs # promote to variable
set_fact:
var_git_cgi_use_nfs: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_git_cgi_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean git_cgi_use_nfs accordingly
seboolean:
name: git_cgi_use_nfs
state: '{{ var_git_cgi_use_nfs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_git_cgi_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the xguest_mount_media SELinux Boolean
By default, the SELinux boolean xguest_mount_media is enabled.
This setting should be disabled, as guest users should not be able to mount
any media.
To disable the xguest_mount_media SELinux boolean, run the following command:
$ sudo setsebool -P xguest_mount_media off
CCE-82339-3
var_xguest_mount_media="false"
setsebool -P xguest_mount_media $var_xguest_mount_media
- name: XCCDF Value var_xguest_mount_media # promote to variable
set_fact:
var_xguest_mount_media: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_xguest_mount_media
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82339-3
- name: Set SELinux boolean xguest_mount_media accordingly
seboolean:
name: xguest_mount_media
state: '{{ var_xguest_mount_media }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_xguest_mount_media
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82339-3
Disable the mysql_connect_any SELinux Boolean
By default, the SELinux boolean mysql_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the mysql_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P mysql_connect_any off
var_mysql_connect_any="false"
setsebool -P mysql_connect_any $var_mysql_connect_any
- name: XCCDF Value var_mysql_connect_any # promote to variable
set_fact:
var_mysql_connect_any: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mysql_connect_any
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean mysql_connect_any accordingly
seboolean:
name: mysql_connect_any
state: '{{ var_mysql_connect_any }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mysql_connect_any
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the lsmd_plugin_connect_any SELinux Boolean
By default, the SELinux boolean lsmd_plugin_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the lsmd_plugin_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P lsmd_plugin_connect_any off
var_lsmd_plugin_connect_any="false"
setsebool -P lsmd_plugin_connect_any $var_lsmd_plugin_connect_any
- name: XCCDF Value var_lsmd_plugin_connect_any # promote to variable
set_fact:
var_lsmd_plugin_connect_any: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_lsmd_plugin_connect_any
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean lsmd_plugin_connect_any accordingly
seboolean:
name: lsmd_plugin_connect_any
state: '{{ var_lsmd_plugin_connect_any }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_lsmd_plugin_connect_any
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the samba_load_libgfapi SELinux Boolean
By default, the SELinux boolean samba_load_libgfapi is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_load_libgfapi SELinux boolean, run the following command:
$ sudo setsebool -P samba_load_libgfapi off
var_samba_load_libgfapi="false"
setsebool -P samba_load_libgfapi $var_samba_load_libgfapi
- name: XCCDF Value var_samba_load_libgfapi # promote to variable
set_fact:
var_samba_load_libgfapi: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_load_libgfapi
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean samba_load_libgfapi accordingly
seboolean:
name: samba_load_libgfapi
state: '{{ var_samba_load_libgfapi }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_load_libgfapi
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the samba_portmapper SELinux Boolean
By default, the SELinux boolean samba_portmapper is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_portmapper SELinux boolean, run the following command:
$ sudo setsebool -P samba_portmapper off
var_samba_portmapper="false"
setsebool -P samba_portmapper $var_samba_portmapper
- name: XCCDF Value var_samba_portmapper # promote to variable
set_fact:
var_samba_portmapper: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_portmapper
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean samba_portmapper accordingly
seboolean:
name: samba_portmapper
state: '{{ var_samba_portmapper }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_portmapper
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the httpd_run_preupgrade SELinux Boolean
By default, the SELinux boolean httpd_run_preupgrade is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_run_preupgrade SELinux boolean, run the following command:
$ sudo setsebool -P httpd_run_preupgrade off
var_httpd_run_preupgrade="false"
setsebool -P httpd_run_preupgrade $var_httpd_run_preupgrade
- name: XCCDF Value var_httpd_run_preupgrade # promote to variable
set_fact:
var_httpd_run_preupgrade: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_run_preupgrade
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_run_preupgrade accordingly
seboolean:
name: httpd_run_preupgrade
state: '{{ var_httpd_run_preupgrade }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_run_preupgrade
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the virt_use_xserver SELinux Boolean
By default, the SELinux boolean virt_use_xserver is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_xserver SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_xserver off
var_virt_use_xserver="false"
setsebool -P virt_use_xserver $var_virt_use_xserver
- name: XCCDF Value var_virt_use_xserver # promote to variable
set_fact:
var_virt_use_xserver: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_xserver
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_use_xserver accordingly
seboolean:
name: virt_use_xserver
state: '{{ var_virt_use_xserver }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_xserver
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the samba_run_unconfined SELinux Boolean
By default, the SELinux boolean samba_run_unconfined is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_run_unconfined SELinux boolean, run the following command:
$ sudo setsebool -P samba_run_unconfined off
var_samba_run_unconfined="false"
setsebool -P samba_run_unconfined $var_samba_run_unconfined
- name: XCCDF Value var_samba_run_unconfined # promote to variable
set_fact:
var_samba_run_unconfined: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_run_unconfined
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean samba_run_unconfined accordingly
seboolean:
name: samba_run_unconfined
state: '{{ var_samba_run_unconfined }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_run_unconfined
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the mplayer_execstack SELinux Boolean
By default, the SELinux boolean mplayer_execstack is disabled.
If this setting is enabled, it should be disabled.
To disable the mplayer_execstack SELinux boolean, run the following command:
$ sudo setsebool -P mplayer_execstack off
var_mplayer_execstack="false"
setsebool -P mplayer_execstack $var_mplayer_execstack
- name: XCCDF Value var_mplayer_execstack # promote to variable
set_fact:
var_mplayer_execstack: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mplayer_execstack
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean mplayer_execstack accordingly
seboolean:
name: mplayer_execstack
state: '{{ var_mplayer_execstack }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mplayer_execstack
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the selinuxuser_rw_noexattrfile SELinux Boolean
By default, the SELinux boolean selinuxuser_rw_noexattrfile is enabled.
This setting should be disabled, as users should not be able to read or write files
on filesystems that do not support extended attributes (for example FAT, CD-ROM, or floppy).
To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_rw_noexattrfile off
CCE-82320-3
var_selinuxuser_rw_noexattrfile="false"
setsebool -P selinuxuser_rw_noexattrfile $var_selinuxuser_rw_noexattrfile
- name: XCCDF Value var_selinuxuser_rw_noexattrfile # promote to variable
set_fact:
var_selinuxuser_rw_noexattrfile: !!str false
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_selinuxuser_rw_noexattrfile
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82320-3
- name: Set SELinux boolean selinuxuser_rw_noexattrfile accordingly
seboolean:
name: selinuxuser_rw_noexattrfile
state: '{{ var_selinuxuser_rw_noexattrfile }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_selinuxuser_rw_noexattrfile
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82320-3
Disable the neutron_can_network SELinux Boolean
By default, the SELinux boolean neutron_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the neutron_can_network SELinux boolean, run the following command:
$ sudo setsebool -P neutron_can_network off
Remediation Shell script:
var_neutron_can_network="off"
setsebool -P neutron_can_network $var_neutron_can_network
Remediation Ansible snippet:
- name: XCCDF Value var_neutron_can_network # promote to variable
set_fact:
var_neutron_can_network: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_neutron_can_network
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean neutron_can_network accordingly
seboolean:
name: neutron_can_network
state: '{{ var_neutron_can_network }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_neutron_can_network
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the ftpd_full_access SELinux Boolean
By default, the SELinux boolean ftpd_full_access is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_full_access SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_full_access off
Remediation Shell script:
var_ftpd_full_access="off"
setsebool -P ftpd_full_access $var_ftpd_full_access
Remediation Ansible snippet:
- name: XCCDF Value var_ftpd_full_access # promote to variable
set_fact:
var_ftpd_full_access: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ftpd_full_access
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean ftpd_full_access accordingly
seboolean:
name: ftpd_full_access
state: '{{ var_ftpd_full_access }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ftpd_full_access
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the ftpd_use_fusefs SELinux Boolean
By default, the SELinux boolean ftpd_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_fusefs off
Remediation Shell script:
var_ftpd_use_fusefs="off"
setsebool -P ftpd_use_fusefs $var_ftpd_use_fusefs
Remediation Ansible snippet:
- name: XCCDF Value var_ftpd_use_fusefs # promote to variable
set_fact:
var_ftpd_use_fusefs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ftpd_use_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean ftpd_use_fusefs accordingly
seboolean:
name: ftpd_use_fusefs
state: '{{ var_ftpd_use_fusefs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ftpd_use_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the deny_execmem SELinux Boolean
By default, the SELinux boolean deny_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the deny_execmem SELinux boolean, run the following command:
$ sudo setsebool -P deny_execmem off
Identifiers: CCE-82290-8
Remediation Shell script:
var_deny_execmem="off"
setsebool -P deny_execmem $var_deny_execmem
Remediation Ansible snippet:
- name: XCCDF Value var_deny_execmem # promote to variable
set_fact:
var_deny_execmem: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_deny_execmem
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82290-8
- name: Set SELinux boolean deny_execmem accordingly
seboolean:
name: deny_execmem
state: '{{ var_deny_execmem }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_deny_execmem
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82290-8
Disable the ssh_chroot_rw_homedirs SELinux Boolean
By default, the SELinux boolean ssh_chroot_rw_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P ssh_chroot_rw_homedirs off
Identifiers: CCE-82325-2
Remediation Shell script:
var_ssh_chroot_rw_homedirs="off"
setsebool -P ssh_chroot_rw_homedirs $var_ssh_chroot_rw_homedirs
Remediation Ansible snippet:
- name: XCCDF Value var_ssh_chroot_rw_homedirs # promote to variable
set_fact:
var_ssh_chroot_rw_homedirs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ssh_chroot_rw_homedirs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82325-2
- name: Set SELinux boolean ssh_chroot_rw_homedirs accordingly
seboolean:
name: ssh_chroot_rw_homedirs
state: '{{ var_ssh_chroot_rw_homedirs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ssh_chroot_rw_homedirs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82325-2
Disable the httpd_mod_auth_pam SELinux Boolean
By default, the SELinux boolean httpd_mod_auth_pam is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_mod_auth_pam SELinux boolean, run the following command:
$ sudo setsebool -P httpd_mod_auth_pam off
Remediation Shell script:
var_httpd_mod_auth_pam="off"
setsebool -P httpd_mod_auth_pam $var_httpd_mod_auth_pam
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_mod_auth_pam # promote to variable
set_fact:
var_httpd_mod_auth_pam: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_mod_auth_pam
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_mod_auth_pam accordingly
seboolean:
name: httpd_mod_auth_pam
state: '{{ var_httpd_mod_auth_pam }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_mod_auth_pam
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the authlogin_yubikey SELinux Boolean
By default, the SELinux boolean authlogin_yubikey is disabled.
If this setting is enabled, it should be disabled.
To disable the authlogin_yubikey SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_yubikey off
References: NIST SP 800-171 3.7.2
Identifiers: CCE-80427-8
Remediation Shell script:
var_authlogin_yubikey="off"
setsebool -P authlogin_yubikey $var_authlogin_yubikey
Remediation Ansible snippet:
- name: XCCDF Value var_authlogin_yubikey # promote to variable
set_fact:
var_authlogin_yubikey: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_authlogin_yubikey
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80427-8
- NIST-800-171-3.7.2
- name: Set SELinux boolean authlogin_yubikey accordingly
seboolean:
name: authlogin_yubikey
state: '{{ var_authlogin_yubikey }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_authlogin_yubikey
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80427-8
- NIST-800-171-3.7.2
Disable the virt_use_samba SELinux Boolean
By default, the SELinux boolean virt_use_samba is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_samba SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_samba off
Remediation Shell script:
var_virt_use_samba="off"
setsebool -P virt_use_samba $var_virt_use_samba
Remediation Ansible snippet:
- name: XCCDF Value var_virt_use_samba # promote to variable
set_fact:
var_virt_use_samba: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_samba
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_use_samba accordingly
seboolean:
name: virt_use_samba
state: '{{ var_virt_use_samba }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_use_samba
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the httpd_can_connect_ftp SELinux Boolean
By default, the SELinux boolean httpd_can_connect_ftp is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_ftp SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_ftp off
Remediation Shell script:
var_httpd_can_connect_ftp="off"
setsebool -P httpd_can_connect_ftp $var_httpd_can_connect_ftp
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_can_connect_ftp # promote to variable
set_fact:
var_httpd_can_connect_ftp: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_can_connect_ftp
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_can_connect_ftp accordingly
seboolean:
name: httpd_can_connect_ftp
state: '{{ var_httpd_can_connect_ftp }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_can_connect_ftp
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the abrt_anon_write SELinux Boolean
By default, the SELinux boolean abrt_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the abrt_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P abrt_anon_write off
References: NIST SP 800-171 3.7.2
Identifiers: CCE-80419-5
Remediation Shell script:
var_abrt_anon_write="off"
setsebool -P abrt_anon_write $var_abrt_anon_write
Remediation Ansible snippet:
- name: XCCDF Value var_abrt_anon_write # promote to variable
set_fact:
var_abrt_anon_write: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_abrt_anon_write
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80419-5
- NIST-800-171-3.7.2
- name: Set SELinux boolean abrt_anon_write accordingly
seboolean:
name: abrt_anon_write
state: '{{ var_abrt_anon_write }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_abrt_anon_write
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80419-5
- NIST-800-171-3.7.2
Disable the named_tcp_bind_http_port SELinux Boolean
By default, the SELinux boolean named_tcp_bind_http_port is disabled.
If this setting is enabled, it should be disabled.
To disable the named_tcp_bind_http_port SELinux boolean, run the following command:
$ sudo setsebool -P named_tcp_bind_http_port off
Remediation Shell script:
var_named_tcp_bind_http_port="off"
setsebool -P named_tcp_bind_http_port $var_named_tcp_bind_http_port
Remediation Ansible snippet:
- name: XCCDF Value var_named_tcp_bind_http_port # promote to variable
set_fact:
var_named_tcp_bind_http_port: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_named_tcp_bind_http_port
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean named_tcp_bind_http_port accordingly
seboolean:
name: named_tcp_bind_http_port
state: '{{ var_named_tcp_bind_http_port }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_named_tcp_bind_http_port
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the squid_use_tproxy SELinux Boolean
By default, the SELinux boolean squid_use_tproxy is disabled.
If this setting is enabled, it should be disabled.
To disable the squid_use_tproxy SELinux boolean, run the following command:
$ sudo setsebool -P squid_use_tproxy off
Remediation Shell script:
var_squid_use_tproxy="off"
setsebool -P squid_use_tproxy $var_squid_use_tproxy
Remediation Ansible snippet:
- name: XCCDF Value var_squid_use_tproxy # promote to variable
set_fact:
var_squid_use_tproxy: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_squid_use_tproxy
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean squid_use_tproxy accordingly
seboolean:
name: squid_use_tproxy
state: '{{ var_squid_use_tproxy }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_squid_use_tproxy
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the dhcpd_use_ldap SELinux Boolean
By default, the SELinux boolean dhcpd_use_ldap is disabled.
If this setting is enabled, it should be disabled.
To disable the dhcpd_use_ldap SELinux boolean, run the following command:
$ sudo setsebool -P dhcpd_use_ldap off
Remediation Shell script:
var_dhcpd_use_ldap="off"
setsebool -P dhcpd_use_ldap $var_dhcpd_use_ldap
Remediation Ansible snippet:
- name: XCCDF Value var_dhcpd_use_ldap # promote to variable
set_fact:
var_dhcpd_use_ldap: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_dhcpd_use_ldap
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean dhcpd_use_ldap accordingly
seboolean:
name: dhcpd_use_ldap
state: '{{ var_dhcpd_use_ldap }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_dhcpd_use_ldap
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Configure the httpd_builtin_scripting SELinux Boolean
By default, the SELinux boolean httpd_builtin_scripting is enabled.
This setting should be disabled if httpd does not run PHP
or a similar scripting language.
To disable the httpd_builtin_scripting SELinux boolean, run the following command:
$ sudo setsebool -P httpd_builtin_scripting off
Remediation Shell script:
var_httpd_builtin_scripting="off"   # set to "on" only if httpd runs PHP or a similar scripting language
setsebool -P httpd_builtin_scripting $var_httpd_builtin_scripting
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_builtin_scripting # promote to variable
set_fact:
var_httpd_builtin_scripting: !!str off # "on" only if httpd runs PHP or a similar scripting language
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_builtin_scripting
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_builtin_scripting accordingly
seboolean:
name: httpd_builtin_scripting
state: '{{ var_httpd_builtin_scripting }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_builtin_scripting
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the samba_share_nfs SELinux Boolean
By default, the SELinux boolean samba_share_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_share_nfs SELinux boolean, run the following command:
$ sudo setsebool -P samba_share_nfs off
Remediation Shell script:
var_samba_share_nfs="off"
setsebool -P samba_share_nfs $var_samba_share_nfs
Remediation Ansible snippet:
- name: XCCDF Value var_samba_share_nfs # promote to variable
set_fact:
var_samba_share_nfs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_share_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean samba_share_nfs accordingly
seboolean:
name: samba_share_nfs
state: '{{ var_samba_share_nfs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_samba_share_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the glance_use_fusefs SELinux Boolean
By default, the SELinux boolean glance_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the glance_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P glance_use_fusefs off
Remediation Shell script:
var_glance_use_fusefs="off"
setsebool -P glance_use_fusefs $var_glance_use_fusefs
Remediation Ansible snippet:
- name: XCCDF Value var_glance_use_fusefs # promote to variable
set_fact:
var_glance_use_fusefs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_glance_use_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean glance_use_fusefs accordingly
seboolean:
name: glance_use_fusefs
state: '{{ var_glance_use_fusefs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_glance_use_fusefs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the sanlock_use_nfs SELinux Boolean
By default, the SELinux boolean sanlock_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the sanlock_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P sanlock_use_nfs off
Remediation Shell script:
var_sanlock_use_nfs="off"
setsebool -P sanlock_use_nfs $var_sanlock_use_nfs
Remediation Ansible snippet:
- name: XCCDF Value var_sanlock_use_nfs # promote to variable
set_fact:
var_sanlock_use_nfs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_sanlock_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean sanlock_use_nfs accordingly
seboolean:
name: sanlock_use_nfs
state: '{{ var_sanlock_use_nfs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_sanlock_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Configure the gluster_export_all_rw SELinux Boolean
By default, the SELinux boolean gluster_export_all_rw is enabled.
If GlusterFS is in use, this setting should be enabled. Otherwise,
disable it.
To disable the gluster_export_all_rw SELinux boolean, run the following command:
$ sudo setsebool -P gluster_export_all_rw off
Remediation Shell script:
var_gluster_export_all_rw="off"   # set to "on" if GlusterFS is in use
setsebool -P gluster_export_all_rw $var_gluster_export_all_rw
Remediation Ansible snippet:
- name: XCCDF Value var_gluster_export_all_rw # promote to variable
set_fact:
var_gluster_export_all_rw: !!str off # "on" if GlusterFS is in use
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_gluster_export_all_rw
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean gluster_export_all_rw accordingly
seboolean:
name: gluster_export_all_rw
state: '{{ var_gluster_export_all_rw }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_gluster_export_all_rw
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean
By default, the SELinux boolean mozilla_plugin_bind_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_bind_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off
Remediation Shell script:
var_mozilla_plugin_bind_unreserved_ports="off"
setsebool -P mozilla_plugin_bind_unreserved_ports $var_mozilla_plugin_bind_unreserved_ports
Remediation Ansible snippet:
- name: XCCDF Value var_mozilla_plugin_bind_unreserved_ports # promote to variable
set_fact:
var_mozilla_plugin_bind_unreserved_ports: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mozilla_plugin_bind_unreserved_ports
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean mozilla_plugin_bind_unreserved_ports accordingly
seboolean:
name: mozilla_plugin_bind_unreserved_ports
state: '{{ var_mozilla_plugin_bind_unreserved_ports }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mozilla_plugin_bind_unreserved_ports
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Enable the logging_syslogd_use_tty SELinux Boolean
By default, the SELinux boolean logging_syslogd_use_tty is enabled.
If this setting is disabled, it should be enabled, as it allows syslogd
to read from and write to terminals.
To enable the logging_syslogd_use_tty SELinux boolean, run the following command:
$ sudo setsebool -P logging_syslogd_use_tty on
Identifiers: CCE-82300-5
Remediation Shell script:
var_logging_syslogd_use_tty="on"
setsebool -P logging_syslogd_use_tty $var_logging_syslogd_use_tty
Remediation Ansible snippet:
- name: XCCDF Value var_logging_syslogd_use_tty # promote to variable
set_fact:
var_logging_syslogd_use_tty: !!str on
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_logging_syslogd_use_tty
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82300-5
- name: Set SELinux boolean logging_syslogd_use_tty accordingly
seboolean:
name: logging_syslogd_use_tty
state: '{{ var_logging_syslogd_use_tty }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_logging_syslogd_use_tty
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82300-5
Disable the glance_api_can_network SELinux Boolean
By default, the SELinux boolean glance_api_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the glance_api_can_network SELinux boolean, run the following command:
$ sudo setsebool -P glance_api_can_network off
Remediation Shell script:
var_glance_api_can_network="off"
setsebool -P glance_api_can_network $var_glance_api_can_network
Remediation Ansible snippet:
- name: XCCDF Value var_glance_api_can_network # promote to variable
set_fact:
var_glance_api_can_network: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_glance_api_can_network
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean glance_api_can_network accordingly
seboolean:
name: glance_api_can_network
state: '{{ var_glance_api_can_network }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_glance_api_can_network
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the abrt_handle_event SELinux Boolean
By default, the SELinux boolean abrt_handle_event is disabled.
If this setting is enabled, it should be disabled.
To disable the abrt_handle_event SELinux boolean, run the following command:
$ sudo setsebool -P abrt_handle_event off
References: NIST SP 800-171 3.7.2
Identifiers: CCE-80420-3
Remediation Shell script:
var_abrt_handle_event="off"
setsebool -P abrt_handle_event $var_abrt_handle_event
Remediation Ansible snippet:
- name: XCCDF Value var_abrt_handle_event # promote to variable
set_fact:
var_abrt_handle_event: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_abrt_handle_event
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80420-3
- NIST-800-171-3.7.2
- name: Set SELinux boolean abrt_handle_event accordingly
seboolean:
name: abrt_handle_event
state: '{{ var_abrt_handle_event }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_abrt_handle_event
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80420-3
- NIST-800-171-3.7.2
Disable the gluster_export_all_ro SELinux Boolean
By default, the SELinux boolean gluster_export_all_ro is disabled.
If this setting is enabled, it should be disabled.
To disable the gluster_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P gluster_export_all_ro off
Remediation Shell script:
var_gluster_export_all_ro="off"
setsebool -P gluster_export_all_ro $var_gluster_export_all_ro
Remediation Ansible snippet:
- name: XCCDF Value var_gluster_export_all_ro # promote to variable
set_fact:
var_gluster_export_all_ro: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_gluster_export_all_ro
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean gluster_export_all_ro accordingly
seboolean:
name: gluster_export_all_ro
state: '{{ var_gluster_export_all_ro }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_gluster_export_all_ro
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the ksmtuned_use_nfs SELinux Boolean
By default, the SELinux boolean ksmtuned_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the ksmtuned_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P ksmtuned_use_nfs off
Remediation Shell script:
var_ksmtuned_use_nfs="off"
setsebool -P ksmtuned_use_nfs $var_ksmtuned_use_nfs
Remediation Ansible snippet:
- name: XCCDF Value var_ksmtuned_use_nfs # promote to variable
set_fact:
var_ksmtuned_use_nfs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ksmtuned_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean ksmtuned_use_nfs accordingly
seboolean:
name: ksmtuned_use_nfs
state: '{{ var_ksmtuned_use_nfs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_ksmtuned_use_nfs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the puppetagent_manage_all_files SELinux Boolean
By default, the SELinux boolean puppetagent_manage_all_files is disabled.
If this setting is enabled, it should be disabled.
To disable the puppetagent_manage_all_files SELinux boolean, run the following command:
$ sudo setsebool -P puppetagent_manage_all_files off
Remediation Shell script:
var_puppetagent_manage_all_files="off"
setsebool -P puppetagent_manage_all_files $var_puppetagent_manage_all_files
Remediation Ansible snippet:
- name: XCCDF Value var_puppetagent_manage_all_files # promote to variable
set_fact:
var_puppetagent_manage_all_files: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_puppetagent_manage_all_files
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean puppetagent_manage_all_files accordingly
seboolean:
name: puppetagent_manage_all_files
state: '{{ var_puppetagent_manage_all_files }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_puppetagent_manage_all_files
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the httpd_dontaudit_search_dirs SELinux Boolean
By default, the SELinux boolean httpd_dontaudit_search_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_dontaudit_search_dirs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_dontaudit_search_dirs off
Remediation Shell script:
var_httpd_dontaudit_search_dirs="off"
setsebool -P httpd_dontaudit_search_dirs $var_httpd_dontaudit_search_dirs
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_dontaudit_search_dirs # promote to variable
set_fact:
var_httpd_dontaudit_search_dirs: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_dontaudit_search_dirs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_dontaudit_search_dirs accordingly
seboolean:
name: httpd_dontaudit_search_dirs
state: '{{ var_httpd_dontaudit_search_dirs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_dontaudit_search_dirs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the httpd_can_network_connect_db SELinux Boolean
By default, the SELinux boolean httpd_can_network_connect_db is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect_db SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_connect_db off
Remediation Shell script:
var_httpd_can_network_connect_db="off"
setsebool -P httpd_can_network_connect_db $var_httpd_can_network_connect_db
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_can_network_connect_db # promote to variable
set_fact:
var_httpd_can_network_connect_db: !!str off
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_can_network_connect_db
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_can_network_connect_db accordingly
seboolean:
name: httpd_can_network_connect_db
state: '{{ var_httpd_can_network_connect_db }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_can_network_connect_db
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the cron_system_cronjob_use_shares SELinux Boolean
By default, the SELinux boolean cron_system_cronjob_use_shares is disabled.
If this setting is enabled, it should be disabled.
To disable the cron_system_cronjob_use_shares SELinux boolean, run the following command:
$ sudo setsebool -P cron_system_cronjob_use_shares off
Identifiers: CCE-82285-8

var_cron_system_cronjob_use_shares=""
setsebool -P cron_system_cronjob_use_shares $var_cron_system_cronjob_use_shares

- name: XCCDF Value var_cron_system_cronjob_use_shares # promote to variable
  set_fact:
    var_cron_system_cronjob_use_shares: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cron_system_cronjob_use_shares
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82285-8

- name: Set SELinux boolean cron_system_cronjob_use_shares accordingly
  seboolean:
    name: cron_system_cronjob_use_shares
    state: '{{ var_cron_system_cronjob_use_shares }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cron_system_cronjob_use_shares
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82285-8
Disable the mozilla_plugin_use_bluejeans SELinux Boolean
By default, the SELinux boolean mozilla_plugin_use_bluejeans is disabled.
If this setting is enabled, it should be disabled.
To disable the mozilla_plugin_use_bluejeans SELinux boolean, run the following command:
$ sudo setsebool -P mozilla_plugin_use_bluejeans off

var_mozilla_plugin_use_bluejeans=""
setsebool -P mozilla_plugin_use_bluejeans $var_mozilla_plugin_use_bluejeans

- name: XCCDF Value var_mozilla_plugin_use_bluejeans # promote to variable
  set_fact:
    var_mozilla_plugin_use_bluejeans: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mozilla_plugin_use_bluejeans
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mozilla_plugin_use_bluejeans accordingly
  seboolean:
    name: mozilla_plugin_use_bluejeans
    state: '{{ var_mozilla_plugin_use_bluejeans }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mozilla_plugin_use_bluejeans
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the postgresql_can_rsync SELinux Boolean
By default, the SELinux boolean postgresql_can_rsync is disabled.
If this setting is enabled, it should be disabled.
To disable the postgresql_can_rsync SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_can_rsync off

var_postgresql_can_rsync=""
setsebool -P postgresql_can_rsync $var_postgresql_can_rsync

- name: XCCDF Value var_postgresql_can_rsync # promote to variable
  set_fact:
    var_postgresql_can_rsync: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_postgresql_can_rsync
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean postgresql_can_rsync accordingly
  seboolean:
    name: postgresql_can_rsync
    state: '{{ var_postgresql_can_rsync }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_postgresql_can_rsync
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the secure_mode_policyload SELinux Boolean
By default, the SELinux boolean secure_mode_policyload is disabled.
If this setting is enabled, it should be disabled.
To disable the secure_mode_policyload SELinux boolean, run the following command:
$ sudo setsebool -P secure_mode_policyload off
Identifiers: CCE-82310-4

var_secure_mode_policyload=""
setsebool -P secure_mode_policyload $var_secure_mode_policyload

- name: XCCDF Value var_secure_mode_policyload # promote to variable
  set_fact:
    var_secure_mode_policyload: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_secure_mode_policyload
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82310-4

- name: Set SELinux boolean secure_mode_policyload accordingly
  seboolean:
    name: secure_mode_policyload
    state: '{{ var_secure_mode_policyload }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_secure_mode_policyload
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82310-4
Disable the mcelog_server SELinux Boolean
By default, the SELinux boolean mcelog_server is disabled.
If this setting is enabled, it should be disabled.
To disable the mcelog_server SELinux boolean, run the following command:
$ sudo setsebool -P mcelog_server off

var_mcelog_server=""
setsebool -P mcelog_server $var_mcelog_server

- name: XCCDF Value var_mcelog_server # promote to variable
  set_fact:
    var_mcelog_server: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mcelog_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mcelog_server accordingly
  seboolean:
    name: mcelog_server
    state: '{{ var_mcelog_server }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mcelog_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the mcelog_exec_scripts SELinux Boolean
By default, the SELinux boolean mcelog_exec_scripts is enabled.
If this setting is disabled, it should be enabled.
To enable the mcelog_exec_scripts SELinux boolean, run the following command:
$ sudo setsebool -P mcelog_exec_scripts on

var_mcelog_exec_scripts=""
setsebool -P mcelog_exec_scripts $var_mcelog_exec_scripts

- name: XCCDF Value var_mcelog_exec_scripts # promote to variable
  set_fact:
    var_mcelog_exec_scripts: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mcelog_exec_scripts
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mcelog_exec_scripts accordingly
  seboolean:
    name: mcelog_exec_scripts
    state: '{{ var_mcelog_exec_scripts }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mcelog_exec_scripts
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the virt_rw_qemu_ga_data SELinux Boolean
By default, the SELinux boolean virt_rw_qemu_ga_data is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_rw_qemu_ga_data SELinux boolean, run the following command:
$ sudo setsebool -P virt_rw_qemu_ga_data off

var_virt_rw_qemu_ga_data=""
setsebool -P virt_rw_qemu_ga_data $var_virt_rw_qemu_ga_data

- name: XCCDF Value var_virt_rw_qemu_ga_data # promote to variable
  set_fact:
    var_virt_rw_qemu_ga_data: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_rw_qemu_ga_data
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean virt_rw_qemu_ga_data accordingly
  seboolean:
    name: virt_rw_qemu_ga_data
    state: '{{ var_virt_rw_qemu_ga_data }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_rw_qemu_ga_data
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the tor_bind_all_unreserved_ports SELinux Boolean
By default, the SELinux boolean tor_bind_all_unreserved_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the tor_bind_all_unreserved_ports SELinux boolean, run the following command:
$ sudo setsebool -P tor_bind_all_unreserved_ports off

var_tor_bind_all_unreserved_ports=""
setsebool -P tor_bind_all_unreserved_ports $var_tor_bind_all_unreserved_ports

- name: XCCDF Value var_tor_bind_all_unreserved_ports # promote to variable
  set_fact:
    var_tor_bind_all_unreserved_ports: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tor_bind_all_unreserved_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean tor_bind_all_unreserved_ports accordingly
  seboolean:
    name: tor_bind_all_unreserved_ports
    state: '{{ var_tor_bind_all_unreserved_ports }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tor_bind_all_unreserved_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the piranha_lvs_can_network_connect SELinux Boolean
By default, the SELinux boolean piranha_lvs_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the piranha_lvs_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P piranha_lvs_can_network_connect off

var_piranha_lvs_can_network_connect=""
setsebool -P piranha_lvs_can_network_connect $var_piranha_lvs_can_network_connect

- name: XCCDF Value var_piranha_lvs_can_network_connect # promote to variable
  set_fact:
    var_piranha_lvs_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_piranha_lvs_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean piranha_lvs_can_network_connect accordingly
  seboolean:
    name: piranha_lvs_can_network_connect
    state: '{{ var_piranha_lvs_can_network_connect }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_piranha_lvs_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the git_system_use_cifs SELinux Boolean
By default, the SELinux boolean git_system_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the git_system_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P git_system_use_cifs off

var_git_system_use_cifs=""
setsebool -P git_system_use_cifs $var_git_system_use_cifs

- name: XCCDF Value var_git_system_use_cifs # promote to variable
  set_fact:
    var_git_system_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_git_system_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean git_system_use_cifs accordingly
  seboolean:
    name: git_system_use_cifs
    state: '{{ var_git_system_use_cifs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_git_system_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the exim_manage_user_files SELinux Boolean
By default, the SELinux boolean exim_manage_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the exim_manage_user_files SELinux boolean, run the following command:
$ sudo setsebool -P exim_manage_user_files off

var_exim_manage_user_files=""
setsebool -P exim_manage_user_files $var_exim_manage_user_files

- name: XCCDF Value var_exim_manage_user_files # promote to variable
  set_fact:
    var_exim_manage_user_files: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_exim_manage_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean exim_manage_user_files accordingly
  seboolean:
    name: exim_manage_user_files
    state: '{{ var_exim_manage_user_files }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_exim_manage_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the virt_sandbox_use_netlink SELinux Boolean
By default, the SELinux boolean virt_sandbox_use_netlink is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_netlink SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_netlink off

var_virt_sandbox_use_netlink=""
setsebool -P virt_sandbox_use_netlink $var_virt_sandbox_use_netlink

- name: XCCDF Value var_virt_sandbox_use_netlink # promote to variable
  set_fact:
    var_virt_sandbox_use_netlink: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_sandbox_use_netlink
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean virt_sandbox_use_netlink accordingly
  seboolean:
    name: virt_sandbox_use_netlink
    state: '{{ var_virt_sandbox_use_netlink }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_sandbox_use_netlink
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the unconfined_chrome_sandbox_transition SELinux Boolean
By default, the SELinux boolean unconfined_chrome_sandbox_transition is enabled.
If this setting is disabled, it should be enabled.
To enable the unconfined_chrome_sandbox_transition SELinux boolean, run the following command:
$ sudo setsebool -P unconfined_chrome_sandbox_transition on

var_unconfined_chrome_sandbox_transition=""
setsebool -P unconfined_chrome_sandbox_transition $var_unconfined_chrome_sandbox_transition

- name: XCCDF Value var_unconfined_chrome_sandbox_transition # promote to variable
  set_fact:
    var_unconfined_chrome_sandbox_transition: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_unconfined_chrome_sandbox_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean unconfined_chrome_sandbox_transition accordingly
  seboolean:
    name: unconfined_chrome_sandbox_transition
    state: '{{ var_unconfined_chrome_sandbox_transition }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_unconfined_chrome_sandbox_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_ssi_exec SELinux Boolean
By default, the SELinux boolean httpd_ssi_exec is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_ssi_exec SELinux boolean, run the following command:
$ sudo setsebool -P httpd_ssi_exec off

var_httpd_ssi_exec=""
setsebool -P httpd_ssi_exec $var_httpd_ssi_exec

- name: XCCDF Value var_httpd_ssi_exec # promote to variable
  set_fact:
    var_httpd_ssi_exec: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_ssi_exec
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_ssi_exec accordingly
  seboolean:
    name: httpd_ssi_exec
    state: '{{ var_httpd_ssi_exec }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_ssi_exec
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the virt_read_qemu_ga_data SELinux Boolean
By default, the SELinux boolean virt_read_qemu_ga_data is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_read_qemu_ga_data SELinux boolean, run the following command:
$ sudo setsebool -P virt_read_qemu_ga_data off

var_virt_read_qemu_ga_data=""
setsebool -P virt_read_qemu_ga_data $var_virt_read_qemu_ga_data

- name: XCCDF Value var_virt_read_qemu_ga_data # promote to variable
  set_fact:
    var_virt_read_qemu_ga_data: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_read_qemu_ga_data
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean virt_read_qemu_ga_data accordingly
  seboolean:
    name: virt_read_qemu_ga_data
    state: '{{ var_virt_read_qemu_ga_data }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_read_qemu_ga_data
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the glance_use_execmem SELinux Boolean
By default, the SELinux boolean glance_use_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the glance_use_execmem SELinux boolean, run the following command:
$ sudo setsebool -P glance_use_execmem off

var_glance_use_execmem=""
setsebool -P glance_use_execmem $var_glance_use_execmem

- name: XCCDF Value var_glance_use_execmem # promote to variable
  set_fact:
    var_glance_use_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_glance_use_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean glance_use_execmem accordingly
  seboolean:
    name: glance_use_execmem
    state: '{{ var_glance_use_execmem }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_glance_use_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_can_sendmail SELinux Boolean
By default, the SELinux boolean httpd_can_sendmail is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_sendmail SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_sendmail off

var_httpd_can_sendmail=""
setsebool -P httpd_can_sendmail $var_httpd_can_sendmail

- name: XCCDF Value var_httpd_can_sendmail # promote to variable
  set_fact:
    var_httpd_can_sendmail: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_sendmail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_can_sendmail accordingly
  seboolean:
    name: httpd_can_sendmail
    state: '{{ var_httpd_can_sendmail }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_sendmail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_enable_homedirs SELinux Boolean
By default, the SELinux boolean httpd_enable_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_enable_homedirs off

var_httpd_enable_homedirs=""
setsebool -P httpd_enable_homedirs $var_httpd_enable_homedirs

- name: XCCDF Value var_httpd_enable_homedirs # promote to variable
  set_fact:
    var_httpd_enable_homedirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_enable_homedirs accordingly
  seboolean:
    name: httpd_enable_homedirs
    state: '{{ var_httpd_enable_homedirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the cdrecord_read_content SELinux Boolean
By default, the SELinux boolean cdrecord_read_content is disabled.
If this setting is enabled, it should be disabled.
To disable the cdrecord_read_content SELinux boolean, run the following command:
$ sudo setsebool -P cdrecord_read_content off

var_cdrecord_read_content=""
setsebool -P cdrecord_read_content $var_cdrecord_read_content

- name: XCCDF Value var_cdrecord_read_content # promote to variable
  set_fact:
    var_cdrecord_read_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cdrecord_read_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cdrecord_read_content accordingly
  seboolean:
    name: cdrecord_read_content
    state: '{{ var_cdrecord_read_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cdrecord_read_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the unconfined_login SELinux Boolean
By default, the SELinux boolean unconfined_login is enabled.
If this setting is disabled, it should be enabled.
To enable the unconfined_login SELinux boolean, run the following command:
$ sudo setsebool -P unconfined_login on
Identifiers: CCE-82330-2

var_unconfined_login=""
setsebool -P unconfined_login $var_unconfined_login

- name: XCCDF Value var_unconfined_login # promote to variable
  set_fact:
    var_unconfined_login: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_unconfined_login
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82330-2

- name: Set SELinux boolean unconfined_login accordingly
  seboolean:
    name: unconfined_login
    state: '{{ var_unconfined_login }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_unconfined_login
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82330-2
Disable the logging_syslogd_can_sendmail SELinux Boolean
By default, the SELinux boolean logging_syslogd_can_sendmail is disabled.
If this setting is enabled, it should be disabled.
To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command:
$ sudo setsebool -P logging_syslogd_can_sendmail off
Identifiers: CCE-82299-9

var_logging_syslogd_can_sendmail=""
setsebool -P logging_syslogd_can_sendmail $var_logging_syslogd_can_sendmail

- name: XCCDF Value var_logging_syslogd_can_sendmail # promote to variable
  set_fact:
    var_logging_syslogd_can_sendmail: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_logging_syslogd_can_sendmail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82299-9

- name: Set SELinux boolean logging_syslogd_can_sendmail accordingly
  seboolean:
    name: logging_syslogd_can_sendmail
    state: '{{ var_logging_syslogd_can_sendmail }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_logging_syslogd_can_sendmail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82299-9
Disable the gitosis_can_sendmail SELinux Boolean
By default, the SELinux boolean gitosis_can_sendmail is disabled.
If this setting is enabled, it should be disabled.
To disable the gitosis_can_sendmail SELinux boolean, run the following command:
$ sudo setsebool -P gitosis_can_sendmail off

var_gitosis_can_sendmail=""
setsebool -P gitosis_can_sendmail $var_gitosis_can_sendmail

- name: XCCDF Value var_gitosis_can_sendmail # promote to variable
  set_fact:
    var_gitosis_can_sendmail: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_gitosis_can_sendmail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean gitosis_can_sendmail accordingly
  seboolean:
    name: gitosis_can_sendmail
    state: '{{ var_gitosis_can_sendmail }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_gitosis_can_sendmail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_use_sasl SELinux Boolean
By default, the SELinux boolean httpd_use_sasl is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_sasl SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_sasl off

var_httpd_use_sasl=""
setsebool -P httpd_use_sasl $var_httpd_use_sasl

- name: XCCDF Value var_httpd_use_sasl # promote to variable
  set_fact:
    var_httpd_use_sasl: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_sasl
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_use_sasl accordingly
  seboolean:
    name: httpd_use_sasl
    state: '{{ var_httpd_use_sasl }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_sasl
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the staff_use_svirt SELinux Boolean
By default, the SELinux boolean staff_use_svirt is disabled.
If this setting is enabled, it should be disabled.
To disable the staff_use_svirt SELinux boolean, run the following command:
$ sudo setsebool -P staff_use_svirt off

var_staff_use_svirt=""
setsebool -P staff_use_svirt $var_staff_use_svirt

- name: XCCDF Value var_staff_use_svirt # promote to variable
  set_fact:
    var_staff_use_svirt: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_staff_use_svirt
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean staff_use_svirt accordingly
  seboolean:
    name: staff_use_svirt
    state: '{{ var_staff_use_svirt }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_staff_use_svirt
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the virt_use_comm SELinux Boolean
By default, the SELinux boolean virt_use_comm is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_comm SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_comm off

var_virt_use_comm=""
setsebool -P virt_use_comm $var_virt_use_comm

- name: XCCDF Value var_virt_use_comm # promote to variable
  set_fact:
    var_virt_use_comm: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_use_comm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean virt_use_comm accordingly
  seboolean:
    name: virt_use_comm
    state: '{{ var_virt_use_comm }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_use_comm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean
By default, the SELinux boolean selinuxuser_postgresql_connect_enabled is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_postgresql_connect_enabled off
Identifiers: CCE-82319-5

var_selinuxuser_postgresql_connect_enabled=""
setsebool -P selinuxuser_postgresql_connect_enabled $var_selinuxuser_postgresql_connect_enabled

- name: XCCDF Value var_selinuxuser_postgresql_connect_enabled # promote to variable
  set_fact:
    var_selinuxuser_postgresql_connect_enabled: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_postgresql_connect_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82319-5

- name: Set SELinux boolean selinuxuser_postgresql_connect_enabled accordingly
  seboolean:
    name: selinuxuser_postgresql_connect_enabled
    state: '{{ var_selinuxuser_postgresql_connect_enabled }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_postgresql_connect_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82319-5
Disable the httpd_use_gpg SELinux Boolean
By default, the SELinux boolean httpd_use_gpg is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_gpg SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_gpg off
Remediation Shell script:
# XCCDF value var_httpd_use_gpg, set to the state the rule requires
var_httpd_use_gpg="off"
setsebool -P httpd_use_gpg $var_httpd_use_gpg
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_use_gpg # promote to variable
  set_fact:
    var_httpd_use_gpg: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_gpg
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_use_gpg accordingly
  seboolean:
    name: httpd_use_gpg
    state: '{{ var_httpd_use_gpg }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_gpg
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the dbadm_manage_user_files SELinux Boolean
By default, the SELinux boolean dbadm_manage_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the dbadm_manage_user_files SELinux boolean, run the following command:
$ sudo setsebool -P dbadm_manage_user_files off
Remediation Shell script:
# XCCDF value var_dbadm_manage_user_files, set to the state the rule requires
var_dbadm_manage_user_files="off"
setsebool -P dbadm_manage_user_files $var_dbadm_manage_user_files
Remediation Ansible snippet:
- name: XCCDF Value var_dbadm_manage_user_files # promote to variable
  set_fact:
    var_dbadm_manage_user_files: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_dbadm_manage_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean dbadm_manage_user_files accordingly
  seboolean:
    name: dbadm_manage_user_files
    state: '{{ var_dbadm_manage_user_files }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_dbadm_manage_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the daemons_use_tcp_wrapper SELinux Boolean
By default, the SELinux boolean daemons_use_tcp_wrapper is disabled.
If this setting is enabled, it should be disabled.
To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command:
$ sudo setsebool -P daemons_use_tcp_wrapper off
Identifiers: CCE-82288-2
Remediation Shell script:
# XCCDF value var_daemons_use_tcp_wrapper, set to the state the rule requires
var_daemons_use_tcp_wrapper="off"
setsebool -P daemons_use_tcp_wrapper $var_daemons_use_tcp_wrapper
Remediation Ansible snippet:
- name: XCCDF Value var_daemons_use_tcp_wrapper # promote to variable
  set_fact:
    var_daemons_use_tcp_wrapper: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_daemons_use_tcp_wrapper
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82288-2

- name: Set SELinux boolean daemons_use_tcp_wrapper accordingly
  seboolean:
    name: daemons_use_tcp_wrapper
    state: '{{ var_daemons_use_tcp_wrapper }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_daemons_use_tcp_wrapper
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82288-2
Configure the httpd_enable_cgi SELinux Boolean
By default, the SELinux boolean httpd_enable_cgi is enabled.
This setting should be disabled unless httpd is used with CGI scripting.
To disable the httpd_enable_cgi SELinux boolean, run the following command:
$ sudo setsebool -P httpd_enable_cgi off
Remediation Shell script:
# XCCDF value var_httpd_enable_cgi, set to the state the rule requires
var_httpd_enable_cgi="off"
setsebool -P httpd_enable_cgi $var_httpd_enable_cgi
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_enable_cgi # promote to variable
  set_fact:
    var_httpd_enable_cgi: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_enable_cgi
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_enable_cgi accordingly
  seboolean:
    name: httpd_enable_cgi
    state: '{{ var_httpd_enable_cgi }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_enable_cgi
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the antivirus_can_scan_system SELinux Boolean
By default, the SELinux boolean antivirus_can_scan_system is disabled.
This setting should be enabled, as it allows antivirus programs to read non-security files on a system.
To enable the antivirus_can_scan_system SELinux boolean, run the following command:
$ sudo setsebool -P antivirus_can_scan_system on
References: NIST 800-171 3.7.2
Identifiers: CCE-80422-9
Remediation Shell script:
# XCCDF value var_antivirus_can_scan_system, set to the state the rule requires
var_antivirus_can_scan_system="on"
setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system
Remediation Ansible snippet:
- name: XCCDF Value var_antivirus_can_scan_system # promote to variable
  set_fact:
    var_antivirus_can_scan_system: !!str on
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_antivirus_can_scan_system
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80422-9
    - NIST-800-171-3.7.2

- name: Set SELinux boolean antivirus_can_scan_system accordingly
  seboolean:
    name: antivirus_can_scan_system
    state: '{{ var_antivirus_can_scan_system }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_antivirus_can_scan_system
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80422-9
    - NIST-800-171-3.7.2
Disable the zarafa_setrlimit SELinux Boolean
By default, the SELinux boolean zarafa_setrlimit is disabled.
If this setting is enabled, it should be disabled.
To disable the zarafa_setrlimit SELinux boolean, run the following command:
$ sudo setsebool -P zarafa_setrlimit off
Remediation Shell script:
# XCCDF value var_zarafa_setrlimit, set to the state the rule requires
var_zarafa_setrlimit="off"
setsebool -P zarafa_setrlimit $var_zarafa_setrlimit
Remediation Ansible snippet:
- name: XCCDF Value var_zarafa_setrlimit # promote to variable
  set_fact:
    var_zarafa_setrlimit: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_zarafa_setrlimit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean zarafa_setrlimit accordingly
  seboolean:
    name: zarafa_setrlimit
    state: '{{ var_zarafa_setrlimit }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_zarafa_setrlimit
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the samba_export_all_ro SELinux Boolean
By default, the SELinux boolean samba_export_all_ro is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P samba_export_all_ro off
Remediation Shell script:
# XCCDF value var_samba_export_all_ro, set to the state the rule requires
var_samba_export_all_ro="off"
setsebool -P samba_export_all_ro $var_samba_export_all_ro
Remediation Ansible snippet:
- name: XCCDF Value var_samba_export_all_ro # promote to variable
  set_fact:
    var_samba_export_all_ro: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_samba_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean samba_export_all_ro accordingly
  seboolean:
    name: samba_export_all_ro
    state: '{{ var_samba_export_all_ro }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_samba_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the zoneminder_anon_write SELinux Boolean
By default, the SELinux boolean zoneminder_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the zoneminder_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P zoneminder_anon_write off
Remediation Shell script:
# XCCDF value var_zoneminder_anon_write, set to the state the rule requires
var_zoneminder_anon_write="off"
setsebool -P zoneminder_anon_write $var_zoneminder_anon_write
Remediation Ansible snippet:
- name: XCCDF Value var_zoneminder_anon_write # promote to variable
  set_fact:
    var_zoneminder_anon_write: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_zoneminder_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean zoneminder_anon_write accordingly
  seboolean:
    name: zoneminder_anon_write
    state: '{{ var_zoneminder_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_zoneminder_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the daemons_enable_cluster_mode SELinux Boolean
By default, the SELinux boolean daemons_enable_cluster_mode is disabled.
If this setting is enabled, it should be disabled.
To disable the daemons_enable_cluster_mode SELinux boolean, run the following command:
$ sudo setsebool -P daemons_enable_cluster_mode off
Remediation Shell script:
# XCCDF value var_daemons_enable_cluster_mode, set to the state the rule requires
var_daemons_enable_cluster_mode="off"
setsebool -P daemons_enable_cluster_mode $var_daemons_enable_cluster_mode
Remediation Ansible snippet:
- name: XCCDF Value var_daemons_enable_cluster_mode # promote to variable
  set_fact:
    var_daemons_enable_cluster_mode: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_daemons_enable_cluster_mode
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean daemons_enable_cluster_mode accordingly
  seboolean:
    name: daemons_enable_cluster_mode
    state: '{{ var_daemons_enable_cluster_mode }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_daemons_enable_cluster_mode
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the use_fusefs_home_dirs SELinux Boolean
By default, the SELinux boolean use_fusefs_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the use_fusefs_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P use_fusefs_home_dirs off
Remediation Shell script:
# XCCDF value var_use_fusefs_home_dirs, set to the state the rule requires
var_use_fusefs_home_dirs="off"
setsebool -P use_fusefs_home_dirs $var_use_fusefs_home_dirs
Remediation Ansible snippet:
- name: XCCDF Value var_use_fusefs_home_dirs # promote to variable
  set_fact:
    var_use_fusefs_home_dirs: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_fusefs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean use_fusefs_home_dirs accordingly
  seboolean:
    name: use_fusefs_home_dirs
    state: '{{ var_use_fusefs_home_dirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_fusefs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the sanlock_use_fusefs SELinux Boolean
By default, the SELinux boolean sanlock_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the sanlock_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P sanlock_use_fusefs off
Remediation Shell script:
# XCCDF value var_sanlock_use_fusefs, set to the state the rule requires
var_sanlock_use_fusefs="off"
setsebool -P sanlock_use_fusefs $var_sanlock_use_fusefs
Remediation Ansible snippet:
- name: XCCDF Value var_sanlock_use_fusefs # promote to variable
  set_fact:
    var_sanlock_use_fusefs: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_sanlock_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean sanlock_use_fusefs accordingly
  seboolean:
    name: sanlock_use_fusefs
    state: '{{ var_sanlock_use_fusefs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_sanlock_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the tftp_home_dir SELinux Boolean
By default, the SELinux boolean tftp_home_dir is disabled.
If this setting is enabled, it should be disabled.
To disable the tftp_home_dir SELinux boolean, run the following command:
$ sudo setsebool -P tftp_home_dir off
Remediation Shell script:
# XCCDF value var_tftp_home_dir, set to the state the rule requires
var_tftp_home_dir="off"
setsebool -P tftp_home_dir $var_tftp_home_dir
Remediation Ansible snippet:
- name: XCCDF Value var_tftp_home_dir # promote to variable
  set_fact:
    var_tftp_home_dir: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tftp_home_dir
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean tftp_home_dir accordingly
  seboolean:
    name: tftp_home_dir
    state: '{{ var_tftp_home_dir }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tftp_home_dir
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the privoxy_connect_any SELinux Boolean
By default, the SELinux boolean privoxy_connect_any is enabled.
This setting should be disabled.
To disable the privoxy_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P privoxy_connect_any off
Remediation Shell script:
# XCCDF value var_privoxy_connect_any, set to the state the rule requires
var_privoxy_connect_any="off"
setsebool -P privoxy_connect_any $var_privoxy_connect_any
Remediation Ansible snippet:
- name: XCCDF Value var_privoxy_connect_any # promote to variable
  set_fact:
    var_privoxy_connect_any: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_privoxy_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean privoxy_connect_any accordingly
  seboolean:
    name: privoxy_connect_any
    state: '{{ var_privoxy_connect_any }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_privoxy_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the irc_use_any_tcp_ports SELinux Boolean
By default, the SELinux boolean irc_use_any_tcp_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the irc_use_any_tcp_ports SELinux boolean, run the following command:
$ sudo setsebool -P irc_use_any_tcp_ports off
Remediation Shell script:
# XCCDF value var_irc_use_any_tcp_ports, set to the state the rule requires
var_irc_use_any_tcp_ports="off"
setsebool -P irc_use_any_tcp_ports $var_irc_use_any_tcp_ports
Remediation Ansible snippet:
- name: XCCDF Value var_irc_use_any_tcp_ports # promote to variable
  set_fact:
    var_irc_use_any_tcp_ports: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_irc_use_any_tcp_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean irc_use_any_tcp_ports accordingly
  seboolean:
    name: irc_use_any_tcp_ports
    state: '{{ var_irc_use_any_tcp_ports }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_irc_use_any_tcp_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the abrt_upload_watch_anon_write SELinux Boolean
By default, the SELinux boolean abrt_upload_watch_anon_write is enabled.
This setting should be disabled, as it allows the Automatic Bug Report Tool (ABRT) to modify public files used for public file transfer services.
To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P abrt_upload_watch_anon_write off
References: NIST 800-171 3.7.2
Identifiers: CCE-80421-1
Remediation Shell script:
# XCCDF value var_abrt_upload_watch_anon_write, set to the state the rule requires
var_abrt_upload_watch_anon_write="off"
setsebool -P abrt_upload_watch_anon_write $var_abrt_upload_watch_anon_write
Remediation Ansible snippet:
- name: XCCDF Value var_abrt_upload_watch_anon_write # promote to variable
  set_fact:
    var_abrt_upload_watch_anon_write: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_abrt_upload_watch_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80421-1
    - NIST-800-171-3.7.2

- name: Set SELinux boolean abrt_upload_watch_anon_write accordingly
  seboolean:
    name: abrt_upload_watch_anon_write
    state: '{{ var_abrt_upload_watch_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_abrt_upload_watch_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80421-1
    - NIST-800-171-3.7.2
Disable the openshift_use_nfs SELinux Boolean
By default, the SELinux boolean openshift_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the openshift_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P openshift_use_nfs off
Remediation Shell script:
# XCCDF value var_openshift_use_nfs, set to the state the rule requires
var_openshift_use_nfs="off"
setsebool -P openshift_use_nfs $var_openshift_use_nfs
Remediation Ansible snippet:
- name: XCCDF Value var_openshift_use_nfs # promote to variable
  set_fact:
    var_openshift_use_nfs: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_openshift_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean openshift_use_nfs accordingly
  seboolean:
    name: openshift_use_nfs
    state: '{{ var_openshift_use_nfs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_openshift_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the unconfined_mozilla_plugin_transition SELinux Boolean
By default, the SELinux boolean unconfined_mozilla_plugin_transition is enabled.
If this setting is disabled, it should be enabled.
To enable the unconfined_mozilla_plugin_transition SELinux boolean, run the following command:
$ sudo setsebool -P unconfined_mozilla_plugin_transition on
Remediation Shell script:
# XCCDF value var_unconfined_mozilla_plugin_transition, set to the state the rule requires
var_unconfined_mozilla_plugin_transition="on"
setsebool -P unconfined_mozilla_plugin_transition $var_unconfined_mozilla_plugin_transition
Remediation Ansible snippet:
- name: XCCDF Value var_unconfined_mozilla_plugin_transition # promote to variable
  set_fact:
    var_unconfined_mozilla_plugin_transition: !!str on
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_unconfined_mozilla_plugin_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean unconfined_mozilla_plugin_transition accordingly
  seboolean:
    name: unconfined_mozilla_plugin_transition
    state: '{{ var_unconfined_mozilla_plugin_transition }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_unconfined_mozilla_plugin_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the openvpn_enable_homedirs SELinux Boolean
By default, the SELinux boolean openvpn_enable_homedirs is enabled.
This setting should be disabled.
To disable the openvpn_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P openvpn_enable_homedirs off
Remediation Shell script:
# XCCDF value var_openvpn_enable_homedirs, set to the state the rule requires
var_openvpn_enable_homedirs="off"
setsebool -P openvpn_enable_homedirs $var_openvpn_enable_homedirs
Remediation Ansible snippet:
- name: XCCDF Value var_openvpn_enable_homedirs # promote to variable
  set_fact:
    var_openvpn_enable_homedirs: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_openvpn_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean openvpn_enable_homedirs accordingly
  seboolean:
    name: openvpn_enable_homedirs
    state: '{{ var_openvpn_enable_homedirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_openvpn_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the conman_can_network SELinux Boolean
By default, the SELinux boolean conman_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the conman_can_network SELinux boolean, run the following command:
$ sudo setsebool -P conman_can_network off
Remediation Shell script:
# XCCDF value var_conman_can_network, set to the state the rule requires
var_conman_can_network="off"
setsebool -P conman_can_network $var_conman_can_network
Remediation Ansible snippet:
- name: XCCDF Value var_conman_can_network # promote to variable
  set_fact:
    var_conman_can_network: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_conman_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean conman_can_network accordingly
  seboolean:
    name: conman_can_network
    state: '{{ var_conman_can_network }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_conman_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the cobbler_can_network_connect SELinux Boolean
By default, the SELinux boolean cobbler_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the cobbler_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P cobbler_can_network_connect off
Remediation Shell script:
# XCCDF value var_cobbler_can_network_connect, set to the state the rule requires
var_cobbler_can_network_connect="off"
setsebool -P cobbler_can_network_connect $var_cobbler_can_network_connect
Remediation Ansible snippet:
- name: XCCDF Value var_cobbler_can_network_connect # promote to variable
  set_fact:
    var_cobbler_can_network_connect: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cobbler_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cobbler_can_network_connect accordingly
  seboolean:
    name: cobbler_can_network_connect
    state: '{{ var_cobbler_can_network_connect }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cobbler_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the daemons_use_tty SELinux Boolean
By default, the SELinux boolean daemons_use_tty is disabled.
If this setting is enabled, it should be disabled.
To disable the daemons_use_tty SELinux boolean, run the following command:
$ sudo setsebool -P daemons_use_tty off
Identifiers: CCE-82289-0
Remediation Shell script:
# XCCDF value var_daemons_use_tty, set to the state the rule requires
var_daemons_use_tty="off"
setsebool -P daemons_use_tty $var_daemons_use_tty
Remediation Ansible snippet:
- name: XCCDF Value var_daemons_use_tty # promote to variable
  set_fact:
    var_daemons_use_tty: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_daemons_use_tty
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82289-0

- name: Set SELinux boolean daemons_use_tty accordingly
  seboolean:
    name: daemons_use_tty
    state: '{{ var_daemons_use_tty }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_daemons_use_tty
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82289-0
Disable the ftpd_use_nfs SELinux Boolean
By default, the SELinux boolean ftpd_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_nfs off
Remediation Shell script:
# XCCDF value var_ftpd_use_nfs, set to the state the rule requires
var_ftpd_use_nfs="off"
setsebool -P ftpd_use_nfs $var_ftpd_use_nfs
Remediation Ansible snippet:
- name: XCCDF Value var_ftpd_use_nfs # promote to variable
  set_fact:
    var_ftpd_use_nfs: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean ftpd_use_nfs accordingly
  seboolean:
    name: ftpd_use_nfs
    state: '{{ var_ftpd_use_nfs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the mailman_use_fusefs SELinux Boolean
By default, the SELinux boolean mailman_use_fusefs is disabled.
If this setting is enabled, it should be disabled.
To disable the mailman_use_fusefs SELinux boolean, run the following command:
$ sudo setsebool -P mailman_use_fusefs off
Remediation Shell script:
# XCCDF value var_mailman_use_fusefs, set to the state the rule requires
var_mailman_use_fusefs="off"
setsebool -P mailman_use_fusefs $var_mailman_use_fusefs
Remediation Ansible snippet:
- name: XCCDF Value var_mailman_use_fusefs # promote to variable
  set_fact:
    var_mailman_use_fusefs: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mailman_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mailman_use_fusefs accordingly
  seboolean:
    name: mailman_use_fusefs
    state: '{{ var_mailman_use_fusefs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mailman_use_fusefs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the smbd_anon_write SELinux Boolean
By default, the SELinux boolean smbd_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the smbd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P smbd_anon_write off
Remediation Shell script:
# XCCDF value var_smbd_anon_write, set to the state the rule requires
var_smbd_anon_write="off"
setsebool -P smbd_anon_write $var_smbd_anon_write
Remediation Ansible snippet:
- name: XCCDF Value var_smbd_anon_write # promote to variable
  set_fact:
    var_smbd_anon_write: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_smbd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean smbd_anon_write accordingly
  seboolean:
    name: smbd_anon_write
    state: '{{ var_smbd_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_smbd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the httpd_graceful_shutdown SELinux Boolean
By default, the SELinux boolean httpd_graceful_shutdown is enabled.
If this setting is disabled, it should be enabled.
To enable the httpd_graceful_shutdown SELinux boolean, run the following command:
$ sudo setsebool -P httpd_graceful_shutdown on
Remediation Shell script:
# XCCDF value var_httpd_graceful_shutdown, set to the state the rule requires
var_httpd_graceful_shutdown="on"
setsebool -P httpd_graceful_shutdown $var_httpd_graceful_shutdown
Remediation Ansible snippet:
- name: XCCDF Value var_httpd_graceful_shutdown # promote to variable
  set_fact:
    var_httpd_graceful_shutdown: !!str on
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_graceful_shutdown
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_graceful_shutdown accordingly
  seboolean:
    name: httpd_graceful_shutdown
    state: '{{ var_httpd_graceful_shutdown }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_graceful_shutdown
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the selinuxuser_tcp_server SELinux Boolean
By default, the SELinux boolean selinuxuser_tcp_server is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_tcp_server SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_tcp_server off
Identifiers: CCE-82322-9
Remediation Shell script:
# XCCDF value var_selinuxuser_tcp_server, set to the state the rule requires
var_selinuxuser_tcp_server="off"
setsebool -P selinuxuser_tcp_server $var_selinuxuser_tcp_server
Remediation Ansible snippet:
- name: XCCDF Value var_selinuxuser_tcp_server # promote to variable
  set_fact:
    var_selinuxuser_tcp_server: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_tcp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82322-9

- name: Set SELinux boolean selinuxuser_tcp_server accordingly
  seboolean:
    name: selinuxuser_tcp_server
    state: '{{ var_selinuxuser_tcp_server }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_tcp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82322-9
Disable the webadm_manage_user_files SELinux Boolean
By default, the SELinux boolean webadm_manage_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the webadm_manage_user_files SELinux boolean, run the following command:
$ sudo setsebool -P webadm_manage_user_files off
Remediation Shell script:
# XCCDF value var_webadm_manage_user_files, set to the state the rule requires
var_webadm_manage_user_files="off"
setsebool -P webadm_manage_user_files $var_webadm_manage_user_files
Remediation Ansible snippet:
- name: XCCDF Value var_webadm_manage_user_files # promote to variable
  set_fact:
    var_webadm_manage_user_files: !!str off
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_webadm_manage_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean webadm_manage_user_files accordingly
  seboolean:
    name: webadm_manage_user_files
    state: '{{ var_webadm_manage_user_files }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_webadm_manage_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the cobbler_use_cifs SELinux Boolean

By default, the SELinux boolean cobbler_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the cobbler_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P cobbler_use_cifs off

Remediation Shell script:
var_cobbler_use_cifs=""
setsebool -P cobbler_use_cifs $var_cobbler_use_cifs

Remediation Ansible snippet:
- name: XCCDF Value var_cobbler_use_cifs # promote to variable
  set_fact:
    var_cobbler_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cobbler_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cobbler_use_cifs accordingly
  seboolean:
    name: cobbler_use_cifs
    state: '{{ var_cobbler_use_cifs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cobbler_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the cluster_use_execmem SELinux Boolean

By default, the SELinux boolean cluster_use_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the cluster_use_execmem SELinux boolean, run the following command:
$ sudo setsebool -P cluster_use_execmem off

Remediation Shell script:
var_cluster_use_execmem=""
setsebool -P cluster_use_execmem $var_cluster_use_execmem

Remediation Ansible snippet:
- name: XCCDF Value var_cluster_use_execmem # promote to variable
  set_fact:
    var_cluster_use_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cluster_use_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cluster_use_execmem accordingly
  seboolean:
    name: cluster_use_execmem
    state: '{{ var_cluster_use_execmem }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cluster_use_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the httpd_serve_cobbler_files SELinux Boolean

By default, the SELinux boolean httpd_serve_cobbler_files is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_serve_cobbler_files SELinux boolean, run the following command:
$ sudo setsebool -P httpd_serve_cobbler_files off

Remediation Shell script:
var_httpd_serve_cobbler_files=""
setsebool -P httpd_serve_cobbler_files $var_httpd_serve_cobbler_files

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_serve_cobbler_files # promote to variable
  set_fact:
    var_httpd_serve_cobbler_files: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_serve_cobbler_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_serve_cobbler_files accordingly
  seboolean:
    name: httpd_serve_cobbler_files
    state: '{{ var_httpd_serve_cobbler_files }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_serve_cobbler_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the irssi_use_full_network SELinux Boolean

By default, the SELinux boolean irssi_use_full_network is disabled.
If this setting is enabled, it should be disabled.
To disable the irssi_use_full_network SELinux boolean, run the following command:
$ sudo setsebool -P irssi_use_full_network off

Remediation Shell script:
var_irssi_use_full_network=""
setsebool -P irssi_use_full_network $var_irssi_use_full_network

Remediation Ansible snippet:
- name: XCCDF Value var_irssi_use_full_network # promote to variable
  set_fact:
    var_irssi_use_full_network: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_irssi_use_full_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean irssi_use_full_network accordingly
  seboolean:
    name: irssi_use_full_network
    state: '{{ var_irssi_use_full_network }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_irssi_use_full_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Configure the selinuxuser_direct_dri_enabled SELinux Boolean

By default, the SELinux boolean selinuxuser_direct_dri_enabled is enabled.
If XWindows is not installed or used on the system, this setting should be disabled.
Otherwise, enable it.
To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_direct_dri_enabled off

Identifiers: CCE-82311-2

Remediation Shell script:
var_selinuxuser_direct_dri_enabled=""
setsebool -P selinuxuser_direct_dri_enabled $var_selinuxuser_direct_dri_enabled

Remediation Ansible snippet:
- name: XCCDF Value var_selinuxuser_direct_dri_enabled # promote to variable
  set_fact:
    var_selinuxuser_direct_dri_enabled: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_direct_dri_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82311-2

- name: Set SELinux boolean selinuxuser_direct_dri_enabled accordingly
  seboolean:
    name: selinuxuser_direct_dri_enabled
    state: '{{ var_selinuxuser_direct_dri_enabled }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_direct_dri_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82311-2

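Every remediation in this section uses `setsebool -P` (the Ansible form sets `persistent: true`), so a boolean whose running value differs from its persistent value indicates a change that was made without `-P`, or one not yet applied to the running policy; either way the running state will not survive a reboot or policy reload. The shell function below is an added example, not from this guide or the scap-security-guide project, that parses the output of `semanage boolean -l`, whose second column pairs the current state with the persistent one, and reports any such drift. The function name `sebool_drift` and the sample output (with descriptions abbreviated) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): detect SELinux booleans whose running
# value differs from the persistent value stored in the policy store.
#
# Input is the output of `semanage boolean -l`. Data lines look like:
#   name    (on   ,  off)  Description...
# where the first value in parentheses is the current (running) state and the
# second is the persistent state that takes effect at boot.

# sebool_drift "<semanage boolean -l output>"
# Prints "NAME current=X persistent=Y" for every boolean whose two values differ,
# in input order. Exit status 0 when nothing has drifted, 1 otherwise.
sebool_drift() {
    printf '%s\n' "$1" | awk '
        # Only data lines carry the "(state , default)" pair in fields 2-4;
        # the header line and blank lines are skipped by this pattern.
        $2 ~ /^\(/ && $3 == "," {
            cur = substr($2, 2)                    # strip the leading "("
            per = substr($4, 1, length($4) - 1)    # strip the trailing ")"
            if (cur != per) {
                printf "%s current=%s persistent=%s\n", $1, cur, per
                n++
            }
        }
        END { exit n > 0 }'
}

# Constructed sample of `semanage boolean -l` output: two booleans have been
# changed at runtime only (or persistently only) and will not match after reboot.
SEMANAGE_SAMPLE='SELinux boolean                State  Default Description

domain_kernel_load_modules     (off  ,  off)  Allow all domains to load kernel modules
httpd_verify_dns               (off  ,  off)  Allow httpd to verify DNS
nscd_use_shm                   (on   ,   on)  Allow nscd to use shared memory
xguest_exec_content            (on   ,  off)  Allow xguest users to execute content
xserver_execmem                (off  ,   on)  Allow xserver to execute writable memory'

# Live use on an SELinux host:  sebool_drift "$(semanage boolean -l)"
```

Reporting drift separately from non-compliance matters for remediation: a boolean that is correct at runtime but wrong in the policy store passes a `getsebool` check today and fails after the next reboot, which is exactly the case `-P` exists to prevent.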
Disable the swift_can_network SELinux Boolean

By default, the SELinux boolean swift_can_network is disabled.
If this setting is enabled, it should be disabled.
To disable the swift_can_network SELinux boolean, run the following command:
$ sudo setsebool -P swift_can_network off

Remediation Shell script:
var_swift_can_network=""
setsebool -P swift_can_network $var_swift_can_network

Remediation Ansible snippet:
- name: XCCDF Value var_swift_can_network # promote to variable
  set_fact:
    var_swift_can_network: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_swift_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean swift_can_network accordingly
  seboolean:
    name: swift_can_network
    state: '{{ var_swift_can_network }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_swift_can_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Enable the spamd_enable_home_dirs SELinux Boolean

By default, the SELinux boolean spamd_enable_home_dirs is enabled.
If this setting is disabled, it should be enabled.
To enable the spamd_enable_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P spamd_enable_home_dirs on

Remediation Shell script:
var_spamd_enable_home_dirs=""
setsebool -P spamd_enable_home_dirs $var_spamd_enable_home_dirs

Remediation Ansible snippet:
- name: XCCDF Value var_spamd_enable_home_dirs # promote to variable
  set_fact:
    var_spamd_enable_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_spamd_enable_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean spamd_enable_home_dirs accordingly
  seboolean:
    name: spamd_enable_home_dirs
    state: '{{ var_spamd_enable_home_dirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_spamd_enable_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the virt_sandbox_use_sys_admin SELinux Boolean

By default, the SELinux boolean virt_sandbox_use_sys_admin is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_sys_admin SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_sys_admin off

Remediation Shell script:
var_virt_sandbox_use_sys_admin=""
setsebool -P virt_sandbox_use_sys_admin $var_virt_sandbox_use_sys_admin

Remediation Ansible snippet:
- name: XCCDF Value var_virt_sandbox_use_sys_admin # promote to variable
  set_fact:
    var_virt_sandbox_use_sys_admin: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_sandbox_use_sys_admin
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean virt_sandbox_use_sys_admin accordingly
  seboolean:
    name: virt_sandbox_use_sys_admin
    state: '{{ var_virt_sandbox_use_sys_admin }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_sandbox_use_sys_admin
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the xdm_bind_vnc_tcp_port SELinux Boolean

By default, the SELinux boolean xdm_bind_vnc_tcp_port is disabled.
If this setting is enabled, it should be disabled.
To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command:
$ sudo setsebool -P xdm_bind_vnc_tcp_port off

Identifiers: CCE-82333-6

Remediation Shell script:
var_xdm_bind_vnc_tcp_port=""
setsebool -P xdm_bind_vnc_tcp_port $var_xdm_bind_vnc_tcp_port

Remediation Ansible snippet:
- name: XCCDF Value var_xdm_bind_vnc_tcp_port # promote to variable
  set_fact:
    var_xdm_bind_vnc_tcp_port: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xdm_bind_vnc_tcp_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82333-6

- name: Set SELinux boolean xdm_bind_vnc_tcp_port accordingly
  seboolean:
    name: xdm_bind_vnc_tcp_port
    state: '{{ var_xdm_bind_vnc_tcp_port }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xdm_bind_vnc_tcp_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82333-6

Enable the nscd_use_shm SELinux Boolean

By default, the SELinux boolean nscd_use_shm is enabled.
If this setting is disabled, it should be enabled to allow nscd to use shared memory.
To enable the nscd_use_shm SELinux boolean, run the following command:
$ sudo setsebool -P nscd_use_shm on

Remediation Shell script:
var_nscd_use_shm=""
setsebool -P nscd_use_shm $var_nscd_use_shm

Remediation Ansible snippet:
- name: XCCDF Value var_nscd_use_shm # promote to variable
  set_fact:
    var_nscd_use_shm: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nscd_use_shm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean nscd_use_shm accordingly
  seboolean:
    name: nscd_use_shm
    state: '{{ var_nscd_use_shm }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nscd_use_shm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the cluster_manage_all_files SELinux Boolean

By default, the SELinux boolean cluster_manage_all_files is disabled.
If this setting is enabled, it should be disabled.
To disable the cluster_manage_all_files SELinux boolean, run the following command:
$ sudo setsebool -P cluster_manage_all_files off

Remediation Shell script:
var_cluster_manage_all_files=""
setsebool -P cluster_manage_all_files $var_cluster_manage_all_files

Remediation Ansible snippet:
- name: XCCDF Value var_cluster_manage_all_files # promote to variable
  set_fact:
    var_cluster_manage_all_files: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cluster_manage_all_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cluster_manage_all_files accordingly
  seboolean:
    name: cluster_manage_all_files
    state: '{{ var_cluster_manage_all_files }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cluster_manage_all_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the xserver_execmem SELinux Boolean

By default, the SELinux boolean xserver_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the xserver_execmem SELinux boolean, run the following command:
$ sudo setsebool -P xserver_execmem off

Identifiers: CCE-82342-7

Remediation Shell script:
var_xserver_execmem=""
setsebool -P xserver_execmem $var_xserver_execmem

Remediation Ansible snippet:
- name: XCCDF Value var_xserver_execmem # promote to variable
  set_fact:
    var_xserver_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xserver_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82342-7

- name: Set SELinux boolean xserver_execmem accordingly
  seboolean:
    name: xserver_execmem
    state: '{{ var_xserver_execmem }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xserver_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82342-7

Disable the cobbler_use_nfs SELinux Boolean

By default, the SELinux boolean cobbler_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the cobbler_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P cobbler_use_nfs off

Remediation Shell script:
var_cobbler_use_nfs=""
setsebool -P cobbler_use_nfs $var_cobbler_use_nfs

Remediation Ansible snippet:
- name: XCCDF Value var_cobbler_use_nfs # promote to variable
  set_fact:
    var_cobbler_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cobbler_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cobbler_use_nfs accordingly
  seboolean:
    name: cobbler_use_nfs
    state: '{{ var_cobbler_use_nfs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cobbler_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the cups_execmem SELinux Boolean

By default, the SELinux boolean cups_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the cups_execmem SELinux boolean, run the following command:
$ sudo setsebool -P cups_execmem off

Remediation Shell script:
var_cups_execmem=""
setsebool -P cups_execmem $var_cups_execmem

Remediation Ansible snippet:
- name: XCCDF Value var_cups_execmem # promote to variable
  set_fact:
    var_cups_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cups_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cups_execmem accordingly
  seboolean:
    name: cups_execmem
    state: '{{ var_cups_execmem }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cups_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the puppetmaster_use_db SELinux Boolean

By default, the SELinux boolean puppetmaster_use_db is disabled.
If this setting is enabled, it should be disabled.
To disable the puppetmaster_use_db SELinux boolean, run the following command:
$ sudo setsebool -P puppetmaster_use_db off

Remediation Shell script:
var_puppetmaster_use_db=""
setsebool -P puppetmaster_use_db $var_puppetmaster_use_db

Remediation Ansible snippet:
- name: XCCDF Value var_puppetmaster_use_db # promote to variable
  set_fact:
    var_puppetmaster_use_db: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_puppetmaster_use_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean puppetmaster_use_db accordingly
  seboolean:
    name: puppetmaster_use_db
    state: '{{ var_puppetmaster_use_db }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_puppetmaster_use_db
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the xserver_clients_write_xshm SELinux Boolean

By default, the SELinux boolean xserver_clients_write_xshm is disabled.
If this setting is enabled, it should be disabled.
To disable the xserver_clients_write_xshm SELinux boolean, run the following command:
$ sudo setsebool -P xserver_clients_write_xshm off

Identifiers: CCE-82341-9

Remediation Shell script:
var_xserver_clients_write_xshm=""
setsebool -P xserver_clients_write_xshm $var_xserver_clients_write_xshm

Remediation Ansible snippet:
- name: XCCDF Value var_xserver_clients_write_xshm # promote to variable
  set_fact:
    var_xserver_clients_write_xshm: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xserver_clients_write_xshm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82341-9

- name: Set SELinux boolean xserver_clients_write_xshm accordingly
  seboolean:
    name: xserver_clients_write_xshm
    state: '{{ var_xserver_clients_write_xshm }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xserver_clients_write_xshm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82341-9

Disable the use_ecryptfs_home_dirs SELinux Boolean

By default, the SELinux boolean use_ecryptfs_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P use_ecryptfs_home_dirs off

Identifiers: CCE-82331-0

Remediation Shell script:
var_use_ecryptfs_home_dirs=""
setsebool -P use_ecryptfs_home_dirs $var_use_ecryptfs_home_dirs

Remediation Ansible snippet:
- name: XCCDF Value var_use_ecryptfs_home_dirs # promote to variable
  set_fact:
    var_use_ecryptfs_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_ecryptfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82331-0

- name: Set SELinux boolean use_ecryptfs_home_dirs accordingly
  seboolean:
    name: use_ecryptfs_home_dirs
    state: '{{ var_use_ecryptfs_home_dirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_ecryptfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82331-0

Enable the dbadm_exec_content SELinux Boolean

By default, the SELinux boolean dbadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the dbadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P dbadm_exec_content on

Remediation Shell script:
var_dbadm_exec_content=""
setsebool -P dbadm_exec_content $var_dbadm_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_dbadm_exec_content # promote to variable
  set_fact:
    var_dbadm_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_dbadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean dbadm_exec_content accordingly
  seboolean:
    name: dbadm_exec_content
    state: '{{ var_dbadm_exec_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_dbadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the use_nfs_home_dirs SELinux Boolean

By default, the SELinux boolean use_nfs_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the use_nfs_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P use_nfs_home_dirs off

Remediation Shell script:
var_use_nfs_home_dirs=""
setsebool -P use_nfs_home_dirs $var_use_nfs_home_dirs

Remediation Ansible snippet:
- name: XCCDF Value var_use_nfs_home_dirs # promote to variable
  set_fact:
    var_use_nfs_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_nfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean use_nfs_home_dirs accordingly
  seboolean:
    name: use_nfs_home_dirs
    state: '{{ var_use_nfs_home_dirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_nfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the tor_can_network_relay SELinux Boolean

By default, the SELinux boolean tor_can_network_relay is disabled.
If this setting is enabled, it should be disabled.
To disable the tor_can_network_relay SELinux boolean, run the following command:
$ sudo setsebool -P tor_can_network_relay off

Remediation Shell script:
var_tor_can_network_relay=""
setsebool -P tor_can_network_relay $var_tor_can_network_relay

Remediation Ansible snippet:
- name: XCCDF Value var_tor_can_network_relay # promote to variable
  set_fact:
    var_tor_can_network_relay: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tor_can_network_relay
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean tor_can_network_relay accordingly
  seboolean:
    name: tor_can_network_relay
    state: '{{ var_tor_can_network_relay }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tor_can_network_relay
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the httpd_unified SELinux Boolean

By default, the SELinux boolean httpd_unified is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_unified SELinux boolean, run the following command:
$ sudo setsebool -P httpd_unified off

Remediation Shell script:
var_httpd_unified=""
setsebool -P httpd_unified $var_httpd_unified

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_unified # promote to variable
  set_fact:
    var_httpd_unified: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_unified
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_unified accordingly
  seboolean:
    name: httpd_unified
    state: '{{ var_httpd_unified }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_unified
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the mock_enable_homedirs SELinux Boolean

By default, the SELinux boolean mock_enable_homedirs is disabled.
If this setting is enabled, it should be disabled.
To disable the mock_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P mock_enable_homedirs off

Identifiers: CCE-82303-9

Remediation Shell script:
var_mock_enable_homedirs=""
setsebool -P mock_enable_homedirs $var_mock_enable_homedirs

Remediation Ansible snippet:
- name: XCCDF Value var_mock_enable_homedirs # promote to variable
  set_fact:
    var_mock_enable_homedirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mock_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82303-9

- name: Set SELinux boolean mock_enable_homedirs accordingly
  seboolean:
    name: mock_enable_homedirs
    state: '{{ var_mock_enable_homedirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mock_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82303-9

Disable the xguest_exec_content SELinux Boolean

By default, the SELinux boolean xguest_exec_content is enabled.
This setting should be disabled as guest users should not be able to run executables.
To disable the xguest_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P xguest_exec_content off

Identifiers: CCE-82338-5

Remediation Shell script:
var_xguest_exec_content=""
setsebool -P xguest_exec_content $var_xguest_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_xguest_exec_content # promote to variable
  set_fact:
    var_xguest_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xguest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82338-5

- name: Set SELinux boolean xguest_exec_content accordingly
  seboolean:
    name: xguest_exec_content
    state: '{{ var_xguest_exec_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xguest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82338-5

Disable the nagios_run_sudo SELinux Boolean

By default, the SELinux boolean nagios_run_sudo is disabled.
If this setting is enabled, it should be disabled.
To disable the nagios_run_sudo SELinux boolean, run the following command:
$ sudo setsebool -P nagios_run_sudo off

Remediation Shell script:
var_nagios_run_sudo=""
setsebool -P nagios_run_sudo $var_nagios_run_sudo

Remediation Ansible snippet:
- name: XCCDF Value var_nagios_run_sudo # promote to variable
  set_fact:
    var_nagios_run_sudo: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nagios_run_sudo
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean nagios_run_sudo accordingly
  seboolean:
    name: nagios_run_sudo
    state: '{{ var_nagios_run_sudo }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nagios_run_sudo
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the domain_kernel_load_modules SELinux Boolean

By default, the SELinux boolean domain_kernel_load_modules is disabled.
If this setting is enabled, it should be disabled.
To disable the domain_kernel_load_modules SELinux boolean, run the following command:
$ sudo setsebool -P domain_kernel_load_modules off

Identifiers: CCE-82293-2

Remediation Shell script:
var_domain_kernel_load_modules=""
setsebool -P domain_kernel_load_modules $var_domain_kernel_load_modules

Remediation Ansible snippet:
- name: XCCDF Value var_domain_kernel_load_modules # promote to variable
  set_fact:
    var_domain_kernel_load_modules: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_domain_kernel_load_modules
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82293-2

- name: Set SELinux boolean domain_kernel_load_modules accordingly
  seboolean:
    name: domain_kernel_load_modules
    state: '{{ var_domain_kernel_load_modules }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_domain_kernel_load_modules
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82293-2

Disable the httpd_verify_dns SELinux Boolean

By default, the SELinux boolean httpd_verify_dns is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_verify_dns SELinux boolean, run the following command:
$ sudo setsebool -P httpd_verify_dns off

Remediation Shell script:
var_httpd_verify_dns=""
setsebool -P httpd_verify_dns $var_httpd_verify_dns

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_verify_dns # promote to variable
  set_fact:
    var_httpd_verify_dns: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_verify_dns
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_verify_dns accordingly
  seboolean:
    name: httpd_verify_dns
    state: '{{ var_httpd_verify_dns }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_verify_dns
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the mpd_use_cifs SELinux Boolean

By default, the SELinux boolean mpd_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the mpd_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P mpd_use_cifs off

Remediation Shell script:
var_mpd_use_cifs=""
setsebool -P mpd_use_cifs $var_mpd_use_cifs

Remediation Ansible snippet:
- name: XCCDF Value var_mpd_use_cifs # promote to variable
  set_fact:
    var_mpd_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mpd_use_cifs accordingly
  seboolean:
    name: mpd_use_cifs
    state: '{{ var_mpd_use_cifs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Disable the xdm_write_home SELinux Boolean
By default, the SELinux boolean xdm_write_home is disabled.
If this setting is enabled, it should be disabled.
To disable the xdm_write_home SELinux boolean, run the following command:
$ sudo setsebool -P xdm_write_home off
CCE-82336-9

var_xdm_write_home=""
setsebool -P xdm_write_home $var_xdm_write_home

- name: XCCDF Value var_xdm_write_home # promote to variable
  set_fact:
    var_xdm_write_home: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xdm_write_home
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82336-9

- name: Set SELinux boolean xdm_write_home accordingly
  seboolean:
    name: xdm_write_home
    state: '{{ var_xdm_write_home }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xdm_write_home
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82336-9
Disable the polipo_use_nfs SELinux Boolean
By default, the SELinux boolean polipo_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P polipo_use_nfs off

var_polipo_use_nfs=""
setsebool -P polipo_use_nfs $var_polipo_use_nfs

- name: XCCDF Value var_polipo_use_nfs # promote to variable
  set_fact:
    var_polipo_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_polipo_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean polipo_use_nfs accordingly
  seboolean:
    name: polipo_use_nfs
    state: '{{ var_polipo_use_nfs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_polipo_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the squid_connect_any SELinux Boolean
By default, the SELinux boolean squid_connect_any is enabled.
This setting should be disabled as squid should only connect on specified ports.
To disable the squid_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P squid_connect_any off

var_squid_connect_any=""
setsebool -P squid_connect_any $var_squid_connect_any

- name: XCCDF Value var_squid_connect_any # promote to variable
  set_fact:
    var_squid_connect_any: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_squid_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean squid_connect_any accordingly
  seboolean:
    name: squid_connect_any
    state: '{{ var_squid_connect_any }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_squid_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the tftp_anon_write SELinux Boolean
By default, the SELinux boolean tftp_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the tftp_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P tftp_anon_write off

var_tftp_anon_write=""
setsebool -P tftp_anon_write $var_tftp_anon_write

- name: XCCDF Value var_tftp_anon_write # promote to variable
  set_fact:
    var_tftp_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tftp_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean tftp_anon_write accordingly
  seboolean:
    name: tftp_anon_write
    state: '{{ var_tftp_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_tftp_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the ftpd_connect_all_unreserved SELinux Boolean
By default, the SELinux boolean ftpd_connect_all_unreserved is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_connect_all_unreserved SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_connect_all_unreserved off

var_ftpd_connect_all_unreserved=""
setsebool -P ftpd_connect_all_unreserved $var_ftpd_connect_all_unreserved

- name: XCCDF Value var_ftpd_connect_all_unreserved # promote to variable
  set_fact:
    var_ftpd_connect_all_unreserved: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_connect_all_unreserved
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean ftpd_connect_all_unreserved accordingly
  seboolean:
    name: ftpd_connect_all_unreserved
    state: '{{ var_ftpd_connect_all_unreserved }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_connect_all_unreserved
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_can_connect_mythtv SELinux Boolean
By default, the SELinux boolean httpd_can_connect_mythtv is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_can_connect_mythtv SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_connect_mythtv off

var_httpd_can_connect_mythtv=""
setsebool -P httpd_can_connect_mythtv $var_httpd_can_connect_mythtv

- name: XCCDF Value var_httpd_can_connect_mythtv # promote to variable
  set_fact:
    var_httpd_can_connect_mythtv: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_connect_mythtv
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_can_connect_mythtv accordingly
  seboolean:
    name: httpd_can_connect_mythtv
    state: '{{ var_httpd_can_connect_mythtv }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_can_connect_mythtv
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the ksmtuned_use_cifs SELinux Boolean
By default, the SELinux boolean ksmtuned_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the ksmtuned_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P ksmtuned_use_cifs off

var_ksmtuned_use_cifs=""
setsebool -P ksmtuned_use_cifs $var_ksmtuned_use_cifs

- name: XCCDF Value var_ksmtuned_use_cifs # promote to variable
  set_fact:
    var_ksmtuned_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ksmtuned_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean ksmtuned_use_cifs accordingly
  seboolean:
    name: ksmtuned_use_cifs
    state: '{{ var_ksmtuned_use_cifs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ksmtuned_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the virt_use_rawip SELinux Boolean
By default, the SELinux boolean virt_use_rawip is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_rawip SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_rawip off

var_virt_use_rawip=""
setsebool -P virt_use_rawip $var_virt_use_rawip

- name: XCCDF Value var_virt_use_rawip # promote to variable
  set_fact:
    var_virt_use_rawip: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_use_rawip
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean virt_use_rawip accordingly
  seboolean:
    name: virt_use_rawip
    state: '{{ var_virt_use_rawip }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_use_rawip
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the domain_fd_use SELinux Boolean
By default, the SELinux boolean domain_fd_use is enabled.
If this setting is disabled, it should be enabled.
To enable the domain_fd_use SELinux boolean, run the following command:
$ sudo setsebool -P domain_fd_use on
CCE-82292-4

var_domain_fd_use=""
setsebool -P domain_fd_use $var_domain_fd_use

- name: XCCDF Value var_domain_fd_use # promote to variable
  set_fact:
    var_domain_fd_use: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_domain_fd_use
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82292-4

- name: Set SELinux boolean domain_fd_use accordingly
  seboolean:
    name: domain_fd_use
    state: '{{ var_domain_fd_use }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_domain_fd_use
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82292-4
Disable the polipo_use_cifs SELinux Boolean
By default, the SELinux boolean polipo_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P polipo_use_cifs off

var_polipo_use_cifs=""
setsebool -P polipo_use_cifs $var_polipo_use_cifs

- name: XCCDF Value var_polipo_use_cifs # promote to variable
  set_fact:
    var_polipo_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_polipo_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean polipo_use_cifs accordingly
  seboolean:
    name: polipo_use_cifs
    state: '{{ var_polipo_use_cifs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_polipo_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the samba_create_home_dirs SELinux Boolean
By default, the SELinux boolean samba_create_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_create_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P samba_create_home_dirs off

var_samba_create_home_dirs=""
setsebool -P samba_create_home_dirs $var_samba_create_home_dirs

- name: XCCDF Value var_samba_create_home_dirs # promote to variable
  set_fact:
    var_samba_create_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_samba_create_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean samba_create_home_dirs accordingly
  seboolean:
    name: samba_create_home_dirs
    state: '{{ var_samba_create_home_dirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_samba_create_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the mmap_low_allowed SELinux Boolean
By default, the SELinux boolean mmap_low_allowed is disabled.
If this setting is enabled, it should be disabled.
To disable the mmap_low_allowed SELinux boolean, run the following command:
$ sudo setsebool -P mmap_low_allowed off
CCE-82302-1

var_mmap_low_allowed=""
setsebool -P mmap_low_allowed $var_mmap_low_allowed

- name: XCCDF Value var_mmap_low_allowed # promote to variable
  set_fact:
    var_mmap_low_allowed: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mmap_low_allowed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82302-1

- name: Set SELinux boolean mmap_low_allowed accordingly
  seboolean:
    name: mmap_low_allowed
    state: '{{ var_mmap_low_allowed }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mmap_low_allowed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82302-1
Disable the selinuxuser_share_music SELinux Boolean
By default, the SELinux boolean selinuxuser_share_music is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_share_music SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_share_music off
CCE-82321-1

var_selinuxuser_share_music=""
setsebool -P selinuxuser_share_music $var_selinuxuser_share_music

- name: XCCDF Value var_selinuxuser_share_music # promote to variable
  set_fact:
    var_selinuxuser_share_music: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_share_music
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82321-1

- name: Set SELinux boolean selinuxuser_share_music accordingly
  seboolean:
    name: selinuxuser_share_music
    state: '{{ var_selinuxuser_share_music }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_share_music
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82321-1
Disable the ftpd_use_cifs SELinux Boolean
By default, the SELinux boolean ftpd_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_use_cifs off

var_ftpd_use_cifs=""
setsebool -P ftpd_use_cifs $var_ftpd_use_cifs

- name: XCCDF Value var_ftpd_use_cifs # promote to variable
  set_fact:
    var_ftpd_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean ftpd_use_cifs accordingly
  seboolean:
    name: ftpd_use_cifs
    state: '{{ var_ftpd_use_cifs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the xend_run_blktap SELinux Boolean
By default, the SELinux boolean xend_run_blktap is enabled.
If this setting is disabled, it should be enabled.
To enable the xend_run_blktap SELinux boolean, run the following command:
$ sudo setsebool -P xend_run_blktap on

var_xend_run_blktap=""
setsebool -P xend_run_blktap $var_xend_run_blktap

- name: XCCDF Value var_xend_run_blktap # promote to variable
  set_fact:
    var_xend_run_blktap: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xend_run_blktap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean xend_run_blktap accordingly
  seboolean:
    name: xend_run_blktap
    state: '{{ var_xend_run_blktap }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xend_run_blktap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the mcelog_client SELinux Boolean
By default, the SELinux boolean mcelog_client is disabled.
If this setting is enabled, it should be disabled.
To disable the mcelog_client SELinux boolean, run the following command:
$ sudo setsebool -P mcelog_client off

var_mcelog_client=""
setsebool -P mcelog_client $var_mcelog_client

- name: XCCDF Value var_mcelog_client # promote to variable
  set_fact:
    var_mcelog_client: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mcelog_client
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mcelog_client accordingly
  seboolean:
    name: mcelog_client
    state: '{{ var_mcelog_client }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mcelog_client
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the cluster_can_network_connect SELinux Boolean
By default, the SELinux boolean cluster_can_network_connect is disabled.
If this setting is enabled, it should be disabled.
To disable the cluster_can_network_connect SELinux boolean, run the following command:
$ sudo setsebool -P cluster_can_network_connect off

var_cluster_can_network_connect=""
setsebool -P cluster_can_network_connect $var_cluster_can_network_connect

- name: XCCDF Value var_cluster_can_network_connect # promote to variable
  set_fact:
    var_cluster_can_network_connect: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cluster_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cluster_can_network_connect accordingly
  seboolean:
    name: cluster_can_network_connect
    state: '{{ var_cluster_can_network_connect }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cluster_can_network_connect
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the selinuxuser_execmod SELinux Boolean
By default, the SELinux boolean selinuxuser_execmod is enabled.
If this setting is disabled, it should be enabled.
To enable the selinuxuser_execmod SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execmod on
164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
CCE-82313-8

var_selinuxuser_execmod=""
setsebool -P selinuxuser_execmod $var_selinuxuser_execmod

- name: XCCDF Value var_selinuxuser_execmod # promote to variable
  set_fact:
    var_selinuxuser_execmod: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_execmod
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82313-8

- name: Set SELinux boolean selinuxuser_execmod accordingly
  seboolean:
    name: selinuxuser_execmod
    state: '{{ var_selinuxuser_execmod }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_execmod
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82313-8
Disable the httpd_use_nfs SELinux Boolean
By default, the SELinux boolean httpd_use_nfs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_nfs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_nfs off

var_httpd_use_nfs=""
setsebool -P httpd_use_nfs $var_httpd_use_nfs

- name: XCCDF Value var_httpd_use_nfs # promote to variable
  set_fact:
    var_httpd_use_nfs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_use_nfs accordingly
  seboolean:
    name: httpd_use_nfs
    state: '{{ var_httpd_use_nfs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_nfs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the cobbler_anon_write SELinux Boolean
By default, the SELinux boolean cobbler_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the cobbler_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P cobbler_anon_write off

var_cobbler_anon_write=""
setsebool -P cobbler_anon_write $var_cobbler_anon_write

- name: XCCDF Value var_cobbler_anon_write # promote to variable
  set_fact:
    var_cobbler_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cobbler_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cobbler_anon_write accordingly
  seboolean:
    name: cobbler_anon_write
    state: '{{ var_cobbler_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cobbler_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the selinuxuser_udp_server SELinux Boolean
By default, the SELinux boolean selinuxuser_udp_server is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_udp_server SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_udp_server off
CCE-82323-7

var_selinuxuser_udp_server=""
setsebool -P selinuxuser_udp_server $var_selinuxuser_udp_server

- name: XCCDF Value var_selinuxuser_udp_server # promote to variable
  set_fact:
    var_selinuxuser_udp_server: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_udp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82323-7

- name: Set SELinux boolean selinuxuser_udp_server accordingly
  seboolean:
    name: selinuxuser_udp_server
    state: '{{ var_selinuxuser_udp_server }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_udp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82323-7
Enable the gssd_read_tmp SELinux Boolean
By default, the SELinux boolean gssd_read_tmp is enabled.
This setting allows gssd processes to access Kerberos to read TGTs in the temp directory.
If this setting is disabled, it should be enabled.
To enable the gssd_read_tmp SELinux boolean, run the following command:
$ sudo setsebool -P gssd_read_tmp on

var_gssd_read_tmp=""
setsebool -P gssd_read_tmp $var_gssd_read_tmp

- name: XCCDF Value var_gssd_read_tmp # promote to variable
  set_fact:
    var_gssd_read_tmp: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_gssd_read_tmp
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean gssd_read_tmp accordingly
  seboolean:
    name: gssd_read_tmp
    state: '{{ var_gssd_read_tmp }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_gssd_read_tmp
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the logadm_exec_content SELinux Boolean
By default, the SELinux boolean logadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the logadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P logadm_exec_content on
CCE-82298-1

var_logadm_exec_content=""
setsebool -P logadm_exec_content $var_logadm_exec_content

- name: XCCDF Value var_logadm_exec_content # promote to variable
  set_fact:
    var_logadm_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_logadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82298-1

- name: Set SELinux boolean logadm_exec_content accordingly
  seboolean:
    name: logadm_exec_content
    state: '{{ var_logadm_exec_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_logadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82298-1
Disable the use_samba_home_dirs SELinux Boolean
By default, the SELinux boolean use_samba_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the use_samba_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P use_samba_home_dirs off

var_use_samba_home_dirs=""
setsebool -P use_samba_home_dirs $var_use_samba_home_dirs

- name: XCCDF Value var_use_samba_home_dirs # promote to variable
  set_fact:
    var_use_samba_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_samba_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean use_samba_home_dirs accordingly
  seboolean:
    name: use_samba_home_dirs
    state: '{{ var_use_samba_home_dirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_samba_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the virt_use_execmem SELinux Boolean
By default, the SELinux boolean virt_use_execmem is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_execmem SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_execmem off

var_virt_use_execmem=""
setsebool -P virt_use_execmem $var_virt_use_execmem

- name: XCCDF Value var_virt_use_execmem # promote to variable
  set_fact:
    var_virt_use_execmem: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_use_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean virt_use_execmem accordingly
  seboolean:
    name: virt_use_execmem
    state: '{{ var_virt_use_execmem }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_use_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the secure_mode SELinux Boolean
By default, the SELinux boolean secure_mode is disabled.
If this setting is enabled, it should be disabled.
To disable the secure_mode SELinux boolean, run the following command:
$ sudo setsebool -P secure_mode off
CCE-82307-0

var_secure_mode=""
setsebool -P secure_mode $var_secure_mode

- name: XCCDF Value var_secure_mode # promote to variable
  set_fact:
    var_secure_mode: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_secure_mode
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82307-0

- name: Set SELinux boolean secure_mode accordingly
  seboolean:
    name: secure_mode
    state: '{{ var_secure_mode }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_secure_mode
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82307-0
Disable the samba_enable_home_dirs SELinux Boolean
By default, the SELinux boolean samba_enable_home_dirs is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_enable_home_dirs SELinux boolean, run the following command:
$ sudo setsebool -P samba_enable_home_dirs off

var_samba_enable_home_dirs=""
setsebool -P samba_enable_home_dirs $var_samba_enable_home_dirs

- name: XCCDF Value var_samba_enable_home_dirs # promote to variable
  set_fact:
    var_samba_enable_home_dirs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_samba_enable_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean samba_enable_home_dirs accordingly
  seboolean:
    name: samba_enable_home_dirs
    state: '{{ var_samba_enable_home_dirs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_samba_enable_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the virt_use_sanlock SELinux Boolean

By default, the SELinux boolean virt_use_sanlock is disabled.
If this setting is enabled, it should be disabled.
To disable the virt_use_sanlock SELinux boolean, run the following command:
$ sudo setsebool -P virt_use_sanlock off

Remediation Shell script:
var_virt_use_sanlock=""
setsebool -P virt_use_sanlock $var_virt_use_sanlock

Remediation Ansible snippet:
- name: XCCDF Value var_virt_use_sanlock # promote to variable
  set_fact:
    var_virt_use_sanlock: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_use_sanlock
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean virt_use_sanlock accordingly
  seboolean:
    name: virt_use_sanlock
    state: '{{ var_virt_use_sanlock }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_virt_use_sanlock
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the saslauthd_read_shadow SELinux Boolean

By default, the SELinux boolean saslauthd_read_shadow is disabled.
If this setting is enabled, it should be disabled.
To disable the saslauthd_read_shadow SELinux boolean, run the following command:
$ sudo setsebool -P saslauthd_read_shadow off

Remediation Shell script:
var_saslauthd_read_shadow=""
setsebool -P saslauthd_read_shadow $var_saslauthd_read_shadow

Remediation Ansible snippet:
- name: XCCDF Value var_saslauthd_read_shadow # promote to variable
  set_fact:
    var_saslauthd_read_shadow: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_saslauthd_read_shadow
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean saslauthd_read_shadow accordingly
  seboolean:
    name: saslauthd_read_shadow
    state: '{{ var_saslauthd_read_shadow }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_saslauthd_read_shadow
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the telepathy_connect_all_ports SELinux Boolean

By default, the SELinux boolean telepathy_connect_all_ports is disabled.
If this setting is enabled, it should be disabled.
To disable the telepathy_connect_all_ports SELinux boolean, run the following command:
$ sudo setsebool -P telepathy_connect_all_ports off

Remediation Shell script:
var_telepathy_connect_all_ports=""
setsebool -P telepathy_connect_all_ports $var_telepathy_connect_all_ports

Remediation Ansible snippet:
- name: XCCDF Value var_telepathy_connect_all_ports # promote to variable
  set_fact:
    var_telepathy_connect_all_ports: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_telepathy_connect_all_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean telepathy_connect_all_ports accordingly
  seboolean:
    name: telepathy_connect_all_ports
    state: '{{ var_telepathy_connect_all_ports }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_telepathy_connect_all_ports
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the named_write_master_zones SELinux Boolean

By default, the SELinux boolean named_write_master_zones is disabled.
If this setting is enabled, it should be disabled.
To disable the named_write_master_zones SELinux boolean, run the following command:
$ sudo setsebool -P named_write_master_zones off

Remediation Shell script:
var_named_write_master_zones=""
setsebool -P named_write_master_zones $var_named_write_master_zones

Remediation Ansible snippet:
- name: XCCDF Value var_named_write_master_zones # promote to variable
  set_fact:
    var_named_write_master_zones: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_named_write_master_zones
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean named_write_master_zones accordingly
  seboolean:
    name: named_write_master_zones
    state: '{{ var_named_write_master_zones }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_named_write_master_zones
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the polipo_session_users SELinux Boolean

By default, the SELinux boolean polipo_session_users is disabled.
If this setting is enabled, it should be disabled.
To disable the polipo_session_users SELinux boolean, run the following command:
$ sudo setsebool -P polipo_session_users off

Remediation Shell script:
var_polipo_session_users=""
setsebool -P polipo_session_users $var_polipo_session_users

Remediation Ansible snippet:
- name: XCCDF Value var_polipo_session_users # promote to variable
  set_fact:
    var_polipo_session_users: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_polipo_session_users
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean polipo_session_users accordingly
  seboolean:
    name: polipo_session_users
    state: '{{ var_polipo_session_users }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_polipo_session_users
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the sysadm_exec_content SELinux Boolean

By default, the SELinux boolean sysadm_exec_content is enabled.
If this setting is disabled, it should be enabled.
To enable the sysadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P sysadm_exec_content on
Identifiers: CCE-82329-4

Remediation Shell script:
var_sysadm_exec_content=""
setsebool -P sysadm_exec_content $var_sysadm_exec_content

Remediation Ansible snippet:
- name: XCCDF Value var_sysadm_exec_content # promote to variable
  set_fact:
    var_sysadm_exec_content: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_sysadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82329-4

- name: Set SELinux boolean sysadm_exec_content accordingly
  seboolean:
    name: sysadm_exec_content
    state: '{{ var_sysadm_exec_content }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_sysadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82329-4
Disable the xguest_use_bluetooth SELinux Boolean

By default, the SELinux boolean xguest_use_bluetooth is enabled.
This setting should be disabled, as guest users should not be able to access
or use bluetooth.
To disable the xguest_use_bluetooth SELinux boolean, run the following command:
$ sudo setsebool -P xguest_use_bluetooth off
Identifiers: CCE-82340-1

Remediation Shell script:
var_xguest_use_bluetooth=""
setsebool -P xguest_use_bluetooth $var_xguest_use_bluetooth

Remediation Ansible snippet:
- name: XCCDF Value var_xguest_use_bluetooth # promote to variable
  set_fact:
    var_xguest_use_bluetooth: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xguest_use_bluetooth
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82340-1

- name: Set SELinux boolean xguest_use_bluetooth accordingly
  seboolean:
    name: xguest_use_bluetooth
    state: '{{ var_xguest_use_bluetooth }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xguest_use_bluetooth
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82340-1
Disable the unprivuser_use_svirt SELinux Boolean

By default, the SELinux boolean unprivuser_use_svirt is disabled.
If this setting is enabled, it should be disabled.
To disable the unprivuser_use_svirt SELinux boolean, run the following command:
$ sudo setsebool -P unprivuser_use_svirt off

Remediation Shell script:
var_unprivuser_use_svirt=""
setsebool -P unprivuser_use_svirt $var_unprivuser_use_svirt

Remediation Ansible snippet:
- name: XCCDF Value var_unprivuser_use_svirt # promote to variable
  set_fact:
    var_unprivuser_use_svirt: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_unprivuser_use_svirt
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean unprivuser_use_svirt accordingly
  seboolean:
    name: unprivuser_use_svirt
    state: '{{ var_unprivuser_use_svirt }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_unprivuser_use_svirt
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the kerberos_enabled SELinux Boolean

By default, the SELinux boolean kerberos_enabled is enabled.
If this setting is disabled, it should be enabled to allow confined
applications to run with Kerberos.
To enable the kerberos_enabled SELinux boolean, run the following command:
$ sudo setsebool -P kerberos_enabled on
Identifiers: CCE-82296-5

Remediation Shell script:
var_kerberos_enabled=""
setsebool -P kerberos_enabled $var_kerberos_enabled

Remediation Ansible snippet:
- name: XCCDF Value var_kerberos_enabled # promote to variable
  set_fact:
    var_kerberos_enabled: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_kerberos_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82296-5

- name: Set SELinux boolean kerberos_enabled accordingly
  seboolean:
    name: kerberos_enabled
    state: '{{ var_kerberos_enabled }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_kerberos_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82296-5
Disable the use_lpd_server SELinux Boolean

By default, the SELinux boolean use_lpd_server is disabled.
If this setting is enabled, it should be disabled.
To disable the use_lpd_server SELinux boolean, run the following command:
$ sudo setsebool -P use_lpd_server off

Remediation Shell script:
var_use_lpd_server=""
setsebool -P use_lpd_server $var_use_lpd_server

Remediation Ansible snippet:
- name: XCCDF Value var_use_lpd_server # promote to variable
  set_fact:
    var_use_lpd_server: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_lpd_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean use_lpd_server accordingly
  seboolean:
    name: use_lpd_server
    state: '{{ var_use_lpd_server }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_use_lpd_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the sanlock_use_samba SELinux Boolean

By default, the SELinux boolean sanlock_use_samba is disabled.
If this setting is enabled, it should be disabled.
To disable the sanlock_use_samba SELinux boolean, run the following command:
$ sudo setsebool -P sanlock_use_samba off

Remediation Shell script:
var_sanlock_use_samba=""
setsebool -P sanlock_use_samba $var_sanlock_use_samba

Remediation Ansible snippet:
- name: XCCDF Value var_sanlock_use_samba # promote to variable
  set_fact:
    var_sanlock_use_samba: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_sanlock_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean sanlock_use_samba accordingly
  seboolean:
    name: sanlock_use_samba
    state: '{{ var_sanlock_use_samba }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_sanlock_use_samba
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the ftpd_anon_write SELinux Boolean

By default, the SELinux boolean ftpd_anon_write is disabled.
If this setting is enabled, it should be disabled.
To disable the ftpd_anon_write SELinux boolean, run the following command:
$ sudo setsebool -P ftpd_anon_write off

Remediation Shell script:
var_ftpd_anon_write=""
setsebool -P ftpd_anon_write $var_ftpd_anon_write

Remediation Ansible snippet:
- name: XCCDF Value var_ftpd_anon_write # promote to variable
  set_fact:
    var_ftpd_anon_write: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean ftpd_anon_write accordingly
  seboolean:
    name: ftpd_anon_write
    state: '{{ var_ftpd_anon_write }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_ftpd_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the selinuxuser_execheap SELinux Boolean

By default, the SELinux boolean selinuxuser_execheap is disabled.
If this setting is enabled, it should be disabled.
To disable the selinuxuser_execheap SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_execheap off
Identifiers: CCE-82312-0
References: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)

Remediation Shell script:
var_selinuxuser_execheap=""
setsebool -P selinuxuser_execheap $var_selinuxuser_execheap

Remediation Ansible snippet:
- name: XCCDF Value var_selinuxuser_execheap # promote to variable
  set_fact:
    var_selinuxuser_execheap: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_execheap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82312-0

- name: Set SELinux boolean selinuxuser_execheap accordingly
  seboolean:
    name: selinuxuser_execheap
    state: '{{ var_selinuxuser_execheap }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_selinuxuser_execheap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82312-0
Disable the mcelog_foreground SELinux Boolean

By default, the SELinux boolean mcelog_foreground is disabled.
If this setting is enabled, it should be disabled.
To disable the mcelog_foreground SELinux boolean, run the following command:
$ sudo setsebool -P mcelog_foreground off

Remediation Shell script:
var_mcelog_foreground=""
setsebool -P mcelog_foreground $var_mcelog_foreground

Remediation Ansible snippet:
- name: XCCDF Value var_mcelog_foreground # promote to variable
  set_fact:
    var_mcelog_foreground: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mcelog_foreground
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean mcelog_foreground accordingly
  seboolean:
    name: mcelog_foreground
    state: '{{ var_mcelog_foreground }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_mcelog_foreground
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the varnishd_connect_any SELinux Boolean

By default, the SELinux boolean varnishd_connect_any is disabled.
If this setting is enabled, it should be disabled.
To disable the varnishd_connect_any SELinux boolean, run the following command:
$ sudo setsebool -P varnishd_connect_any off

Remediation Shell script:
var_varnishd_connect_any=""
setsebool -P varnishd_connect_any $var_varnishd_connect_any

Remediation Ansible snippet:
- name: XCCDF Value var_varnishd_connect_any # promote to variable
  set_fact:
    var_varnishd_connect_any: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_varnishd_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean varnishd_connect_any accordingly
  seboolean:
    name: varnishd_connect_any
    state: '{{ var_varnishd_connect_any }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_varnishd_connect_any
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean

By default, the SELinux boolean httpd_mod_auth_ntlm_winbind is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_mod_auth_ntlm_winbind SELinux boolean, run the following command:
$ sudo setsebool -P httpd_mod_auth_ntlm_winbind off

Remediation Shell script:
var_httpd_mod_auth_ntlm_winbind=""
setsebool -P httpd_mod_auth_ntlm_winbind $var_httpd_mod_auth_ntlm_winbind

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_mod_auth_ntlm_winbind # promote to variable
  set_fact:
    var_httpd_mod_auth_ntlm_winbind: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_mod_auth_ntlm_winbind
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_mod_auth_ntlm_winbind accordingly
  seboolean:
    name: httpd_mod_auth_ntlm_winbind
    state: '{{ var_httpd_mod_auth_ntlm_winbind }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_mod_auth_ntlm_winbind
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_use_openstack SELinux Boolean

By default, the SELinux boolean httpd_use_openstack is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_openstack SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_openstack off

Remediation Shell script:
var_httpd_use_openstack=""
setsebool -P httpd_use_openstack $var_httpd_use_openstack

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_use_openstack # promote to variable
  set_fact:
    var_httpd_use_openstack: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_openstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_use_openstack accordingly
  seboolean:
    name: httpd_use_openstack
    state: '{{ var_httpd_use_openstack }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_openstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the httpd_use_cifs SELinux Boolean

By default, the SELinux boolean httpd_use_cifs is disabled.
If this setting is enabled, it should be disabled.
To disable the httpd_use_cifs SELinux boolean, run the following command:
$ sudo setsebool -P httpd_use_cifs off

Remediation Shell script:
var_httpd_use_cifs=""
setsebool -P httpd_use_cifs $var_httpd_use_cifs

Remediation Ansible snippet:
- name: XCCDF Value var_httpd_use_cifs # promote to variable
  set_fact:
    var_httpd_use_cifs: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean httpd_use_cifs accordingly
  seboolean:
    name: httpd_use_cifs
    state: '{{ var_httpd_use_cifs }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_httpd_use_cifs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean

By default, the SELinux boolean postgresql_selinux_unconfined_dbadm is enabled.
If this setting is disabled, it should be enabled as it allows Database Administrators to
execute Data Manipulation Language (DML) statements.
To enable the postgresql_selinux_unconfined_dbadm SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_selinux_unconfined_dbadm on

Remediation Shell script:
var_postgresql_selinux_unconfined_dbadm=""
setsebool -P postgresql_selinux_unconfined_dbadm $var_postgresql_selinux_unconfined_dbadm

Remediation Ansible snippet:
- name: XCCDF Value var_postgresql_selinux_unconfined_dbadm # promote to variable
  set_fact:
    var_postgresql_selinux_unconfined_dbadm: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_postgresql_selinux_unconfined_dbadm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean postgresql_selinux_unconfined_dbadm accordingly
  seboolean:
    name: postgresql_selinux_unconfined_dbadm
    state: '{{ var_postgresql_selinux_unconfined_dbadm }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_postgresql_selinux_unconfined_dbadm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the nfs_export_all_ro SELinux Boolean

By default, the SELinux boolean nfs_export_all_ro is enabled.
If this setting is disabled, it should be enabled as it allows NFS to
export read-only mounts.
To enable the nfs_export_all_ro SELinux boolean, run the following command:
$ sudo setsebool -P nfs_export_all_ro on

Remediation Shell script:
var_nfs_export_all_ro=""
setsebool -P nfs_export_all_ro $var_nfs_export_all_ro

Remediation Ansible snippet:
- name: XCCDF Value var_nfs_export_all_ro # promote to variable
  set_fact:
    var_nfs_export_all_ro: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nfs_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean nfs_export_all_ro accordingly
  seboolean:
    name: nfs_export_all_ro
    state: '{{ var_nfs_export_all_ro }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_nfs_export_all_ro
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the daemons_dump_core SELinux Boolean

By default, the SELinux boolean daemons_dump_core is disabled.
If this setting is enabled, it should be disabled.
To disable the daemons_dump_core SELinux boolean, run the following command:
$ sudo setsebool -P daemons_dump_core off
Identifiers: CCE-82287-4

Remediation Shell script:
var_daemons_dump_core=""
setsebool -P daemons_dump_core $var_daemons_dump_core

Remediation Ansible snippet:
- name: XCCDF Value var_daemons_dump_core # promote to variable
  set_fact:
    var_daemons_dump_core: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_daemons_dump_core
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82287-4

- name: Set SELinux boolean daemons_dump_core accordingly
  seboolean:
    name: daemons_dump_core
    state: '{{ var_daemons_dump_core }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_daemons_dump_core
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82287-4
Enable the postfix_local_write_mail_spool SELinux Boolean

By default, the SELinux boolean postfix_local_write_mail_spool is enabled.
If this setting is disabled, it should be enabled as it allows Postfix to write
to the mail spool directories.
To enable the postfix_local_write_mail_spool SELinux boolean, run the following command:
$ sudo setsebool -P postfix_local_write_mail_spool on

Remediation Shell script:
var_postfix_local_write_mail_spool=""
setsebool -P postfix_local_write_mail_spool $var_postfix_local_write_mail_spool

Remediation Ansible snippet:
- name: XCCDF Value var_postfix_local_write_mail_spool # promote to variable
  set_fact:
    var_postfix_local_write_mail_spool: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_postfix_local_write_mail_spool
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean postfix_local_write_mail_spool accordingly
  seboolean:
    name: postfix_local_write_mail_spool
    state: '{{ var_postfix_local_write_mail_spool }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_postfix_local_write_mail_spool
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable the xend_run_qemu SELinux Boolean

By default, the SELinux boolean xend_run_qemu is enabled.
If this setting is disabled, it should be enabled.
To enable the xend_run_qemu SELinux boolean, run the following command:
$ sudo setsebool -P xend_run_qemu on

Remediation Shell script:
var_xend_run_qemu=""
setsebool -P xend_run_qemu $var_xend_run_qemu

Remediation Ansible snippet:
- name: XCCDF Value var_xend_run_qemu # promote to variable
  set_fact:
    var_xend_run_qemu: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xend_run_qemu
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean xend_run_qemu accordingly
  seboolean:
    name: xend_run_qemu
    state: '{{ var_xend_run_qemu }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_xend_run_qemu
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the samba_export_all_rw SELinux Boolean

By default, the SELinux boolean samba_export_all_rw is disabled.
If this setting is enabled, it should be disabled.
To disable the samba_export_all_rw SELinux boolean, run the following command:
$ sudo setsebool -P samba_export_all_rw off

Remediation Shell script:
var_samba_export_all_rw=""
setsebool -P samba_export_all_rw $var_samba_export_all_rw

Remediation Ansible snippet:
- name: XCCDF Value var_samba_export_all_rw # promote to variable
  set_fact:
    var_samba_export_all_rw: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_samba_export_all_rw
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean samba_export_all_rw accordingly
  seboolean:
    name: samba_export_all_rw
    state: '{{ var_samba_export_all_rw }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_samba_export_all_rw
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the exim_read_user_files SELinux Boolean

By default, the SELinux boolean exim_read_user_files is disabled.
If this setting is enabled, it should be disabled.
To disable the exim_read_user_files SELinux boolean, run the following command:
$ sudo setsebool -P exim_read_user_files off

Remediation Shell script:
var_exim_read_user_files=""
setsebool -P exim_read_user_files $var_exim_read_user_files

Remediation Ansible snippet:
- name: XCCDF Value var_exim_read_user_files # promote to variable
  set_fact:
    var_exim_read_user_files: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_exim_read_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean exim_read_user_files accordingly
  seboolean:
    name: exim_read_user_files
    state: '{{ var_exim_read_user_files }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_exim_read_user_files
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the cvs_read_shadow SELinux Boolean

By default, the SELinux boolean cvs_read_shadow is disabled.
If this setting is enabled, it should be disabled.
To disable the cvs_read_shadow SELinux boolean, run the following command:
$ sudo setsebool -P cvs_read_shadow off

Remediation Shell script:
var_cvs_read_shadow=""
setsebool -P cvs_read_shadow $var_cvs_read_shadow

Remediation Ansible snippet:
- name: XCCDF Value var_cvs_read_shadow # promote to variable
  set_fact:
    var_cvs_read_shadow: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cvs_read_shadow
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean cvs_read_shadow accordingly
  seboolean:
    name: cvs_read_shadow
    state: '{{ var_cvs_read_shadow }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_cvs_read_shadow
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the racoon_read_shadow SELinux Boolean

By default, the SELinux boolean racoon_read_shadow is disabled.
If this setting is enabled, it should be disabled.
To disable the racoon_read_shadow SELinux boolean, run the following command:
$ sudo setsebool -P racoon_read_shadow off

Remediation Shell script:
var_racoon_read_shadow=""
setsebool -P racoon_read_shadow $var_racoon_read_shadow

Remediation Ansible snippet:
- name: XCCDF Value var_racoon_read_shadow # promote to variable
  set_fact:
    var_racoon_read_shadow: !!str
  tags:
    - always

- name: Ensure libsemanage-python installed
  package:
    name: libsemanage-python
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_racoon_read_shadow
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

- name: Set SELinux boolean racoon_read_shadow accordingly
  seboolean:
    name: racoon_read_shadow
    state: '{{ var_racoon_read_shadow }}'
    persistent: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sebool_racoon_read_shadow
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Disable the exim_can_connect_db SELinux Boolean
By default, the SELinux boolean exim_can_connect_db is disabled. When enabled it lets
the exim mail daemon connect to database servers such as MySQL and PostgreSQL.
If this setting is enabled, it should be disabled.
To disable the exim_can_connect_db SELinux boolean, run the following command:
$ sudo setsebool -P exim_can_connect_db off
var_exim_can_connect_db=""
setsebool -P exim_can_connect_db $var_exim_can_connect_db
- name: XCCDF Value var_exim_can_connect_db # promote to variable
set_fact:
var_exim_can_connect_db: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_exim_can_connect_db
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean exim_can_connect_db accordingly
seboolean:
name: exim_can_connect_db
state: '{{ var_exim_can_connect_db }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_exim_can_connect_db
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the git_system_enable_homedirs SELinux Boolean
By default, the SELinux boolean git_system_enable_homedirs is disabled. When enabled
it lets the system git daemon serve repositories located in user home directories.
If this setting is enabled, it should be disabled.
To disable the git_system_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P git_system_enable_homedirs off
var_git_system_enable_homedirs=""
setsebool -P git_system_enable_homedirs $var_git_system_enable_homedirs
- name: XCCDF Value var_git_system_enable_homedirs # promote to variable
set_fact:
var_git_system_enable_homedirs: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_git_system_enable_homedirs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean git_system_enable_homedirs accordingly
seboolean:
name: git_system_enable_homedirs
state: '{{ var_git_system_enable_homedirs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_git_system_enable_homedirs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Enable the fips_mode SELinux Boolean
By default, the SELinux boolean fips_mode is enabled.
This allows all SELinux domains to execute in fips_mode.
If this setting is disabled, it should be enabled. Note that this boolean only adjusts
SELinux policy; it does not place the kernel's cryptographic modules in FIPS mode,
which on Red Hat Enterprise Linux 7 requires the dracut-fips package and fips=1 on the
kernel command line.
To enable the fips_mode SELinux boolean, run the following command:
$ sudo setsebool -P fips_mode on
References: CIS Controls 13; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; NIST SP 800-171 3.13.11; ISA-62443-3-3 SR 5.2; ISO/IEC 27001 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12; NIST CSF PR.DS-5
CCE-80418-7
var_fips_mode=""
setsebool -P fips_mode $var_fips_mode
- name: XCCDF Value var_fips_mode # promote to variable
set_fact:
var_fips_mode: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_fips_mode
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80418-7
- NIST-800-171-3.13.11
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-IA-7
- NIST-800-53-SC-13
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- name: Set SELinux boolean fips_mode accordingly
seboolean:
name: fips_mode
state: '{{ var_fips_mode }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_fips_mode
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80418-7
- NIST-800-171-3.13.11
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-IA-7
- NIST-800-53-SC-13
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
Disable the httpd_can_network_connect_cobbler SELinux Boolean
By default, the SELinux boolean httpd_can_network_connect_cobbler is disabled. When
enabled it lets the httpd domain open network connections to a Cobbler server.
If this setting is enabled, it should be disabled.
To disable the httpd_can_network_connect_cobbler SELinux boolean, run the following command:
$ sudo setsebool -P httpd_can_network_connect_cobbler off
var_httpd_can_network_connect_cobbler=""
setsebool -P httpd_can_network_connect_cobbler $var_httpd_can_network_connect_cobbler
- name: XCCDF Value var_httpd_can_network_connect_cobbler # promote to variable
set_fact:
var_httpd_can_network_connect_cobbler: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_can_network_connect_cobbler
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean httpd_can_network_connect_cobbler accordingly
seboolean:
name: httpd_can_network_connect_cobbler
state: '{{ var_httpd_can_network_connect_cobbler }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_httpd_can_network_connect_cobbler
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the polyinstantiation_enabled SELinux Boolean
By default, the SELinux boolean polyinstantiation_enabled is disabled. It enables policy
support for polyinstantiated directories (per-user or per-level /tmp and /var/tmp as set
up by pam_namespace); leave it off unless that mechanism is actually in use.
If this setting is enabled, it should be disabled.
To disable the polyinstantiation_enabled SELinux boolean, run the following command:
$ sudo setsebool -P polyinstantiation_enabled off
CCE-82305-4
var_polyinstantiation_enabled=""
setsebool -P polyinstantiation_enabled $var_polyinstantiation_enabled
- name: XCCDF Value var_polyinstantiation_enabled # promote to variable
set_fact:
var_polyinstantiation_enabled: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_polyinstantiation_enabled
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82305-4
- name: Set SELinux boolean polyinstantiation_enabled accordingly
seboolean:
name: polyinstantiation_enabled
state: '{{ var_polyinstantiation_enabled }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_polyinstantiation_enabled
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82305-4
Disable the icecast_use_any_tcp_ports SELinux Boolean
By default, the SELinux boolean icecast_use_any_tcp_ports is disabled. When enabled it
lets the Icecast streaming server use any TCP port instead of only its labelled ones.
If this setting is enabled, it should be disabled.
To disable the icecast_use_any_tcp_ports SELinux boolean, run the following command:
$ sudo setsebool -P icecast_use_any_tcp_ports off
var_icecast_use_any_tcp_ports=""
setsebool -P icecast_use_any_tcp_ports $var_icecast_use_any_tcp_ports
- name: XCCDF Value var_icecast_use_any_tcp_ports # promote to variable
set_fact:
var_icecast_use_any_tcp_ports: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_icecast_use_any_tcp_ports
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean icecast_use_any_tcp_ports accordingly
seboolean:
name: icecast_use_any_tcp_ports
state: '{{ var_icecast_use_any_tcp_ports }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_icecast_use_any_tcp_ports
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the secure_mode_insmod SELinux Boolean
By default, the SELinux boolean secure_mode_insmod is disabled.
If this setting is enabled, it should be disabled.
To disable the secure_mode_insmod SELinux boolean, run the following command:
$ sudo setsebool -P secure_mode_insmod off
References: ANSSI BP-028 NT28(R67)
CCE-82308-8
var_secure_mode_insmod=""
setsebool -P secure_mode_insmod $var_secure_mode_insmod
- name: XCCDF Value var_secure_mode_insmod # promote to variable
set_fact:
var_secure_mode_insmod: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_secure_mode_insmod
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82308-8
- name: Set SELinux boolean secure_mode_insmod accordingly
seboolean:
name: secure_mode_insmod
state: '{{ var_secure_mode_insmod }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_secure_mode_insmod
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82308-8
Disable the authlogin_nsswitch_use_ldap SELinux Boolean
By default, the SELinux boolean authlogin_nsswitch_use_ldap is disabled. When enabled it
lets confined programs that resolve users and groups through the name service switch
connect to an LDAP server. On a system that does obtain accounts from LDAP (for example
through nslcd), disabling it breaks those lookups, so document the exception there.
If this setting is enabled, it should be disabled.
To disable the authlogin_nsswitch_use_ldap SELinux boolean, run the following command:
$ sudo setsebool -P authlogin_nsswitch_use_ldap off
References: NIST SP 800-171 3.7.2
CCE-80425-2
var_authlogin_nsswitch_use_ldap=""
setsebool -P authlogin_nsswitch_use_ldap $var_authlogin_nsswitch_use_ldap
- name: XCCDF Value var_authlogin_nsswitch_use_ldap # promote to variable
set_fact:
var_authlogin_nsswitch_use_ldap: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_authlogin_nsswitch_use_ldap
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80425-2
- NIST-800-171-3.7.2
- name: Set SELinux boolean authlogin_nsswitch_use_ldap accordingly
seboolean:
name: authlogin_nsswitch_use_ldap
state: '{{ var_authlogin_nsswitch_use_ldap }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_authlogin_nsswitch_use_ldap
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80425-2
- NIST-800-171-3.7.2
Disable the virt_sandbox_use_mknod SELinux Boolean
By default, the SELinux boolean virt_sandbox_use_mknod is disabled. When enabled it lets
sandboxed container domains create device nodes with mknod.
If this setting is enabled, it should be disabled.
To disable the virt_sandbox_use_mknod SELinux boolean, run the following command:
$ sudo setsebool -P virt_sandbox_use_mknod off
var_virt_sandbox_use_mknod=""
setsebool -P virt_sandbox_use_mknod $var_virt_sandbox_use_mknod
- name: XCCDF Value var_virt_sandbox_use_mknod # promote to variable
set_fact:
var_virt_sandbox_use_mknod: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_sandbox_use_mknod
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean virt_sandbox_use_mknod accordingly
seboolean:
name: virt_sandbox_use_mknod
state: '{{ var_virt_sandbox_use_mknod }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_virt_sandbox_use_mknod
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Enable the selinuxuser_ping SELinux Boolean
By default, the SELinux boolean selinuxuser_ping is enabled.
If this setting is disabled, it should be enabled as it allows confined users
to use ping and traceroute which is helpful for network troubleshooting.
To enable the selinuxuser_ping SELinux boolean, run the following command:
$ sudo setsebool -P selinuxuser_ping on
CCE-82318-7
var_selinuxuser_ping=""
setsebool -P selinuxuser_ping $var_selinuxuser_ping
- name: XCCDF Value var_selinuxuser_ping # promote to variable
set_fact:
var_selinuxuser_ping: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_selinuxuser_ping
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82318-7
- name: Set SELinux boolean selinuxuser_ping accordingly
seboolean:
name: selinuxuser_ping
state: '{{ var_selinuxuser_ping }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_selinuxuser_ping
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82318-7
Disable the logging_syslogd_run_nagios_plugins SELinux Boolean
By default, the SELinux boolean logging_syslogd_run_nagios_plugins is disabled. When
enabled it lets the syslog daemon execute Nagios plugins.
If this setting is enabled, it should be disabled.
To disable the logging_syslogd_run_nagios_plugins SELinux boolean, run the following command:
$ sudo setsebool -P logging_syslogd_run_nagios_plugins off
var_logging_syslogd_run_nagios_plugins=""
setsebool -P logging_syslogd_run_nagios_plugins $var_logging_syslogd_run_nagios_plugins
- name: XCCDF Value var_logging_syslogd_run_nagios_plugins # promote to variable
set_fact:
var_logging_syslogd_run_nagios_plugins: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_logging_syslogd_run_nagios_plugins
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean logging_syslogd_run_nagios_plugins accordingly
seboolean:
name: logging_syslogd_run_nagios_plugins
state: '{{ var_logging_syslogd_run_nagios_plugins }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_logging_syslogd_run_nagios_plugins
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the mpd_enable_homedirs SELinux Boolean
By default, the SELinux boolean mpd_enable_homedirs is disabled. When enabled it lets the
Music Player Daemon read content in user home directories.
If this setting is enabled, it should be disabled.
To disable the mpd_enable_homedirs SELinux boolean, run the following command:
$ sudo setsebool -P mpd_enable_homedirs off
var_mpd_enable_homedirs=""
setsebool -P mpd_enable_homedirs $var_mpd_enable_homedirs
- name: XCCDF Value var_mpd_enable_homedirs # promote to variable
set_fact:
var_mpd_enable_homedirs: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mpd_enable_homedirs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean mpd_enable_homedirs accordingly
seboolean:
name: mpd_enable_homedirs
state: '{{ var_mpd_enable_homedirs }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_mpd_enable_homedirs
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the kdumpgui_run_bootloader SELinux Boolean
By default, the SELinux boolean kdumpgui_run_bootloader is disabled. When enabled it lets
the kdump configuration GUI run the boot loader tools to rewrite the boot configuration.
If this setting is enabled, it should be disabled.
To disable the kdumpgui_run_bootloader SELinux boolean, run the following command:
$ sudo setsebool -P kdumpgui_run_bootloader off
var_kdumpgui_run_bootloader=""
setsebool -P kdumpgui_run_bootloader $var_kdumpgui_run_bootloader
- name: XCCDF Value var_kdumpgui_run_bootloader # promote to variable
set_fact:
var_kdumpgui_run_bootloader: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_kdumpgui_run_bootloader
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean kdumpgui_run_bootloader accordingly
seboolean:
name: kdumpgui_run_bootloader
state: '{{ var_kdumpgui_run_bootloader }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_kdumpgui_run_bootloader
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Enable the secadm_exec_content SELinux Boolean
By default, the SELinux boolean secadm_exec_content is enabled. It lets users in the
secadm role execute files in their home directories and /tmp.
If this setting is disabled, it should be enabled.
To enable the secadm_exec_content SELinux boolean, run the following command:
$ sudo setsebool -P secadm_exec_content on
CCE-82306-2
var_secadm_exec_content=""
setsebool -P secadm_exec_content $var_secadm_exec_content
- name: XCCDF Value var_secadm_exec_content # promote to variable
set_fact:
var_secadm_exec_content: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_secadm_exec_content
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82306-2
- name: Set SELinux boolean secadm_exec_content accordingly
seboolean:
name: secadm_exec_content
state: '{{ var_secadm_exec_content }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_secadm_exec_content
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82306-2
Disable the postgresql_selinux_transmit_client_label SELinux Boolean
By default, the SELinux boolean postgresql_selinux_transmit_client_label is disabled.
When enabled it lets PostgreSQL transmit the connecting client's security label to a
foreign database.
If this setting is enabled, it should be disabled.
To disable the postgresql_selinux_transmit_client_label SELinux boolean, run the following command:
$ sudo setsebool -P postgresql_selinux_transmit_client_label off
var_postgresql_selinux_transmit_client_label=""
setsebool -P postgresql_selinux_transmit_client_label $var_postgresql_selinux_transmit_client_label
- name: XCCDF Value var_postgresql_selinux_transmit_client_label # promote to variable
set_fact:
var_postgresql_selinux_transmit_client_label: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_postgresql_selinux_transmit_client_label
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean postgresql_selinux_transmit_client_label accordingly
seboolean:
name: postgresql_selinux_transmit_client_label
state: '{{ var_postgresql_selinux_transmit_client_label }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_postgresql_selinux_transmit_client_label
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Disable the git_session_users SELinux Boolean
By default, the SELinux boolean git_session_users is disabled. When enabled it lets
unprivileged users run the git daemon from their own sessions.
If this setting is enabled, it should be disabled.
To disable the git_session_users SELinux boolean, run the following command:
$ sudo setsebool -P git_session_users off
var_git_session_users=""
setsebool -P git_session_users $var_git_session_users
- name: XCCDF Value var_git_session_users # promote to variable
set_fact:
var_git_session_users: !!str
tags:
- always
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_git_session_users
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- name: Set SELinux boolean git_session_users accordingly
seboolean:
name: git_session_users
state: '{{ var_git_session_users }}'
persistent: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sebool_git_session_users
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
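The boolean rules above each end in a single setsebool -P, but on a fleet the useful first step is to find out which booleans have drifted from the desired state before writing anything to the policy store. The script below is an added example and is not part of the scap-security-guide: it compares the output of getsebool -a against a desired-state list and emits only the setsebool commands that are actually needed. The policy list is an assumed subset of the rules above, the sample getsebool output is constructed, and the entry git_session_user (without the trailing s) is a deliberate typo to show how an unknown boolean is reported rather than passed to setsebool, which would fail on it.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): SELinux boolean drift audit.

# Desired state, one "name state" pair per line. Assumed subset of the rules
# above; the last entry is a deliberate misspelling (see lead-in).
SEBOOL_POLICY='cvs_read_shadow off
racoon_read_shadow off
exim_can_connect_db off
git_system_enable_homedirs off
fips_mode on
authlogin_nsswitch_use_ldap off
selinuxuser_ping on
git_session_user off'

# Constructed stand-in for `getsebool -a` output on a host that has drifted.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> on
cvs_read_shadow --> off
exim_can_connect_db --> on
fips_mode --> on
git_session_users --> off
git_system_enable_homedirs --> off
racoon_read_shadow --> off
selinuxuser_ping --> off'

# sebool_drift POLICY  (reads getsebool -a output on stdin)
# Prints "name current expected" for every boolean whose state differs from
# POLICY and "name missing expected" for booleans the loaded policy does not
# define (a typo, or a policy module that is not installed).
sebool_drift() {
    policy=$1
    # keep only well-formed "name --> on|off" lines
    current=$(awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $1, $3 }')
    printf '%s\n' "$policy" | while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$have" ]; then
            printf '%s missing %s\n' "$name" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$have" "$want"
        fi
    done
}

# sebool_remediation POLICY  (reads getsebool -a output on stdin)
# Turns the drift report into the persistent setsebool commands the rules
# prescribe, skipping booleans the running policy does not know about.
sebool_remediation() {
    sebool_drift "$1" | awk '$2 != "missing" { printf "setsebool -P %s %s\n", $1, $3 }'
}

# On a real host:  getsebool -a | sebool_remediation "$SEBOOL_POLICY"
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_GETSEBOOL" | sebool_drift "$SEBOOL_POLICY"
```

Pipe the remediation output into sh only after reviewing it; setsebool -P rewrites the policy store, so confirm each change afterwards with getsebool on the boolean in question, and re-run the drift check after policy package updates, which can add booleans the list does not cover.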
Set Boot Loader Password
During the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default Red Hat Enterprise Linux 7 boot loader for x86 systems is GRUB 2
(the grub2 packages). Options it can pass to the kernel include single-user
mode and parameters such as init=/bin/sh, which provide root access without
any authentication, and selinux=0 or enforcing=0, which disable SELinux
or its enforcement. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly.
Account and Access Control
In traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under
Red Hat Enterprise Linux 7.
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the /etc/passwd and
/etc/shadow files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary.
Restrict Root Logins
Direct root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use su or sudo to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The login program
uses the file /etc/securetty to determine which interfaces
should allow root logins.
The virtual devices /dev/console
and /dev/tty* represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains /dev/vc/*.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Root should also be prohibited from connecting
via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH.
Ensure that System Accounts Are Locked
Some accounts are not associated with a human user of the system, and exist to
perform some administrative function. An attacker should not be able to log into
these accounts.
System accounts are those user accounts with a user ID
less than UID_MIN, where the value of the UID_MIN directive is set in the
/etc/login.defs configuration file. In the default Red Hat Enterprise Linux 7
configuration UID_MIN is set to 1000, thus system accounts are those user accounts
with a user ID less than 1000 (older releases shipped 500; read the file rather than
assuming). An account is unlocked when its password field in /etc/shadow holds a
usable hash, that is, one not prefixed with ! or *. If any system account SYSACCT
(other than root) has an unlocked password, disable it with the command:
$ sudo passwd -l SYSACCT
Note that passwd -l only blocks password authentication; an SSH authorized key
for the account still works, so also remove such keys or set the shell to
/sbin/nologin as described in the next rule.
References: NIST SP 800-53 AC-6, CM-6(a)
Rationale: Disabling authentication for default system accounts makes it more difficult
for attackers to make use of them to compromise a system.
CCE-80650-5
Root Path Must Be Vendor Default
Assuming root's shell is bash, edit the following files:
~/.profile
~/.bashrc
(on Red Hat systems root's login shell also reads ~/.bash_profile)
Change any PATH variables to the vendor default for root and remove any
empty PATH entries or references to relative paths. An empty entry or a relative
component such as . makes the shell search the current working directory, so a
file planted there under a common command name would run as root.
References: CIS Controls 18; COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03; ISA-62443-2-1 4.3.4.3.3; ISO/IEC 27001 A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5; NIST SP 800-53 CM-6(a); NIST CSF PR.IP-2
Rationale: The root account's executable search path must be the vendor default, and must
contain only absolute paths.
CCE-80210-8
Direct root Logins Not Allowed
To further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
because a user could then log in as root via Telnet, which sends the password in
plain text over the network. By default, Red Hat Enterprise Linux 7's
/etc/securetty file only allows the root user to login at the console
physically attached to the system. To prevent direct root logins, remove the
contents of this file but keep the file itself: an empty file denies root on
every device, whereas a missing file allows root on all of them. Note that
"sudo echo > /etc/securetty" does not work, because the redirection is performed
by the unprivileged calling shell rather than by sudo; run the truncation as root:
$ sudo sh -c '> /etc/securetty'
References: ANSSI BP-028 NT28(R19); CIS Benchmark 5.5; CIS Controls 1, 12, 15, 16, 5; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; NIST SP 800-171 3.1.1, 3.1.6; HIPAA 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); ISA-62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; ISA-62443-3-3 SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001 A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 IA-2, CM-6(a); NIST CSF PR.AC-1, PR.AC-6, PR.AC-7
Rationale: Disabling direct root logins ensures proper accountability and multifactor
authentication to privileged accounts. Users will first login, then escalate
to privileged (root) access via su / sudo. This is required for FISMA Low
and FISMA Moderate systems.
CCE-27294-8
Remediation shell script (runs as root):
echo > /etc/securetty
Remediation Ansible snippet:
- name: Test for existence of /etc/securetty
  stat:
    path: /etc/securetty
  register: securetty_empty
  tags:
    - no_direct_root_logins
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27294-8
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.6
    - NIST-800-53-IA-2
    - NIST-800-53-CM-6(a)
- name: Direct root Logins Not Allowed
  copy:
    dest: /etc/securetty
    content: ''
  # A missing file lets root log in everywhere, so create it empty in that case
  # as well; the original condition dereferenced stat.size on a missing file,
  # which makes the task fail instead of remediating.
  when: not securetty_empty.stat.exists or securetty_empty.stat.size > 1
  tags:
    - no_direct_root_logins
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27294-8
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.6
    - NIST-800-53-IA-2
    - NIST-800-53-CM-6(a)
Remediation Kubernetes snippet (OpenShift MachineConfig writing an empty /etc/securetty):
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
        - contents:
            source: data:,
          filesystem: root
          mode: 0600
          path: /etc/securetty
Restrict Web Browser Use for Administrative Accounts
Enforce policy requiring administrative accounts use web browsers only for
local service administration.
Rationale: If a browser vulnerability is exploited while running with administrative privileges,
the entire system could be compromised. Specific exceptions for local service
administration should be documented in site-defined policy.
CCE-80209-0
Ensure that System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human user of the system, and exist to
perform some administrative function. Should an attacker be able to log into
these accounts, they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line
in /etc/passwd. System accounts are those user accounts with a user ID
less than UID_MIN, where the value of the UID_MIN directive is set in the
/etc/login.defs configuration file. In the default configuration UID_MIN is set
to 1000, thus system accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
SYSACCT (other than root) has a login shell, disable it with the
command:
$ sudo usermod -s /sbin/nologin SYSACCT
Warning: Do not perform the steps in this section on the root account. Doing so might
cause the system to become inaccessible.
References: CIS Benchmark 5.4.2; CIS Controls 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8; COBIT 5 DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03; ISA-62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4; ISA-62443-3-3 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2; ISO/IEC 27001 A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST SP 800-53 AC-6, CM-6(a); NIST CSF DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6
Rationale: Ensuring shells are not given to system accounts upon login makes it more
difficult for attackers to make use of system accounts.
CCE-82015-9
Restrict Virtual Console Root Logins
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4
References: CIS Controls 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; NIST SP 800-171 3.1.1, 3.1.5; DISA CCI-000770; HIPAA 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); ISA-62443-2-1 4.3.3.7.3; ISA-62443-3-3 SR 2.1, SR 5.2; ISO/IEC 27001 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 AC-6, CM-6(a); NIST CSF PR.AC-4, PR.DS-5; DISA SRG-OS-000324-GPOS-00125
Rationale: Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account.
CCE-27318-5
Remediation shell script:
sed -i '/^vc\//d' /etc/securetty
Remediation Ansible snippet:
- name: Restrict Virtual Console Root Logins
  lineinfile:
    dest: /etc/securetty
    regexp: ^vc
    state: absent
  tags:
    - securetty_root_login_console_only
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27318-5
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-6
    - NIST-800-53-CM-6(a)
Restrict Serial Port Root Logins
To restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty:
ttyS0
ttyS1
References: CIS Controls 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; NIST SP 800-171 3.1.1, 3.1.5; DISA CCI-000770; HIPAA 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); ISA-62443-2-1 4.3.3.7.3; ISA-62443-3-3 SR 2.1, SR 5.2; ISO/IEC 27001 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 AC-6, CM-6(a); NIST CSF PR.AC-4, PR.DS-5
Rationale: Preventing direct root login to serial port interfaces
helps ensure accountability for actions taken on the systems
using the root account.
CCE-27268-2
Remediation shell script:
sed -i '/ttyS/d' /etc/securetty
Remediation Ansible snippet:
- name: Restrict Serial Port Root Logins
  lineinfile:
    dest: /etc/securetty
    regexp: ttyS[0-9]
    state: absent
  tags:
    - restrict_serial_port_logins
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27268-2
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-6
    - NIST-800-53-CM-6(a)
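The three /etc/securetty rules above ("Direct root Logins Not Allowed", "Restrict Virtual Console Root Logins" and "Restrict Serial Port Root Logins") all hinge on one detail of pam_securetty: a missing file allows root everywhere, an empty file denies root everywhere, and a populated file allows root only on the listed devices, named without their /dev/ prefix. The script below is an added example, not scap-security-guide code: it models that decision so the three states can be compared on a scratch copy, and applies the prescribed edits through a temporary file so an interrupted run cannot leave a truncated (and therefore unintentionally root-denying) file. The sample file contents are constructed; the model leaves out pam_securetty's extra lookup of /sys/class/tty/console/active for the "console" entry.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): pam_securetty semantics and
# safe edits for /etc/securetty.

# root_login_allowed FILE TTY -> exit 0 if root may log in on TTY
#   FILE absent  : pam_securetty is a no-op, root may log in on any tty
#   FILE present : root may log in only if TTY (minus /dev/) is listed,
#                  so an empty file denies root on every tty
root_login_allowed() {
    file=$1
    tty=${2#/dev/}
    [ -e "$file" ] || return 0
    grep -Fqx -- "$tty" "$file"
}

# securetty_harden FILE -> apply the vc/N and ttySN rules in place.
# Exit 0 if the file changed, 1 if it was already compliant.
securetty_harden() {
    file=$1
    tmp="$file.tmp.$$"
    # grep exits 1 when no line survives; an empty result is legitimate here
    grep -Ev '^(vc/|ttyS)[0-9]+$' "$file" > "$tmp" || :
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$file"
}

# securetty_disable_root FILE -> "Direct root Logins Not Allowed": truncate,
# never delete. Must run as root (sudo sh -c '...'); "sudo echo > FILE" fails
# because the redirection is done by the caller's unprivileged shell.
securetty_disable_root() {
    : > "$1"
}

# Offline demonstration on a constructed RHEL 7-style securetty file.
demo_securetty() {
    dir=$(mktemp -d)
    f="$dir/securetty"
    printf 'console\ntty1\ntty2\nvc/1\nvc/2\nttyS0\n' > "$f"
    root_login_allowed "$f" /dev/ttyS0 && echo "serial: root allowed by default file"
    securetty_harden "$f" && echo "hardened: $(tr '\n' ' ' < "$f")"
    root_login_allowed "$f" /dev/ttyS0 || echo "serial: root denied"
    root_login_allowed "$f" tty1 && echo "tty1: root still allowed"
    securetty_disable_root "$f"
    root_login_allowed "$f" tty1 || echo "tty1: root denied by empty file"
    rm -f "$f"
    root_login_allowed "$f" ttyS0 && echo "file absent: root allowed everywhere"
    rm -rf "$dir"
}

demo_securetty
```

To check a live host without modifying it, call root_login_allowed /etc/securetty against the device names from who or from /sys/class/tty/console/active; the exit status also makes a usable compliance probe for a scheduled job.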
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned.
References: CIS Benchmark 6.2.5; CIS Controls 1, 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10; NIST SP 800-171 3.1.1, 3.1.5; DISA CCI-000366; ISA-62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4; ISA-62443-3-3 SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2; ISO/IEC 27001 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST SP 800-53 IA-2, AC-6(5), IA-4(b); NIST CSF PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5; DISA SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-020310, SV-86629r2_rule
Rationale: An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
CCE-82054-8
Remediation shell script. It locks the extra accounts' passwords rather than
renumbering them, which is the safe automated first step; the -r flag matters,
because without it an empty match list makes xargs run passwd -l with no
argument, and passwd with no user name operates on the caller, locking root:
awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs -r passwd -l
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled
after a certain time period,
meaning that they will require administrator interaction to become usable again.
Expiration of accounts after inactivity can be set for all accounts by default
and also on a per-account basis, such as for accounts that are known to be temporary.
To configure automatic expiration of an account following
the expiration of its password (that is, after the password has expired and not been changed),
run the following command, substituting NUM_DAYS and USER appropriately:
$ sudo chage -I NUM_DAYS USER
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the
-E option.
The file /etc/default/useradd controls
default settings for all newly-created accounts created with the system's
normal command line utilities.
Value: number of days after a password expires until the account is permanently disabled
The number of days to wait after a password expires, until the account will be permanently disabled. This will only apply to newly created accounts.
Use Centralized and Automated Authentication
Implement an automated system for managing user accounts that minimizes the
risk of errors, whether accidental or deliberate. This system
should integrate with an existing enterprise user management system, such as
one based on Identity Management tools such as Active Directory, Kerberos,
Directory Server, etc.
Rationale: A comprehensive account management process that includes automation helps to
ensure the accounts designated as requiring attention are consistently and
promptly addressed. Enterprise environments make user account management
challenging and complex. A user management process requiring administrators to
manually address account management functions adds risk of potential
oversight.
Ensure All Accounts on the System Have Unique Names
Change usernames, or delete accounts, so each has a unique name.
Rationale: Unique usernames allow for accountability on the system.
Identifiers: CCE-80208-2
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in /etc/default/useradd, substituting
NUM_DAYS appropriately:
INACTIVE=
A value of 35 is recommended; however, this profile expects that the value is set to
.
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
useradd man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
Rationale: Disabling inactive accounts ensures that accounts which may not
have been responsibly removed are not available to attackers
who may have compromised their credentials.
Identifiers: CCE-27355-7
Remediation Shell script:
# The value is substituted from the profile's XCCDF Value; it is empty in this rendering.
var_account_disable_post_pw_expiration=""
# replace_or_append is a helper from the SCAP Security Guide's shared remediation
# functions: it rewrites the line matching the pattern, or appends "INACTIVE=<value>".
replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" 'CCE-27355-7' '%s=%s'
Remediation Ansible snippet:
- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable
  set_fact:
    var_account_disable_post_pw_expiration: !!str  # filled in from the selected profile
  tags:
    - always
- name: Set Account Expiration Following Inactivity
  lineinfile:
    create: true
    dest: /etc/default/useradd
    regexp: ^INACTIVE
    line: INACTIVE={{ var_account_disable_post_pw_expiration }}
  tags:
    - account_disable_post_pw_expiration
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27355-7
    - PCI-DSS-Req-8.1.4
    - DISA-STIG-RHEL-07-010310
    - NIST-800-171-3.5.6
    - NIST-800-53-IA-4(e)
    - NIST-800-53-AC-2(3)
    - NIST-800-53-CM-6(a)
    - CJIS-5.6.2.1.1
Assign Expiration Date to Temporary Accounts
Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary or emergency accounts are required, configure the system to
terminate them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on
it, substituting USER and YYYY-MM-DD
appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours.
Rationale: If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
Identifiers: CCE-81000-2
Set Password Expiration Parameters
The file /etc/login.defs controls several
password-related settings. Programs such as passwd,
su, and
login consult /etc/login.defs to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page login.defs(5) for more information.
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
PASS_MAX_DAYS and apply it to existing accounts with the
-M flag.
The PASS_MIN_DAYS (-m) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The PASS_WARN_AGE (-W) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
For example, for each existing human user USER, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
$ sudo chage -M 180 -m 7 -W 7 USER
Value: maximum password age
Maximum age of password in days. This will only apply to newly created accounts.
Value: minimum password age
Minimum age of password in days. This will only apply to newly created accounts.
Value: minimum password length
Minimum number of characters in password. This will only check new passwords.
Value: warning days before password expires
The number of days' warning given before a password expires. This will only apply to newly created accounts.
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file
/etc/login.defs and add or correct the following line:
PASS_MIN_LEN
The DoD requirement is 15.
The FISMA requirement is 12.
The profile requirement is
.
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
information about enforcing password quality requirements.
Rationale: Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result.
Identifiers: CCE-82049-8
Remediation Shell script:
declare var_accounts_password_minlen_login_defs
# The value is substituted from the profile's XCCDF Value; it is empty in this rendering.
var_accounts_password_minlen_login_defs=""
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi
Remediation Ansible snippet:
- name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable
  set_fact:
    var_accounts_password_minlen_login_defs: !!str  # filled in from the selected profile
  tags:
    - always
- name: Set Password Minimum Length in login.defs
  lineinfile:
    dest: /etc/login.defs
    regexp: ^PASS_MIN_LEN *[0-9]*
    state: present
    line: PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}
    create: true
  tags:
    - accounts_password_minlen_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82049-8
    - NIST-800-171-3.5.7
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - CJIS-5.6.2.1
Set Password Warning Age
To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGE
The DoD requirement is 7.
The profile requirement is .
Rationale: Setting the password warning age enables users to
make the change at a practical time.
Identifiers: CCE-82016-7
Remediation Shell script:
# The value is substituted from the profile's XCCDF Value; it is empty in this rendering.
var_accounts_password_warn_age_login_defs=""
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_WARN_AGE $var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi
Remediation Ansible snippet:
- name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable
  set_fact:
    var_accounts_password_warn_age_login_defs: !!str  # filled in from the selected profile
  tags:
    - always
- name: Set Password Warning Age
  lineinfile:
    dest: /etc/login.defs
    regexp: ^PASS_WARN_AGE *[0-9]*
    state: present
    line: PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }}
    create: true
  tags:
    - accounts_password_warn_age_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82016-7
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(d)
    - NIST-800-53-CM-6(a)
Set Password Minimum Age
To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
The profile requirement is .
Rationale: Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a
favorite password after satisfying the password reuse requirement.
Identifiers: CCE-82036-5
Remediation Shell script:
# The value is substituted from the profile's XCCDF Value; it is empty in this rendering.
var_accounts_minimum_age_login_defs=""
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi
Remediation Ansible snippet:
- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
  set_fact:
    var_accounts_minimum_age_login_defs: !!str  # filled in from the selected profile
  tags:
    - always
- name: Set Password Minimum Age
  lineinfile:
    create: true
    dest: /etc/login.defs
    regexp: ^#?PASS_MIN_DAYS
    line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}
  tags:
    - accounts_minimum_age_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82036-5
    - DISA-STIG-RHEL-07-010230
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(d)
    - NIST-800-53-CM-6(a)
    - CJIS-5.6.2.1.1
Set Password Maximum Age
To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS
A value of 180 days is sufficient for many environments.
The DoD requirement is 60.
The profile requirement is .
Rationale: Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.
Identifiers: CCE-27051-2
Remediation Shell script:
# The value is substituted from the profile's XCCDF Value; it is empty in this rendering.
var_accounts_maximum_age_login_defs=""
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
Remediation Ansible snippet:
- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
  set_fact:
    var_accounts_maximum_age_login_defs: !!str  # filled in from the selected profile
  tags:
    - always
- name: Set Password Maximum Age
  lineinfile:
    create: true
    dest: /etc/login.defs
    regexp: ^#?PASS_MAX_DAYS
    line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}
  tags:
    - accounts_maximum_age_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27051-2
    - PCI-DSS-Req-8.2.4
    - DISA-STIG-RHEL-07-010250
    - NIST-800-171-3.5.6
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(d)
    - NIST-800-53-CM-6(a)
    - CJIS-5.6.2.1
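An added example, not from the SCAP Security Guide: shell functions that audit and idempotently set the login.defs and useradd keys covered above, and that list existing accounts whose /etc/shadow aging fields miss the same policy (the situation the chage commands in the following items address). File paths are parameters, the sample files are constructed, and the policy numbers used in the demonstration are the DoD values this page quotes.

```shell
#!/bin/bash
# Added example, not part of the SCAP Security Guide: audit and idempotently set
# the aging keys discussed above (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN and
# PASS_WARN_AGE in /etc/login.defs, INACTIVE in /etc/default/useradd) and list
# existing accounts whose /etc/shadow aging fields fall outside the same policy.
# File paths are parameters so the functions can run against constructed copies;
# the policy numbers in demo() are the DoD values this page quotes (assumed here).

# Effective value of KEY in a "KEY VALUE" (login.defs) or "KEY=VALUE" (useradd)
# file. Commented-out lines are ignored and the last active line wins.
get_defs_value() {   # get_defs_value FILE KEY
    awk -F '[ \t]+|=' -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Replace the active KEY line in place, or append one if none exists; commented
# defaults (#KEY ...) are left alone. SEP is " " for login.defs, "=" for useradd.
# Writing through cat keeps the target file's owner and mode.
set_defs_value() {   # set_defs_value FILE KEY VALUE [SEP]
    local file="$1" key="$2" value="$3" sep="${4:- }" tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        $0 ~ ("^" key "[ \t=]") { if (!done) { print key sep value; done = 1 }; next }
        { print }
        END { if (!done) print key sep value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Compare VALUE with EXPECTED using OP (-le or -ge). Unset, non-numeric or
# negative values fail: INACTIVE=-1 and an unset PASS_MAX_DAYS both mean "never".
check_value() {   # check_value LABEL VALUE OP EXPECTED
    case "$2" in
        ''|*[!0-9]*) echo "FAIL $1=${2:-unset} (expected $3 $4)"; return 1 ;;
    esac
    if [ "$2" "$3" "$4" ]; then echo "PASS $1=$2"; return 0; fi
    echo "FAIL $1=$2 (expected $3 $4)"; return 1
}

# Check both defaults files against a policy; returns the number of failing keys.
audit_login_defs() {   # audit_login_defs LOGIN_DEFS USERADD MAX MIN LEN WARN INACTIVE
    local fails=0
    check_value PASS_MAX_DAYS "$(get_defs_value "$1" PASS_MAX_DAYS)" -le "$3" || fails=$((fails + 1))
    check_value PASS_MIN_DAYS "$(get_defs_value "$1" PASS_MIN_DAYS)" -ge "$4" || fails=$((fails + 1))
    check_value PASS_MIN_LEN  "$(get_defs_value "$1" PASS_MIN_LEN)"  -ge "$5" || fails=$((fails + 1))
    check_value PASS_WARN_AGE "$(get_defs_value "$1" PASS_WARN_AGE)" -ge "$6" || fails=$((fails + 1))
    check_value INACTIVE      "$(get_defs_value "$2" INACTIVE)"      -le "$7" || fails=$((fails + 1))
    return "$fails"
}

# Accounts with a usable password (field 2 not empty, "!" or "*") whose shadow
# aging fields break the policy: field 4 = min days, 5 = max days, 6 = warn days.
# An empty field is reported as unset; an unset max means the password never expires.
audit_shadow_aging() {   # audit_shadow_aging SHADOW MAX MIN WARN
    awk -F: -v max="$2" -v min="$3" -v warn="$4" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        {
            bad = ""
            if ($5 == "" || $5 + 0 > max)  bad = bad " max="  ($5 == "" ? "unset" : $5)
            if ($4 == "" || $4 + 0 < min)  bad = bad " min="  ($4 == "" ? "unset" : $4)
            if ($6 == "" || $6 + 0 < warn) bad = bad " warn=" ($6 == "" ? "unset" : $6)
            if (bad != "") print $1 ":" bad
        }' "$1"
}

# Constructed sample files (not copied from any host) with deliberate gaps.
make_samples() {   # make_samples DIR
    printf '# site defaults\n#PASS_MAX_DAYS 99999\nPASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' > "$1/login.defs"
    printf 'INACTIVE=-1\nSHELL=/bin/bash\n' > "$1/useradd"
    printf '%s\n' 'root:$6$salt$hash:18000:1:60:7:::' 'alice:$6$salt$hash:18000:0:99999:7:::' \
        'svc:!!:18000::::::' 'bob:$6$salt$hash:18000::::::' > "$1/shadow"
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    echo "== before remediation =="
    audit_login_defs "$dir/login.defs" "$dir/useradd" 60 1 15 7 35 || echo "-> $? key(s) out of policy"
    audit_shadow_aging "$dir/shadow" 60 1 7
    # apply the page's settings the way its remediation scripts do, then re-check
    set_defs_value "$dir/login.defs" PASS_MAX_DAYS 60
    set_defs_value "$dir/login.defs" PASS_MIN_DAYS 1
    set_defs_value "$dir/login.defs" PASS_MIN_LEN 15
    set_defs_value "$dir/useradd" INACTIVE 35 =
    echo "== after remediation =="
    audit_login_defs "$dir/login.defs" "$dir/useradd" 60 1 15 7 35 && echo "-> all keys in policy"
    rm -rf "$dir"
}
demo
```

Accounts listed by audit_shadow_aging are the ones whose per-account values the chage -M / -m commands below would correct; changing login.defs alone only affects accounts created afterwards.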
Set Existing Passwords Minimum Age
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER
Rationale: Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse.
Identifiers: CCE-80521-8
Set Existing Passwords Maximum Age
Configure non-compliant accounts to enforce a 60-day maximum password lifetime
restriction by running the following command:
$ sudo chage -M 60 USER
Rationale: Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised.
Identifiers: CCE-80522-6
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
/etc/shadow. This file should be readable only by
processes running with root credentials, preventing users from
casually accessing others' password hashes and attempting
to crack them.
However, it remains possible to misconfigure the system
and store password hashes
in world-readable files such as /etc/passwd, or
to even store passwords themselves in plaintext on the system.
Using system-provided tools for password change/creation
should allow administrators to avoid such misconfiguration.
Verify No netrc Files Exist
The .netrc files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any .netrc files should be removed.
Rationale: Unencrypted passwords for remote FTP servers may be stored in .netrc
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
Identifiers: CCE-80211-6
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the nullok
option in /etc/pam.d/system-auth to
prevent logins with empty passwords.
Rationale: If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments.
Identifiers: CCE-27286-4
Remediation Shell script:
# --follow-symlinks edits the file the pam.d symlink points at, rather than
# replacing the symlink itself, so the authconfig-managed target is what changes.
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth
Remediation Ansible snippet:
- name: Prevent Log In to Accounts With Empty Password - system-auth
  replace:
    dest: /etc/pam.d/system-auth
    follow: true
    regexp: nullok
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-27286-4
    - PCI-DSS-Req-8.2.3
    - DISA-STIG-RHEL-07-010290
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.2
- name: Prevent Log In to Accounts With Empty Password - password-auth
  replace:
    dest: /etc/pam.d/password-auth
    follow: true
    regexp: nullok
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-27286-4
    - PCI-DSS-Req-8.2.3
    - DISA-STIG-RHEL-07-010290
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.2
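An added example, not from the SCAP Security Guide: read-only checks for the account-database rules above (only root has UID 0, unique usernames, no empty passwords and no nullok left in PAM) and for the two items that follow (hashes kept out of the world-readable /etc/passwd, every GID in /etc/passwd defined in /etc/group). Paths are parameters and the sample files are constructed.

```shell
#!/bin/bash
# Added example, not part of the SCAP Security Guide: read-only checks for the
# account-database rules on this page (only root has UID 0, unique usernames,
# no empty passwords and no nullok in PAM, hashes shadowed rather than in the
# world-readable /etc/passwd, every GID in /etc/passwd defined in /etc/group).
# Paths are parameters so the checks can run against constructed copies.

# Accounts other than root whose UID (field 3 of passwd) is 0.
uid0_accounts() {   # uid0_accounts PASSWD
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Usernames (field 1) that occur more than once.
duplicate_names() {   # duplicate_names PASSWD
    awk -F: '{ n[$1]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort
}

# Accounts whose passwd password field (field 2) is anything but "x" or "*":
# a hash, cleartext, or an empty field, all of them in a world-readable file.
unshadowed_hashes() {   # unshadowed_hashes PASSWD
    awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Accounts whose shadow password field (field 2) is empty; such an account can
# be entered without a password wherever PAM still carries nullok.
empty_passwords() {   # empty_passwords SHADOW
    awk -F: '$2 == "" { print $1 }' "$1"
}

# PAM lines that still carry the nullok option (whole word, as the page's sed
# remediation matches it); prints file:line:text, nothing when clean.
nullok_lines() {   # nullok_lines PAMFILE...
    [ "$#" -gt 0 ] || return 0
    grep -Hnw nullok "$@" 2>/dev/null || :
}

# Primary GIDs (passwd field 4) with no group of that GID (group field 3).
undefined_gids() {   # undefined_gids PASSWD GROUP
    awk -F: 'NR == FNR { gid[$3] = 1; next } !($4 in gid) { print $1 ":" $4 }' "$2" "$1"
}

# Run every check, print findings as "check: detail", return the finding count.
audit_accounts() {   # audit_accounts PASSWD SHADOW GROUP PAMFILE...
    local passwd="$1" shadow="$2" group="$3" total=0 label out
    shift 3
    for label in uid0 dupname unshadowed emptypw badgid nullok; do
        case "$label" in
            uid0)       out=$(uid0_accounts "$passwd") ;;
            dupname)    out=$(duplicate_names "$passwd") ;;
            unshadowed) out=$(unshadowed_hashes "$passwd") ;;
            emptypw)    out=$(empty_passwords "$shadow") ;;
            badgid)     out=$(undefined_gids "$passwd" "$group") ;;
            nullok)     out=$(nullok_lines "$@") ;;
        esac
        [ -n "$out" ] || continue
        printf '%s\n' "$out" | sed "s/^/$label: /"
        total=$((total + $(printf '%s\n' "$out" | grep -c .)))
    done
    return "$total"
}

# Constructed sample files (not from any real host), each breaking one rule.
make_samples() {   # make_samples DIR
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'toor:x:0:0:second root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' 'alice:x:1001:1001::/home/alice2:/bin/bash' \
        'legacy:$1$abc$hash:1002:4242::/home/legacy:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:$6$salt$hash:18000:1:60:7:::' 'toor:!!:18000:1:60:7:::' \
        'alice::18000:1:60:7:::' 'legacy:*:18000::::::' > "$1/shadow"
    printf '%s\n' 'root:x:0:' 'alice:x:1000:' 'alice2:x:1001:' > "$1/group"
    printf '%s\n' 'auth        sufficient    pam_unix.so nullok try_first_pass' \
        'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
        'account     required      pam_unix.so' > "$1/system-auth"
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    audit_accounts "$dir/passwd" "$dir/shadow" "$dir/group" "$dir/system-auth" \
        || echo "-> $? finding(s)"
    rm -rf "$dir"
}
demo
```

Against the live files the call is audit_accounts /etc/passwd /etc/shadow /etc/group /etc/pam.d/system-auth /etc/pam.d/password-auth, run as root since /etc/shadow is not world-readable.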
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in /etc/passwd (in the second field,
instead of an x or *), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
Rationale: The hashes for all user account passwords should be stored in
the file /etc/shadow and never in /etc/passwd,
which is readable by all users.
Identifiers: CCE-27352-4
All GIDs referenced in /etc/passwd must be defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.
Rationale: If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group
with that Group Identifier (GID) is subsequently created, the user may have unintended rights to
any files associated with the group.
Identifiers: CCE-27503-2
Protect Physical Console Access
It is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the
system is located should be considered a necessary step. However,
there are some steps which, if taken, make it more difficult for an
attacker to quickly or undetectably modify a system from its
console.Disable debug-shell SystemD ServiceSystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is already disabled.
The debug-shell service can be disabled with the following command:
$ sudo systemctl disable debug-shell.service
The debug-shell service can be masked with the following command:
$ sudo systemctl mask debug-shell.service3.4.5164.308(a)(1)(ii)(B)164.308(a)(7)(i)164.308(a)(7)(ii)(A)164.310(a)(1)164.310(a)(2)(i)164.310(a)(2)(ii)164.310(a)(2)(iii)164.310(b)164.310(c)164.310(d)(1)164.310(d)(2)(iii)FIA_AFL.1SRG-OS-000324-GPOS-00125This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted.CCE-80206-6
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'debug-shell.service'
"$SYSTEMCTL_EXEC" disable 'debug-shell.service'
"$SYSTEMCTL_EXEC" mask 'debug-shell.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^debug-shell.socket'; then
    "$SYSTEMCTL_EXEC" stop 'debug-shell.socket'
    "$SYSTEMCTL_EXEC" disable 'debug-shell.socket'
    "$SYSTEMCTL_EXEC" mask 'debug-shell.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' || true
Remediation Ansible snippet:
- name: Disable service debug-shell
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service debug-shell
      systemd:
        name: debug-shell.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"debug-shell.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_debug-shell_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80206-6
    - NIST-800-171-3.4.5
- name: Unit Socket Exists - debug-shell.socket
  command: systemctl list-unit-files debug-shell.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_debug-shell_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80206-6
    - NIST-800-171-3.4.5
- name: Disable socket debug-shell
  systemd:
    name: debug-shell.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"debug-shell.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_debug-shell_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80206-6
    - NIST-800-171-3.4.5
Remediation Puppet snippet:
include disable_debug-shell
class disable_debug-shell {
  service {'debug-shell':
    enable => false,
    ensure => 'stopped',
  }
}
Remediation Kubernetes snippet:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    systemd:
      units:
        - enabled: false
          name: debug-shell.service
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery
method, giving a single user root access to the system by
providing a boot option at startup. Unless the rescue unit is configured
to run sulogin, no authentication is performed when single-user mode is selected.
On Red Hat Enterprise Linux 7 the default rescue unit already requires the root
password through sulogin; this is set in the ExecStart line of
/usr/lib/systemd/system/rescue.service, and this rule verifies that the setting is still in place.
References: 1.4.3; 1, 11, 12, 14, 15, 16, 18, 3, 5; DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10; 3.1.1, 3.4.5; CCI-000213; 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7; A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; IA-2, AC-3, CM-6(a); PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3; FIA_AFL.1; SRG-OS-000080-GPOS-00048; RHEL-07-010481; SV-92519r2_rule
Rationale: This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
Identifiers: CCE-27287-2
Remediation Shell script:
service_file="/usr/lib/systemd/system/rescue.service"
# sulogin prompts for the root password before handing over a shell; the
# leading "-" on ExecStart tells systemd to ignore the command's exit status.
# Note that this edits the vendor unit: a package update may overwrite it, and
# a drop-in under /etc/systemd/system/rescue.service.d/ takes precedence over it.
sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
if grep -q "^ExecStart=.*" "$service_file" ; then
    sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
else
    echo "ExecStart=-$sulogin" >> "$service_file"
fi
Remediation Ansible snippet:
- name: require single user mode password
  lineinfile:
    create: true
    dest: /usr/lib/systemd/system/rescue.service
    regexp: ^#?ExecStart=
    line: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - require_singleuser_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27287-2
    - DISA-STIG-RHEL-07-010481
    - NIST-800-171-3.1.1
    - NIST-800-171-3.4.5
    - NIST-800-53-IA-2
    - NIST-800-53-AC-3
    - NIST-800-53-CM-6(a)
Require Authentication for Emergency Systemd Target
Emergency mode is intended as a system recovery
method, giving a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password; this is set
in the ExecStart line of /usr/lib/systemd/system/emergency.service.
References: 1.4.3; 1, 11, 12, 14, 15, 16, 18, 3, 5; DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10; 3.1.1, 3.4.5; CCI-000213; 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7; A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; IA-2, AC-3, CM-6(a); PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3; FIA_AFL.1; SRG-OS-000080-GPOS-00048; RHEL-07-010481; SV-92519r2_rule
Rationale: This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
Identifiers: CCE-82185-0
Remediation Shell script:
service_file="/usr/lib/systemd/system/emergency.service"
# sulogin prompts for the root password before handing over a shell; the
# leading "-" on ExecStart tells systemd to ignore the command's exit status.
# Note that this edits the vendor unit: a package update may overwrite it, and
# a drop-in under /etc/systemd/system/emergency.service.d/ takes precedence over it.
sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
if grep -q "^ExecStart=.*" "$service_file" ; then
    sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
else
    echo "ExecStart=-$sulogin" >> "$service_file"
fi
Remediation Ansible snippet:
- name: require emergency mode password
  lineinfile:
    create: true
    dest: /usr/lib/systemd/system/emergency.service
    regexp: ^#?ExecStart=
    line: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - require_emergency_target_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82185-0
    - DISA-STIG-RHEL-07-010481
    - NIST-800-171-3.1.1
    - NIST-800-171-3.4.5
    - NIST-800-53-IA-2
    - NIST-800-53-AC-3
    - NIST-800-53-CM-6(a)
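Both of the preceding rules rely on the same property: every ExecStart command of the recovery unit must run sulogin before a shell is offered. The script below is an added example, not part of this guide or of the scap-security-guide content. It checks that property for rescue.service and emergency.service the way systemd resolves units: a full copy under /etc/systemd/system/ overrides the vendor file in /usr/lib/systemd/system/, and drop-in fragments in <unit>.d/*.conf are applied afterwards, where an empty ExecStart= line clears the commands collected so far. The remediation scripts above only edit the vendor file, so a later drop-in can silently re-open the unauthenticated shell; this audit would catch that. The unit file contents used in the test are constructed.

```shell
#!/bin/bash
# Added example (not from the guide): confirm that the systemd recovery units
# still require the root password by checking that every effective ExecStart
# command invokes sulogin.

# Usage: unit_requires_sulogin UNIT_FILE [DROPIN_DIR]
# Reads the unit file and then any DROPIN_DIR/*.conf fragments in sorted
# order, as systemd does. Comment lines are ignored and an empty "ExecStart="
# resets the command list. Returns 0 only when at least one command remains
# and every one of them runs sulogin (a leading "-" is allowed).
unit_requires_sulogin() {
    local unit=$1 dropin_dir=${2:-} f files="$1"
    if [ -d "$dropin_dir" ]; then
        for f in "$dropin_dir"/*.conf; do
            [ -f "$f" ] && files="$files $f"
        done
    fi
    # $files is intentionally unquoted: it is a space-separated list of paths.
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*ExecStart[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            if ($0 == "") { n = 0; next }
            cmd[n++] = $0
        }
        END {
            if (n == 0) exit 1
            for (i = 0; i < n; i++)
                if (cmd[i] !~ /(^|[^[:alnum:]_])sulogin([^[:alnum:]_]|$)/) exit 1
            exit 0
        }' $files
}

# Usage: audit_recovery_units [ETC_DIR] [LIB_DIR]
# Checks rescue.service and emergency.service with systemd's precedence: a
# full unit under ETC_DIR wins over the vendor copy in LIB_DIR, and
# ETC_DIR/<unit>.d/ drop-ins apply on top of whichever file is used.
audit_recovery_units() {
    local etc=${1:-/etc/systemd/system} lib=${2:-/usr/lib/systemd/system}
    local u unit rc=0
    for u in rescue.service emergency.service; do
        unit=$etc/$u
        [ -f "$unit" ] || unit=$lib/$u
        if unit_requires_sulogin "$unit" "$etc/$u.d"; then
            echo "PASS: $u requires sulogin ($unit)"
        else
            echo "FAIL: $u does not require sulogin ($unit)"
            rc=1
        fi
    done
    return $rc
}

# Audit the running system only when asked; otherwise just define the functions.
case "${1:-}" in --audit) audit_recovery_units ;; esac
```

On a live host, `systemctl show -p ExecStart rescue.service` gives the same merged view for a quick manual comparison.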
Disable Ctrl-Alt-Del Burst Action
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed more than 7 times in 2 seconds.
To configure the system to ignore such a burst, add or modify the
following in /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
This setting is needed even when ctrl-alt-del.target is masked: the burst is
handled by systemd itself and reboots the machine without going through that target.
Warning: Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf (an Upstart file from Red Hat Enterprise Linux 6) DOES NOT disable the Ctrl-Alt-Del
key sequence in the graphical runlevel 5 (graphical.target, e.g. GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled when running in
the non-graphical runlevel 3 (multi-user.target).
References: 12, 13, 14, 15, 16, 18, 3, 5; APO01.06, DSS05.04, DSS05.07, DSS06.02; 3.4.5; CCI-000366; 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); 4.3.3.7.3; SR 2.1, SR 5.2; A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; CM-6(a), AC-6(1); PR.AC-4, PR.DS-5; SRG-OS-000324-GPOS-00125
Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
Identifiers: CCE-80449-2
Remediation Shell script:
# replace_or_append is a helper from the scap-security-guide remediation
# function library: it rewrites the matching line or appends it if absent.
replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' 'CCE-80449-2' '%s=%s'
Remediation Ansible snippet:
- name: Disable Ctrl-Alt-Del Burst Action
  lineinfile:
    dest: /etc/systemd/system.conf
    state: present
    regexp: ^CtrlAltDelBurstAction
    line: CtrlAltDelBurstAction=none
    create: true
  tags:
    - disable_ctrlaltdel_burstaction
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80449-2
    - NIST-800-171-3.4.5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify that Interactive Boot is Disabled
Red Hat Enterprise Linux 7 systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux 7
system, interactive boot can be enabled by providing a 1,
yes, true, or on value to the
systemd.confirm_spawn kernel argument in /etc/default/grub.
Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from
the kernel arguments in that file to disable interactive boot. The installed
bootloader configuration must also be changed; to do so at runtime, run:
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
References: 11, 12, 14, 15, 16, 18, 3, 5; DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06; 3.1.2, 3.4.5; CCI-000213; 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7; A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; SC-2(1), CM-6(a); PR.AC-4, PR.AC-6, PR.PT-3; FIA_AFL.1; SRG-OS-000480-GPOS-00227
Rationale: Using interactive boot, the console user could disable auditing, firewalls,
or other services, weakening system security.
Identifiers: CCE-27335-9
Remediation Shell script:
CONFIRM_SPAWN_YES="systemd.confirm_spawn=\(1\|yes\|true\|on\)"
CONFIRM_SPAWN_NO="systemd.confirm_spawn=no"
# Turn every enabling value on the GRUB default command line into an explicit "no";
# this only takes effect in the installed configuration once grub2-mkconfig is re-run,
# which is why the grubby call below also edits the installed boot entries.
if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub
then
    sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/g" /etc/default/grub
fi
# Remove 'systemd.confirm_spawn' kernel argument also from runtime settings
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
Remediation Ansible snippet:
- name: Verify that Interactive Boot is Disabled in /etc/default/grub
  replace:
    dest: /etc/default/grub
    regexp: systemd.confirm_spawn=(1|yes|true|on)
    replace: systemd.confirm_spawn=no
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_disable_interactive_boot
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27335-9
    - NIST-800-171-3.1.2
    - NIST-800-171-3.4.5
    - NIST-800-53-SC-2(1)
    - NIST-800-53-CM-6(a)
- name: Verify that Interactive Boot is Disabled (runtime)
  command: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_disable_interactive_boot
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27335-9
    - NIST-800-171-3.1.2
    - NIST-800-171-3.4.5
    - NIST-800-53-SC-2(1)
    - NIST-800-53-CM-6(a)
Disable Ctrl-Alt-Del Reboot Activation
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.target file
(a symlink to reboot.target), as this file may be restored during future system updates.
Warning: Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf (an Upstart file from Red Hat Enterprise Linux 6) DOES NOT disable the Ctrl-Alt-Del
key sequence in the graphical runlevel 5 (graphical.target, e.g. GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled when running in
the non-graphical runlevel 3 (multi-user.target).
References: 12, 13, 14, 15, 16, 18, 3, 5; APO01.06, DSS05.04, DSS05.07, DSS06.02; 3.4.5; CCI-000366; 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii); 4.3.3.7.3; SR 2.1, SR 5.2; A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; CM-6(a), AC-6(1); PR.AC-4, PR.DS-5; SRG-OS-000324-GPOS-00125; RHEL-07-020230; SV-86617r5_rule
Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
Identifiers: CCE-27511-5
Remediation Shell script:
# The process to disable ctrl+alt+del has changed in RHEL7.
# Reference: https://access.redhat.com/solutions/1123873
systemctl mask ctrl-alt-del.target
Remediation Ansible snippet:
- name: Disable Ctrl-Alt-Del Reboot Activation
  systemd:
    name: ctrl-alt-del.target
    masked: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - disable_ctrlaltdel_reboot
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27511-5
    - DISA-STIG-RHEL-07-020230
    - NIST-800-171-3.4.5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Configure Screen Locking
When a user must temporarily leave an account
logged-in, screen locking should be employed to prevent passersby
from abusing the account. User education and training is
particularly important for screen locking to be effective, and policies
can be implemented to reinforce this.
Automatic screen locking is only meant as a safeguard for
those cases where a user forgot to lock the screen.

Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user
stops work and moves away from the immediate physical vicinity of the
information system but does not log out because of the temporary nature of
the absence. Rather than relying on the user to manually lock their
operating system session prior to vacating the vicinity, operating systems
need to be able to identify when a user's session has idled and take action
to initiate the session lock.

Install the screen Package
To enable console screen locking, install the screen package.
The screen package can be installed with the following command:
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x
References: 1, 12, 15, 16; DSS05.04, DSS05.10, DSS06.10; 3.1.10; CCI-000058; 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9; SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9; A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3; CM-6(a); PR.AC-7; FMT_MOF_EXT.1; SRG-OS-000029-GPOS-00010; RHEL-07-010090; SV-86521r3_rule; SRG-OS-000030-VMM-000110
Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not log out because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
The screen package allows for a session lock to be implemented and configured.
Identifiers: CCE-27351-6
Remediation Shell script:
if ! rpm -q --quiet "screen" ; then
    yum install -y "screen"
fi
Remediation Ansible snippet:
- name: Ensure screen is installed
  package:
    name: screen
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_screen_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27351-6
    - DISA-STIG-RHEL-07-010090
    - NIST-800-171-3.1.10
    - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include install_screen
class install_screen {
  package { 'screen':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=screen
Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login
provides stronger, two-factor authentication than using a username and password.
In Red Hat Enterprise Linux servers and workstations, hardware token login
is not enabled by default and must be enabled in the system settings.

OpenSC Smart Card Drivers
Choose the Smart Card Driver in use by your organization.
For DoD, choose the cac driver.
If your driver is not listed and you don't want to use the
default driver, use the other option and
manually specify your driver.
Options: flex, cardos, epass2003, PIV-II, oberthur, iasecc, starcos, gpk, rutoken_ecp, incrypto34, dnie, rutoken, jpki, None, belpic, asepcos, myeid, MaskTech, tcos, itacns, cyberflex, entersafe, acos5, npa, isoApplet, gemsafeV1, atrust-acos, openpgp, sc-hsm, authentic, coolkey, akis, gids, default, setcos, westcos, cac, mcrd, muscle

Install the pcsc-lite package
The pcsc-lite package can be installed with the following command:
$ sudo yum install pcsc-lite
References: CCI-001954; CM-6(a); SRG-OS-000375-GPOS-00160; SRG-OS-000377-VMM-001530
Rationale: The pcsc-lite package must be installed if it is to be available for
multifactor authentication using smartcards.
Identifiers: CCE-82347-6
Remediation Shell script:
if ! rpm -q --quiet "pcsc-lite" ; then
    yum install -y "pcsc-lite"
fi
Remediation Ansible snippet:
- name: Ensure pcsc-lite is installed
  package:
    name: pcsc-lite
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_pcsc-lite_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82347-6
    - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include install_pcsc-lite
class install_pcsc-lite {
  package { 'pcsc-lite':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=pcsc-lite
Install the opensc Package For Multifactor Authentication
The opensc package can be installed with the following command:
$ sudo yum install opensc
References: CCI-001954; CM-6(a); SRG-OS-000375-GPOS-00160; SRG-OS-000376-VMM-001520
Rationale: Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
Identifiers: CCE-80568-9
Remediation Shell script:
if ! rpm -q --quiet "opensc" ; then
    yum install -y "opensc"
fi
Remediation Ansible snippet:
- name: Ensure opensc is installed
  package:
    name: opensc
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_opensc_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80568-9
    - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include install_opensc
class install_opensc {
  package { 'opensc':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=opensc
Enable the pcscd Service
The pcscd service can be enabled with the following command:
$ sudo systemctl enable pcscd.service
References: CCI-001954; IA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a); SRG-OS-000375-GPOS-00160; SRG-OS-000377-VMM-001530
Rationale: Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
Identifiers: CCE-80569-7
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'pcscd.service'
"$SYSTEMCTL_EXEC" enable 'pcscd.service'
Remediation Ansible snippet:
- name: Enable service pcscd
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service pcscd
      service:
        name: pcscd
        enabled: 'yes'
        state: started
      when:
        - '"pcsc-lite" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_pcscd_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80569-7
    - NIST-800-53-IA-2(1)
    - NIST-800-53-IA-2(2)
    - NIST-800-53-IA-2(3)
    - NIST-800-53-IA-2(4)
    - NIST-800-53-IA-2(6)
    - NIST-800-53-IA-2(7)
    - NIST-800-53-IA-2(11)
    - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include enable_pcscd
class enable_pcscd {
  service {'pcscd':
    enable => true,
    ensure => 'running',
  }
}
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by
installing the required packages. The esc and pam_pkcs11 packages can be
installed with the following command:
$ sudo yum install esc pam_pkcs11
References: CCI-001954; CM-6(a); SRG-OS-000375-GPOS-00160; RHEL-07-041001; SV-87041r4_rule
Rationale: Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
Identifiers: CCE-80519-2
Remediation Shell script:
if ! rpm -q --quiet "esc" ; then
    yum install -y "esc"
fi
if ! rpm -q --quiet "pam_pkcs11" ; then
    yum install -y "pam_pkcs11"
fi
Configure opensc Smart Card Drivers
The OpenSC smart card tool can auto-detect smart card drivers; however,
setting the smart card drivers in use by your organization helps to prevent
users from using unauthorized smart cards. The default smart card driver for this
profile is .
To configure the OpenSC driver, edit the /etc/opensc-ARCH.conf (where
ARCH is the architecture of your operating system) file. Look for a
line similar to:
# card_drivers = old, internal;
and change it to:
card_drivers = ;
References: 1, 12, 15, 16, 5; DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884; 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; IA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a); PR.AC-1, PR.AC-6, PR.AC-7; Req-8.3; SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058, SRG-OS-000376-VMM-001520
Rationale: Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
Configuring the smart card driver in use by your organization helps to prevent
users from using unauthorized smart cards.
Identifiers: CCE-80565-5
Remediation Shell script:
var_smartcard_drivers=""
OPENSC_TOOL="/usr/bin/opensc-tool"
# Write the card_drivers entry into the "app default" section of the opensc configuration
if [ -f "${OPENSC_TOOL}" ]; then
    ${OPENSC_TOOL} -S app:default:card_drivers:$var_smartcard_drivers
fi
Remediation Ansible snippet:
- name: XCCDF Value var_smartcard_drivers # promote to variable
  set_fact:
    var_smartcard_drivers: !!str
  tags:
    - always
- name: Check existence of opensc conf
  stat:
    path: /etc/opensc-{{ ansible_architecture }}.conf
  register: opensc_conf_cd
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - configure_opensc_card_drivers
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80565-5
    - PCI-DSS-Req-8.3
    - NIST-800-53-IA-2(1)
    - NIST-800-53-IA-2(2)
    - NIST-800-53-IA-2(3)
    - NIST-800-53-IA-2(4)
    - NIST-800-53-IA-2(6)
    - NIST-800-53-IA-2(7)
    - NIST-800-53-IA-2(11)
    - NIST-800-53-CM-6(a)
- name: Configure opensc Smart Card Drivers
  lineinfile:
    path: /etc/opensc-{{ ansible_architecture }}.conf
    line: ' card_drivers = {{ var_smartcard_drivers }}'
    regexp: (^\s+#|^)\s+card_drivers\s+=\s+.*
    state: present
  when:
    - opensc_conf_cd.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - configure_opensc_card_drivers
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80565-5
    - PCI-DSS-Req-8.3
    - NIST-800-53-IA-2(1)
    - NIST-800-53-IA-2(2)
    - NIST-800-53-IA-2(3)
    - NIST-800-53-IA-2(4)
    - NIST-800-53-IA-2(6)
    - NIST-800-53-IA-2(7)
    - NIST-800-53-IA-2(11)
    - NIST-800-53-CM-6(a)
Configure NSS DB To Use opensc
The opensc module should be configured for use over the
Coolkey PKCS#11 module in the NSS database. To configure the
NSS database to use the opensc module, run the following
command:
$ sudo pkcs11-switch opensc
References: 1, 12, 15, 16, 5; DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884; 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; IA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a); PR.AC-1, PR.AC-6, PR.AC-7; Req-8.3; SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058, SRG-OS-000376-VMM-001520, SRG-OS-000403-VMM-001640
Rationale: Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
Identifiers: CCE-80567-1
Remediation Shell script:
PKCSSW="/usr/bin/pkcs11-switch"
# Run without an argument, pkcs11-switch prints the PKCS#11 module currently
# selected in the NSS database; with a module name it selects that module.
if [ "$("$PKCSSW")" != "opensc" ] ; then
    "$PKCSSW" opensc
fi
Remediation Ansible snippet:
- name: Check existence of pkcs11-switch
  stat:
    path: /usr/bin/pkcs11-switch
  register: pkcs11switch
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - configure_opensc_nss_db
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80567-1
    - PCI-DSS-Req-8.3
    - NIST-800-53-IA-2(1)
    - NIST-800-53-IA-2(2)
    - NIST-800-53-IA-2(3)
    - NIST-800-53-IA-2(4)
    - NIST-800-53-IA-2(6)
    - NIST-800-53-IA-2(7)
    - NIST-800-53-IA-2(11)
    - NIST-800-53-CM-6(a)
- name: Get NSS database smart card configuration
  command: /usr/bin/pkcs11-switch
  changed_when: false  # read-only query of the currently selected module
  register: pkcsw_output
  when:
    - pkcs11switch.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - configure_opensc_nss_db
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80567-1
    - PCI-DSS-Req-8.3
    - NIST-800-53-IA-2(1)
    - NIST-800-53-IA-2(2)
    - NIST-800-53-IA-2(3)
    - NIST-800-53-IA-2(4)
    - NIST-800-53-IA-2(6)
    - NIST-800-53-IA-2(7)
    - NIST-800-53-IA-2(11)
    - NIST-800-53-CM-6(a)
- name: Configure NSS DB To Use opensc
  command: /usr/bin/pkcs11-switch opensc
  when:
    - pkcs11switch.stat.exists and pkcsw_output.stdout != "opensc"
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - configure_opensc_nss_db
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80567-1
    - PCI-DSS-Req-8.3
    - NIST-800-53-IA-2(1)
    - NIST-800-53-IA-2(2)
    - NIST-800-53-IA-2(3)
    - NIST-800-53-IA-2(4)
    - NIST-800-53-IA-2(6)
    - NIST-800-53-IA-2(7)
    - NIST-800-53-IA-2(11)
    - NIST-800-53-CM-6(a)
Configure Smart Card Certificate Status Checking
Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy lines in
/etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
References: CCI-001954; SRG-OS-000375-GPOS-00160; SRG-OS-000384-GPOS-00167; RHEL-07-041003; SV-87057r5_rule
Rationale: Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
Identifiers: CCE-80520-0
Remediation Shell script:
# Install required packages
if ! rpm --quiet -q pam_pkcs11; then yum -y -d 1 install pam_pkcs11; fi
# Rewrite every active (non-comment) cert_policy line so that OCSP checking is
# enabled; only runs when at least one such line still lacks ocsp_on.
if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv "ocsp_on"; then
    sed -i "/^\s*#/! s/cert_policy.*/cert_policy = ca, ocsp_on, signature;/g" /etc/pam_pkcs11/pam_pkcs11.conf
fi
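The sed in the remediation above replaces every active cert_policy line with the fixed value ca, ocsp_on, signature, which discards any other policy entries (for example crl_auto) a site has configured. The script below is an added example, not part of this guide or of the scap-security-guide content; it reports the active cert_policy lines that lack ocsp_on and, when asked to fix the file, appends ocsp_on to each of them while keeping the existing entries, writing through a temporary copy so the original is left intact if the rewrite fails. The configuration fragment used in the test is constructed.

```shell
#!/bin/bash
# Added example (not from the guide): check and enforce OCSP status checking in
# pam_pkcs11.conf without discarding the other cert_policy entries a site uses.

# Matches ocsp_on as a whole word inside a comma-separated policy list.
OCSP_RE='(^|[^[:alnum:]_])ocsp_on([^[:alnum:]_]|$)'

# Usage: cert_policy_ocsp_enabled FILE
# Prints every active (non-comment) cert_policy line without ocsp_on.
# Returns 0 only when at least one cert_policy line exists and all of them
# include ocsp_on; a file with no policy lines at all is a failure too.
cert_policy_ocsp_enabled() {
    awk -v re="$OCSP_RE" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*cert_policy[[:space:]]*=/ {
            total++
            if ($0 !~ re) { print; bad++ }
        }
        END { exit (total == 0 || bad > 0) }' "$1"
}

# Usage: enable_cert_policy_ocsp FILE
# Appends ocsp_on to each active cert_policy line that lacks it, keeping the
# existing entries and the trailing ";". A policy of "none" (no checking at
# all) is replaced rather than extended. The file is rewritten through a
# temporary copy so a failed awk run leaves it untouched.
enable_cert_policy_ocsp() {
    local file=$1 tmp
    tmp=$(mktemp) || return 1
    awk -v re="$OCSP_RE" '
        /^[[:space:]]*#/ { print; next }
        /^[[:space:]]*cert_policy[[:space:]]*=/ && $0 !~ re {
            eq   = index($0, "=")
            head = substr($0, 1, eq)               # indentation + "cert_policy ="
            val  = substr($0, eq + 1)
            sub(/;[[:space:]]*$/, "", val)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (val == "" || val == "none") val = "ocsp_on"
            else val = val ", ocsp_on"
            print head " " val ";"
            next
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    local rc=$?
    rm -f "$tmp"
    return $rc
}

# Command-line use; with no argument the functions are only defined.
case "${1:-}" in
    --check) cert_policy_ocsp_enabled "${2:-/etc/pam_pkcs11/pam_pkcs11.conf}" ;;
    --fix)   enable_cert_policy_ocsp  "${2:-/etc/pam_pkcs11/pam_pkcs11.conf}" ;;
esac
```

Writing back with `cat "$tmp" > "$file"` rather than `mv` keeps the original file's owner, mode and SELinux label, which matters for a file under /etc that pam_pkcs11 reads at login.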
Force opensc To Use Defined Smart Card Driver
The OpenSC smart card tool can auto-detect smart card drivers; however, by
forcing the smart card driver in use by your organization, opensc will no longer
autodetect or use other drivers unless specified. This helps to prevent
users from using unauthorized smart cards. The default smart card driver for this
profile is .
To force the OpenSC driver, edit the /etc/opensc-ARCH.conf (where
ARCH is the architecture of your operating system) file. Look for a line
similar to:
# force_card_driver = customcos;
and change it to:
force_card_driver = ;
References: 1, 12, 15, 16, 5; DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884; 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; IA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a); PR.AC-1, PR.AC-6, PR.AC-7; Req-8.3; SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058, SRG-OS-000376-VMM-001520
Rationale: Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
Forcing the smart card driver in use by your organization helps to prevent
users from using unauthorized smart cards.
Identifiers: CCE-81002-8
Remediation Shell script:
var_smartcard_drivers=""
OPENSC_TOOL="/usr/bin/opensc-tool"
# Write the force_card_driver entry into the "app default" section of the opensc configuration
if [ -f "${OPENSC_TOOL}" ]; then
    ${OPENSC_TOOL} -S app:default:force_card_driver:$var_smartcard_drivers
fi
- name: XCCDF Value var_smartcard_drivers # promote to variable
set_fact:
var_smartcard_drivers: !!str
tags:
- always
- name: Check existence of opensc conf
stat:
path: /etc/opensc-{{ ansible_architecture }}.conf
register: opensc_conf_fcd
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- force_opensc_card_drivers
- medium_severity
- configure_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-81002-8
- PCI-DSS-Req-8.3
- NIST-800-53-IA-2(1)
- NIST-800-53-IA-2(2)
- NIST-800-53-IA-2(3)
- NIST-800-53-IA-2(4)
- NIST-800-53-IA-2(6)
- NIST-800-53-IA-2(7)
- NIST-800-53-IA-2(11)
- NIST-800-53-CM-6(a)
- name: Force opensc To Use Defined Smart Card Driver
lineinfile:
path: /etc/opensc-{{ ansible_architecture }}.conf
line: ' force_card_driver = {{ var_smartcard_drivers }}'
regexp: (^\s+#|^)\s+force_card_driver\s+=\s+.*
state: present
when:
- opensc_conf_fcd.stat.exists
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- force_opensc_card_drivers
- medium_severity
- configure_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-81002-8
- PCI-DSS-Req-8.3
- NIST-800-53-IA-2(1)
- NIST-800-53-IA-2(2)
- NIST-800-53-IA-2(3)
- NIST-800-53-IA-2(4)
- NIST-800-53-IA-2(6)
- NIST-800-53-IA-2(7)
- NIST-800-53-IA-2(11)
- NIST-800-53-CM-6(a)
Enable Smart Card Login
To enable smart card authentication, consult the documentation at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards
For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
https://access.redhat.com/solutions/82273
References:
  CIS CSC: 1, 12, 15, 16, 5
  COBIT 5: DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
  DISA CCI: CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884
  ISA-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
  ISA-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
  ISO 27001-2013: A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
  NIST 800-53: IA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(6), IA-2(7), IA-2(11), CM-6(a)
  NIST CSF: PR.AC-1, PR.AC-6, PR.AC-7
  PCI DSS: Req-8.3
  OS SRG: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
  DISA STIG ID: RHEL-07-010500
  DISA STIG ref: SV-86589r2_rule
Rationale: Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
Identifiers: CCE-80207-4
# Install required packages
if ! rpm -q --quiet "esc" ; then
yum install -y "esc"
fi
if ! rpm -q --quiet "pam_pkcs11" ; then
yum install -y "pam_pkcs11"
fi
# Enable pcscd.socket systemd activation socket
/usr/bin/systemctl enable "pcscd.socket"
/usr/bin/systemctl start "pcscd.socket"
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
/usr/bin/systemctl reset-failed "pcscd.socket"
# Configure the expected /etc/pam.d/system-auth{,-ac} settings directly
#
# The code below will configure system authentication in the way smart card
# logins will be enabled, but also user login(s) via other method to be allowed
#
# NOTE: It is not possible to use the 'authconfig' command to perform the
# remediation for us, because call of 'authconfig' would discard changes
# for other remediations (see RH BZ#1357019 for details)
#
# Therefore we need to configure the necessary settings directly.
#
# Define system-auth config location
SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
# Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
PAM_ENV_SO="auth.*required.*pam_env.so"
# Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
SYSTEM_AUTH_PAM_SUCCEED="\
auth [success=1 default=ignore] pam_succeed_if.so service notin \
login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid"
# Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED
# row into SYSTEM_AUTH_CONF file
SYSTEM_AUTH_PAM_PKCS11="\
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] \
pam_pkcs11.so nodebug"
# Define smartcard-auth config location
SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"
# Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
SMARTCARD_AUTH_SECTION="\
auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card"
# Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
PAM_PERMIT_SO="account.*required.*pam_permit.so"
# Define 'pam_pkcs11.so' password section
SMARTCARD_PASSWORD_SECTION="\
password required pam_pkcs11.so"
# First Correct the SYSTEM_AUTH_CONF configuration
if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
then
# Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
# and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added
# in SYSTEM_AUTH_CONF file
# This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED"
echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
fi
# Then also correct the SMARTCARD_AUTH_CONF
if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
then
# Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
# Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
fi
# Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below
# Define selected constants for later reuse
SP="[:space:]"
PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf"
# Ensure OCSP is turned on in $PAM_PKCS11_CONF
# 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration
sed -i "s/^[$SP]*cert_policy[$SP]\+=[$SP]\+none;/\t\tcert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF"
# 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line,
# which does not contain it yet
sed -i "/ocsp_on/! s/^[$SP]*cert_policy[$SP]\+=[$SP]\+\(.*\);/\t\tcert_policy = \1, ocsp_on;/" "$PAM_PKCS11_CONF"
package --add=pam_pkcs11 --add=esc
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system
configures the user's session by reading a number of files. Many of
these files are located in the user's home directory, and may have
weak permissions as a result of user error or misconfiguration. If
an attacker can modify or even read certain types of account
configuration information, they can often gain full access to the
affected user's account. Therefore, it is important to test and
correct configuration file permissions for interactive accounts,
particularly those of privileged users such as root or system
administrators.

Account Inactivity Timeout (minutes)
In an interactive shell, the value is interpreted as the
number of seconds to wait for input after issuing the primary prompt.
Bash terminates after waiting for that number of seconds if input does
not arrive.
Values: 600, 300, 600, 900, 1800

Maximum concurrent login sessions
Maximum number of concurrent sessions by a user
Values: 1, 3, 20, 5, 1, 10, 15

Maximum login attempts delay
Maximum time in seconds between failed login attempts before re-prompting.
Values: 1, 2, 3, 4, 5, 4

Ensure that User Home Directories are not Group-Writable or World-Readable
For each human user of the system, view the
permissions of the user's home directory:
# ls -ld /home/USER
Ensure that the directory is not group-writable and that it
is not world-readable. If necessary, repair the permissions:
# chmod g-w /home/USER
# chmod o-rwx /home/USER
Warning: This action may involve modifying user home directories.
Notify your user community, and solicit input if appropriate,
before making this type of change.
References:
  CIS CSC: 12, 13, 14, 15, 16, 18, 3, 5
  COBIT 5: APO01.06, DSS05.04, DSS05.07, DSS06.02
  DISA CCI: CCI-000225
  ISA-62443-2009: 4.3.3.7.3
  ISA-62443-2013: SR 2.1, SR 5.2
  ISO 27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
  NIST 800-53: CM-6(a), AC-6(1)
  NIST CSF: PR.AC-4, PR.DS-5
Rationale: User home directories contain many configuration files which
affect the behavior of a user's account. No user should ever have
write permission to another user's home directory. Group shared
directories can be configured in sub-directories or elsewhere in the
filesystem if they are needed. Typically, user home directories
should not be world-readable, as it would disclose file names
to other users. If a subset of users need read access
to one another's home directories, this can be provided using
groups or ACLs.
Identifiers: CCE-80201-7

Set Interactive Session Timeout
Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity. The TMOUT
setting in /etc/profile should read as follows:
TMOUT=
References:
  ANSSI: NT28(R29)
  CIS CSC: 1, 12, 15, 16
  COBIT 5: DSS05.04, DSS05.10, DSS06.10
  NIST 800-171: 3.1.11
  DISA CCI: CCI-001133, CCI-000361
  ISA-62443-2009: 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
  ISA-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
  ISO 27001-2013: A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
  NIST 800-53: AC-12, SC-10, AC-2(5), CM-6(a)
  NIST CSF: PR.AC-7
  OSPP: FMT_MOF_EXT.1
  OS SRG: SRG-OS-000163-GPOS-00072
  DISA STIG ID: RHEL-07-040160
  DISA STIG ref: SV-86847r4_rule
  VMM SRG: SRG-OS-000163-VMM-000700, SRG-OS-000279-VMM-001010
Rationale: Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended.
Identifiers: CCE-27557-8
var_accounts_tmout=""
if grep --silent ^TMOUT /etc/profile ; then
sed -i "s/^TMOUT.*/TMOUT=$var_accounts_tmout/g" /etc/profile
else
echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile
echo "TMOUT=$var_accounts_tmout" >> /etc/profile
fi
- name: XCCDF Value var_accounts_tmout # promote to variable
set_fact:
var_accounts_tmout: !!str
tags:
- always
- name: Set Interactive Session Timeout
block:
- name: Deduplicate values from /etc/profile
lineinfile:
path: /etc/profile
create: false
regexp: ^\s*TMOUT=
state: absent
- name: Check if /etc/profile.d exists
stat:
path: /etc/profile.d
register: _etc_profile_d_exists
- name: Check if the parameter TMOUT is present in /etc/profile.d
find:
paths: /etc/profile.d
recurse: 'yes'
follow: 'no'
contains: ^\s*TMOUT=
register: _etc_profile_d_has_parameter
when: _etc_profile_d_exists.stat.isdir is defined and _etc_profile_d_exists.stat.isdir
- name: Remove parameter from files in /etc/profile.d
lineinfile:
path: '{{ item.path }}'
create: false
regexp: ^\s*TMOUT=
state: absent
with_items: '{{ _etc_profile_d_has_parameter.files }}'
when: _etc_profile_d_has_parameter.matched
- name: Insert correct line to /etc/profile
lineinfile:
path: /etc/profile
create: true
line: TMOUT={{ var_accounts_tmout }}
state: present
validate: bash -n %s
tags:
- accounts_tmout
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27557-8
- DISA-STIG-RHEL-07-040160
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-SC-10
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
User Initialization Files Must Be Owned By the Primary User
Set the owner of the user initialization files for interactive users to
the primary owner with the following command:
$ sudo chown USER /home/USER/.*
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020690
  DISA STIG ref: SV-86653r3_rule
Rationale: Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon.
Identifiers: CCE-80527-5

Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
Set the mode of the user initialization files to 0740 with the
following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020710
  DISA STIG ref: SV-86657r3_rule
Rationale: Local initialization files are used to configure the user's shell environment
upon logon. Malicious modification of these files could compromise accounts upon
logon.
Identifiers: CCE-80525-9

All Interactive Users Home Directories Must Exist
Create home directories for all interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020620
  DISA STIG ref: SV-86639r2_rule
Rationale: If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access.
Identifiers: CCE-80529-1

Ensure Home Directories are Created for New Users
All local interactive user accounts, upon creation, should be assigned a home directory.
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:
CREATE_HOME yes
References:
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020610
  DISA STIG ref: SV-86637r2_rule
Rationale: If local interactive users are not assigned a valid home directory, there is no place
for the storage and control of files they should own.
Identifiers: CCE-80434-4
if ! grep -q ^CREATE_HOME /etc/login.defs; then
echo "CREATE_HOME yes" >> /etc/login.defs
else
sed -i "s/^\(CREATE_HOME\).*/\1 yes/g" /etc/login.defs
fi
Ensure the Logon Failure Delay is Set Correctly in login.defs
To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY
References:
  CIS CSC: 11, 3, 9
  COBIT 5: BAI10.01, BAI10.02, BAI10.03, BAI10.05
  DISA CCI: CCI-000366
  ISA-62443-2009: 4.3.4.3.2, 4.3.4.3.3
  ISA-62443-2013: SR 7.6
  ISO 27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  NIST 800-53: AC-7(b), CM-6(a)
  NIST CSF: PR.IP-1
  OS SRG: SRG-OS-000480-GPOS-00226
  DISA STIG ID: RHEL-07-010430
  DISA STIG ref: SV-86575r2_rule
Rationale: Increasing the time between a failed authentication attempt and re-prompting to
enter credentials helps to slow a single-threaded brute force attack.
Identifiers: CCE-80352-8
# Set variables
var_accounts_fail_delay=""
# replace_or_append is provided by the scap-security-guide shared remediation
# function library: it rewrites the first line matching the key regex, or
# appends a new line formatted with the given printf pattern ('KEY VALUE').
replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" 'CCE-80352-8' '%s %s'
- name: XCCDF Value var_accounts_fail_delay # promote to variable
set_fact:
var_accounts_fail_delay: !!str
tags:
- always
- name: Set accounts logon fail delay
lineinfile:
dest: /etc/login.defs
regexp: ^FAIL_DELAY
line: FAIL_DELAY {{ var_accounts_fail_delay }}
create: true
tags:
- accounts_logon_fail_delay
- low_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80352-8
- DISA-STIG-RHEL-07-010430
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
Change the group of a local interactive user's files and directories to a
group that the interactive user is a member of. To change the group owner of a
local interactive user's files and directories, use the following command:
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020670
  DISA STIG ref: SV-86649r2_rule
Rationale: If a local interactive user's files are group-owned by a group of which the
user is not a member, unintended users may be able to access them.
Identifiers: CCE-80534-1

All Interactive User Home Directories Must Be Owned By The Primary User
Change the owner of interactive users' home directories to the correct
owner. To change the owner of an interactive user's home directory, use
the following command:
$ sudo chown USER /home/USER
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020640
  DISA STIG ref: SV-86643r5_rule
Rationale: If a local interactive user does not own their home directory, unauthorized
users could access or modify the user's files, and the users may not be able to
access their own files.
Identifiers: CCE-80531-7

Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf:
* hard maxlogins
References:
  CIS CSC: 14, 15, 18, 9
  CJIS: 5.5.2.2
  COBIT 5: DSS01.05, DSS05.02
  DISA CCI: CCI-000054
  ISA-62443-2009: 4.3.3.4
  ISA-62443-2013: SR 3.1, SR 3.8
  ISO 27001-2013: A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
  NIST 800-53: AC-10, CM-6(a)
  NIST CSF: PR.AC-5
  OS SRG: SRG-OS-000027-GPOS-00008
  DISA STIG ID: RHEL-07-040000
  DISA STIG ref: SV-86841r3_rule
  VMM SRG: SRG-OS-000027-VMM-000080
Rationale: Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions.
Identifiers: CCE-82041-5
var_accounts_max_concurrent_login_sessions=""
if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
else
echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
fi
- name: XCCDF Value var_accounts_max_concurrent_login_sessions # promote to variable
set_fact:
var_accounts_max_concurrent_login_sessions: !!str
tags:
- always
- name: Limit the Number of Concurrent Login Sessions Allowed Per User
lineinfile:
state: present
dest: /etc/security/limits.conf
insertbefore: ^# End of file
regexp: ^#?\*.*maxlogins
line: '* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}'
create: true
tags:
- accounts_max_concurrent_login_sessions
- low_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82041-5
- DISA-STIG-RHEL-07-040000
- NIST-800-53-AC-10
- NIST-800-53-CM-6(a)
- CJIS-5.5.2.2
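The interactive-user home directory rules of this section (the assigned directory exists, is owned and group-owned by the user, has mode 0750 or less permissive, and its initialization files are owned by the user with mode 0740 or less permissive) can be audited together. The script below is an added example and not scap-security-guide content; it assumes GNU coreutils stat as shipped on RHEL 7, audits a constructed directory tree rather than /home, and takes the user's passwd fields as arguments instead of reading /etc/passwd.

```shell
#!/bin/sh
# Added example (not scap-security-guide content): audit one interactive
# user's home directory against the ownership and mode rules of this section.
# Assumes GNU coreutils stat (as on RHEL 7); operates on a constructed tree,
# never on /etc/passwd or /home.

# audit_home USER UID GID HOME
# Prints one finding per line; returns the number of findings (0 = compliant).
audit_home() {
    user=$1; uid=$2; gid=$3; home=$4; n=0

    # RHEL-07-020620: the home directory assigned in /etc/passwd must exist
    if [ ! -d "$home" ]; then
        echo "$user: home directory $home does not exist"
        return 1
    fi

    # Owner uid, group gid and octal mode of the directory itself
    set -- $(stat -c '%u %g %a' "$home")
    # RHEL-07-020640: owned by the user
    [ "$1" = "$uid" ] || { echo "$user: $home owned by uid $1, expected $uid"; n=$((n + 1)); }
    # RHEL-07-020650: group-owned by the user's primary group
    [ "$2" = "$gid" ] || { echo "$user: $home group-owned by gid $2, expected $gid"; n=$((n + 1)); }
    # RHEL-07-020630: mode 0750 or less permissive, i.e. no bit set outside rwxr-x---
    if [ $(( 0$3 & ~0750 & 0777 )) -ne 0 ]; then
        echo "$user: $home has mode $3, expected 0750 or less permissive"; n=$((n + 1))
    fi

    # Initialization files: every dotfile directly under the home directory
    for f in "$home"/.[!.]*; do
        [ -e "$f" ] || continue          # the pattern matched nothing
        set -- $(stat -c '%u %g %a' "$f")
        # RHEL-07-020690 / RHEL-07-020700: owned and group-owned by the user
        [ "$1" = "$uid" ] || { echo "$user: ${f##*/} owned by uid $1, expected $uid"; n=$((n + 1)); }
        [ "$2" = "$gid" ] || { echo "$user: ${f##*/} group-owned by gid $2, expected $gid"; n=$((n + 1)); }
        # RHEL-07-020710: mode 0740 or less permissive
        if [ $(( 0$3 & ~0740 & 0777 )) -ne 0 ]; then
            echo "$user: ${f##*/} has mode $3, expected 0740 or less permissive"; n=$((n + 1))
        fi
    done
    return $n
}

# make_fixture DIR: constructed sample data. "alice" is compliant; "bob" has a
# world-readable home directory and a group-writable .profile (two findings).
make_fixture() {
    mkdir -p "$1/alice" "$1/bob"
    chmod 0750 "$1/alice"; : > "$1/alice/.bashrc";  chmod 0640 "$1/alice/.bashrc"
    chmod 0755 "$1/bob";   : > "$1/bob/.profile";   chmod 0664 "$1/bob/.profile"
}

# demo: build the fixture in a temporary directory, audit both users plus a
# user whose assigned home directory is missing, and print the findings.
demo() {
    fixture=$(mktemp -d)
    make_fixture "$fixture"
    for u in alice bob carol; do
        echo "== $u"
        audit_home "$u" "$(id -u)" "$(id -g)" "$fixture/$u" || echo "   -> $? finding(s)"
    done
    rm -rf "$fixture"
}

demo
```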
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
Set the mode on files and directories in the local interactive user home
directory with the following command:
$ sudo chmod 0750 /home/USER/FILE_DIR
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020680
  DISA STIG ref: SV-86651r2_rule
Rationale: If a local interactive user's files have excessive permissions, unintended users
may be able to access or modify them.
Identifiers: CCE-80535-8

Ensure that Users Path Contains Only Local Directories
Ensure that the executable search path statements in all interactive users'
initialization files do not reference a working
directory other than the user's home directory.
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020720
  DISA STIG ref: SV-86659r4_rule
Rationale: The executable search path (typically the PATH environment variable) contains a
list of directories for the shell to search to find executables. If this path
includes the current working directory (other than the user's home directory),
executables in these directories may be executed instead of system commands.
This variable is formatted as a colon-separated list of directories. If there is
an empty entry, such as a leading or trailing colon or two consecutive colons,
this is interpreted as the current working directory. If deviations from the
default system search path for the local interactive user are required, they
must be documented with the Information System Security Officer (ISSO).
Identifiers: CCE-80524-2

All Interactive User Home Directories Must Be Group-Owned By The Primary User
Change the group owner of interactive users' home directories to the
group found in /etc/passwd. To change the group owner of
an interactive user's home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020650
  DISA STIG ref: SV-86645r5_rule
Rationale: If the Group Identifier (GID) of a local interactive user's home directory is
not the same as the primary GID of the user, this would allow unauthorized
access to the user's files, and users that share the same group may not be
able to access files that they legitimately should.
Identifiers: CCE-80532-5

All Interactive Users Must Have A Home Directory Defined
Assign home directories to all interactive users that currently do not
have a home directory assigned.
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020600
  DISA STIG ref: SV-86635r2_rule
Rationale: If local interactive users are not assigned a valid home directory, there is no
place for the storage and control of files they should own.
Identifiers: CCE-80528-3

User Initialization Files Must Not Run World-Writable Programs
Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod 0755 FILE
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020730
  DISA STIG ref: SV-86661r2_rule
Rationale: If user start-up files execute world-writable programs, especially in
unprotected directories, they could be maliciously modified to destroy user
files or otherwise compromise the system at the user level. If the system is
compromised at the user level, it is easier to elevate privileges to eventually
compromise the system at the root and network level.
Identifiers: CCE-80523-4

All User Files and Directories In The Home Directory Must Be Owned By The Primary User
Change the owner of an interactive user's files and directories to the correct
owner. To change the owner of a local interactive user's files and
directories, use the following command:
$ sudo chown -R USER /home/USER
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020660
  DISA STIG ref: SV-86647r2_rule
Rationale: If local interactive users do not own the files in their directories,
unauthorized users may be able to access them. Additionally, if files are not
owned by the user, this could be an indication of system compromise.
Identifiers: CCE-80533-3

User Initialization Files Must Be Group-Owned By The Primary User
Change the group owner of interactive users' files to the group found
in /etc/passwd for the user. To change the group owner of a local
interactive user's home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020700
  DISA STIG ref: SV-86655r4_rule
Rationale: Local initialization files for interactive users are used to configure the
user's shell environment upon logon. Malicious modification of these files could
compromise accounts upon logon.
Identifiers: CCE-80526-7

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
Change the mode of interactive users' home directories to 0750. To
change the mode of an interactive user's home directory, use the
following command:
$ sudo chmod 0750 /home/USER
References:
  DISA CCI: CCI-000366
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-020630
  DISA STIG ref: SV-86641r3_rule
Rationale: Excessive permissions on local interactive user home directories may allow
unauthorized access to user files by other users.
Identifiers: CCE-80530-9

Ensure that No Dangerous Directories Exist in Root's Path
The active path of the root account can be obtained by
starting a new root shell and running:
# echo $PATH
This will produce a colon-separated list of
directories in the path.
Certain path elements could be considered dangerous, as they could lead
to root executing unknown or
untrusted programs, which could contain malicious
code.
Since root may sometimes work inside
untrusted directories, the . character, which represents the
current directory, should never be in the root path, nor should any
directory which can be written to by an unprivileged or
semi-privileged (system) user.
It is a good practice for administrators to always execute
privileged commands by typing the full path to the
command.

Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Ensure that none of the directories in root's path is equal to a single
. character, or
that it contains any instances that lead to relative path traversal, such as
.. or beginning a path without the slash (/) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character.
References:
  CIS CSC: 11, 3, 9
  COBIT 5: BAI10.01, BAI10.02, BAI10.03, BAI10.05
  DISA CCI: CCI-000366
  ISA-62443-2009: 4.3.4.3.2, 4.3.4.3.3
  ISA-62443-2013: SR 7.6
  ISO 27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  NIST 800-53: CM-6(a)
  NIST CSF: PR.IP-1
Rationale: Including these entries increases the risk that root could
execute code from an untrusted location.
Identifiers: CCE-80199-3

Ensure that Root's Path Does Not Include World or Group-Writable Directories
For each element in root's path, run:
# ls -ld DIR
and ensure that write permissions are disabled for group and
other.
References:
  CIS CSC: 11, 3, 9
  COBIT 5: BAI10.01, BAI10.02, BAI10.03, BAI10.05
  DISA CCI: CCI-000366
  ISA-62443-2009: 4.3.4.3.2, 4.3.4.3.3
  ISA-62443-2013: SR 7.6
  ISO 27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  NIST 800-53: CM-6(a)
  NIST CSF: PR.IP-1
Rationale: Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code.
Identifiers: CCE-80200-9
- name: Print error message if user is not root
fail:
msg: Root account required to read root $PATH
when: ansible_user != "root"
ignore_errors: true
tags:
- accounts_root_path_dirs_no_write
- medium_severity
- restrict_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80200-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- name: Get root paths which are not symbolic links
stat:
path: '{{ item }}'
changed_when: false
failed_when: false
register: root_paths
with_items: '{{ ansible_env.PATH.split('':'') }}'
when: ansible_user == "root"
tags:
- accounts_root_path_dirs_no_write
- medium_severity
- restrict_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80200-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- name: Disable writability to root directories
file:
path: '{{ item.item }}'
mode: g-w,o-w
with_items: '{{ root_paths.results }}'
when:
- root_paths.results is defined
- item.stat.exists
- not item.stat.islnk
tags:
- accounts_root_path_dirs_no_write
- medium_severity
- restrict_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80200-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
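The user PATH rule above (RHEL-07-020720) and the two root-path rules come down to one check: split the colon-separated list, flag empty, relative and ".."-containing elements, and flag directories that group or other can write to. The script below is an added example and not scap-security-guide content; it assumes GNU coreutils stat as shipped on RHEL 7 and uses the three empty-element PATH examples given in the text as constructed input.

```shell
#!/bin/sh
# Added example (not scap-security-guide content): audit a PATH value against
# the rules in this section. Assumes GNU coreutils stat (as on RHEL 7).

# check_path_value PATH_STRING
# Structural checks on the string itself, so it applies to root's PATH and to
# the PATH= statements in a user's initialization files alike. Prints one
# finding per offending element; returns the number of findings (0 = clean).
check_path_value() {
    rest="$1:"; n=0          # trailing ':' so the loop also sees the last element
    while [ -n "$rest" ]; do
        elem=${rest%%:*}; rest=${rest#*:}
        case $elem in
            '')   echo "empty element (acts as the current directory)"; n=$((n + 1)) ;;
            .|..) echo "relative element '$elem'"; n=$((n + 1)) ;;
            /*)   # absolute, but may still carry . or .. components
                  case $elem in
                      */./*|*/../*|*/.|*/..) echo "relative component in '$elem'"; n=$((n + 1)) ;;
                  esac ;;
            *)    echo "relative element '$elem' (no leading /)"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

# check_path_dirs PATH_STRING
# For each element that exists as a directory, report group- or world-write
# permission (the root PATH rule); returns the number of findings.
check_path_dirs() {
    rest="$1:"; n=0
    while [ -n "$rest" ]; do
        elem=${rest%%:*}; rest=${rest#*:}
        [ -d "$elem" ] || continue
        mode=$(stat -c '%a' "$elem")
        # 022 masks the group-write and other-write bits of the octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "'$elem' is writable by group or other (mode $mode)"; n=$((n + 1))
        fi
    done
    return $n
}

# demo: the three empty-element examples from the text, a mixed case, and the
# PATH of the current shell.
demo() {
    for p in ':/bin' '/bin:' '/bin::/sbin' '/bin:.:bin:/usr/../bin' "$PATH"; do
        echo "== PATH=$p"
        check_path_value "$p" || echo "   -> $? finding(s)"
    done
    echo "== directory permissions of PATH=$PATH"
    check_path_dirs "$PATH" || echo "   -> $? finding(s)"
}

demo
```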
Ensure that Users Have Sensible Umask Values
The umask setting controls the default permissions
for the creation of new files.
With a default umask setting of 077, files and directories
created by users will not be readable by any other user on the
system. Users who wish to make specific files group- or
world-readable can accomplish this by using the chmod command.
Additionally, users can make all their files readable to their
group by default by setting a umask of 027 in their shell
configuration files. If default per-user groups exist (that is, if
every user has a default group whose name is the same as that
user's username and whose only member is the user), then it may
even be safe for users to select a umask of 007, making it very
easy to intentionally share files with groups of which the user is
a member.
Sensible umask
Enter default user umask
Values: 027, 077, 027, 007, 022

Ensure the Default Umask is Set Correctly For Interactive Users
Remove the UMASK environment variable from all interactive users' initialization files.
References:
  DISA CCI: CCI-001814
  OS SRG: SRG-OS-000480-GPOS-00227
  DISA STIG ID: RHEL-07-021040
  DISA STIG ref: SV-86673r2_rule
Rationale: The umask controls the default access mode assigned to newly created files. A
umask of 077 limits new files to mode 700 or less permissive. Although umask can
be represented as a four-digit number, the first digit representing special
access modes is typically ignored or required to be 0. This requirement
applies to the globally configured system defaults and the local interactive
user defaults for each account on the system.
Identifiers: CCE-80536-6

Ensure the Default Umask is Set Correctly in login.defs
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK
References:
  ANSSI: NT28(R35)
  CIS CSC: 11, 18, 3, 9
  COBIT 5: APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05
  DISA CCI: CCI-000366
  ISA-62443-2009: 4.3.4.3.2, 4.3.4.3.3
  ISA-62443-2013: SR 7.6
  ISO 27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5
  NIST 800-53: AC-6(1), CM-6(a)
  NIST CSF: PR.IP-1, PR.IP-2
  OS SRG: SRG-OS-000480-GPOS-00228
  DISA STIG ID: RHEL-07-020240
  DISA STIG ref: SV-86619r2_rule
Rationale: The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users.
Identifiers: CCE-80205-8
var_accounts_user_umask=""
# replace_or_append is provided by the scap-security-guide shared remediation
# function library: it rewrites the first line matching the key regex, or
# appends a new line formatted with the given printf pattern ('KEY VALUE').
replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" 'CCE-80205-8' '%s %s'
- name: XCCDF Value var_accounts_user_umask # promote to variable
set_fact:
var_accounts_user_umask: !!str
tags:
- always
- name: Ensure the Default UMASK is Set Correctly
lineinfile:
create: true
dest: /etc/login.defs
regexp: ^UMASK
line: UMASK {{ var_accounts_user_umask }}
tags:
- accounts_umask_etc_login_defs
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80205-8
- DISA-STIG-RHEL-07-020240
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
Ensure the Default Bash Umask is Set Correctly
To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask
References:
  CJIS: 5.4.4
  CIS CSC: 18
  COBIT 5: APO13.01, BAI03.01, BAI03.02, BAI03.03
  DISA CCI: CCI-000366
  ISA-62443-2009: 4.3.4.3.3
  ISO 27001-2013: A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5
  NIST 800-53: AC-6(1), CM-6(a)
  NIST CSF: PR.IP-2
  OS SRG: SRG-OS-000480-GPOS-00228
Rationale: The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
Identifiers: CCE-80202-5
var_accounts_user_umask=""
grep -q umask /etc/bashrc && \
sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
if ! [ $? -eq 0 ]; then
echo "umask $var_accounts_user_umask" >> /etc/bashrc
fi
- name: XCCDF Value var_accounts_user_umask # promote to variable
set_fact:
var_accounts_user_umask: !!str
tags:
- always
- name: Set user umask in /etc/bashrc
replace:
path: /etc/bashrc
regexp: umask.*
replace: umask {{ var_accounts_user_umask }}
tags:
- accounts_umask_etc_bashrc
- unknown_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80202-5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
Ensure the Default C Shell Umask is Set Correctly
To ensure the default umask for users of the C shell is set properly,
add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask
References:
  CIS CSC: 18
  COBIT 5: APO13.01, BAI03.01, BAI03.02, BAI03.03
  DISA CCI: CCI-000366
  ISA-62443-2009: 4.3.4.3.3
  ISO 27001-2013: A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5
  NIST 800-53: AC-6(1), CM-6(a)
  NIST CSF: PR.IP-2
  OS SRG: SRG-OS-000480-GPOS-00228
Rationale: The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
Identifiers: CCE-80203-3
var_accounts_user_umask=""
grep -q umask /etc/csh.cshrc && \
sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
if ! [ $? -eq 0 ]; then
echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
fi
- name: XCCDF Value var_accounts_user_umask # promote to variable
set_fact:
var_accounts_user_umask: !!str
tags:
- always
- name: Set user umask in /etc/csh.cshrc
replace:
path: /etc/csh.cshrc
regexp: umask.*
replace: umask {{ var_accounts_user_umask }}
tags:
- accounts_umask_etc_csh_cshrc
- unknown_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80203-3
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask
References:
  ANSSI: NT28(R35)
  CJIS: 5.4.4
  CIS CSC: 18
  COBIT 5: APO13.01, BAI03.01, BAI03.02, BAI03.03
  DISA CCI: CCI-000366
  ISA-62443-2009: 4.3.4.3.3
  ISO 27001-2013: A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5
  NIST 800-53: AC-6(1), CM-6(a)
  NIST CSF: PR.IP-2
  OS SRG: SRG-OS-000480-GPOS-00228
Rationale: The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
Identifiers: CCE-80204-1
var_accounts_user_umask=""
grep -q umask /etc/profile && \
sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
if ! [ $? -eq 0 ]; then
echo "umask $var_accounts_user_umask" >> /etc/profile
fi
- name: XCCDF Value var_accounts_user_umask # promote to variable
set_fact:
var_accounts_user_umask: !!str
tags:
- always
- name: Set user umask in /etc/profile
replace:
path: /etc/profile
regexp: umask.*
replace: umask {{ var_accounts_user_umask }}
tags:
- accounts_umask_etc_profile
- unknown_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80204-1
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
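The two umask rules above only rewrite the file; they do not tell you what umask is actually in force, and their grep matches any line mentioning "umask", including comments. The following is an added audit helper, not part of the SCAP Security Guide, that serves both the /etc/csh.cshrc and the /etc/profile rule: it extracts the last uncommented umask value from a start-up file and checks that it masks at least the permission bits of a required value (so 077 satisfies a required 027, but 022 does not). The sample files and the 027 requirement are constructed for the demonstration; on a real system the paths would be /etc/profile and /etc/csh.cshrc.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): audit the umask set in a
# shell start-up file instead of rewriting it blindly. All files below are
# constructed under a temporary directory; nothing under /etc is touched.

# umask_in_file FILE -> print the argument of the last uncommented "umask"
# line in FILE, or "none" when no umask is set there.
umask_in_file() {
    # Only lines that start with "umask" count, so a comment that merely
    # mentions umask (which "grep -q umask" would match) is ignored.
    value=$(sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$value" ]; then
        echo "$value"
    else
        echo none
    fi
}

# umask_at_least FILE REQUIRED -> exit 0 when the umask found in FILE clears
# every permission bit that REQUIRED clears (e.g. 077 satisfies 027).
umask_at_least() {
    found=$(umask_in_file "$1")
    required=$2
    [ "$found" = none ] && return 1
    # A leading zero makes the shell treat both values as octal.
    [ $(( 0$found & 0$required )) -eq $(( 0$required )) ]
}

# Constructed stand-ins for /etc/profile and /etc/csh.cshrc.
demo_umask_audit() {
    dir=$(mktemp -d)
    printf '# umask is set below\nif [ "$UID" -gt 199 ]; then\n    umask 002\nelse\n    umask 022\nfi\n' > "$dir/profile"
    printf '# this file only mentions umask in a comment\n' > "$dir/csh.cshrc"
    printf 'umask 077\n' > "$dir/hardened.profile"
    for f in profile csh.cshrc hardened.profile; do
        if umask_at_least "$dir/$f" 027; then
            echo "$f: umask $(umask_in_file "$dir/$f") meets the required 027"
        else
            echo "$f: umask $(umask_in_file "$dir/$f") does NOT meet the required 027"
        fi
    done
    rm -rf "$dir"
}

demo_umask_audit
```

The bitwise test is what makes the comparison meaningful: umask values are masks, so a numerically larger value is not automatically stricter (0027 clears more bits than 0700 for "other" even though 0700 is larger).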
Warning Banners for System Accesses

Each system should expose as little information about itself as possible.

System banners, which are typically displayed just before a login prompt, give out information about the service or the host's operating system. This might include the distribution name and the system kernel version, and the particular version of a network service. This information can assist intruders in gaining access to the system as it can reveal whether the system is running vulnerable software. Most network services can be configured to limit what information is displayed.

Many organizations implement security policies that require that a system banner provide notice of the system's ownership, provide warning to unauthorized users, and remind authorized users of their consent to monitoring.

Login Banner Verbiage

Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.

The selectable values of this variable are regular expressions that match the approved banner texts (any run of whitespace or line breaks is matched by [\s\n]+):

Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.

--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.

You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.

(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)

I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.

Modify the System Message of the Day Banner

To configure the system message banner edit /etc/motd. Replace the
default text with a message compliant with the local site policy or a legal disclaimer.

The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

Rationale:

Display of a standardized and approved use notification before granting access to the operating system ensures that the privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Remediation Shell script:

login_banner_text=""
# The selected value is a regular expression matching several banner
# variants; turn it back into plain text before writing it out.
expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')
# Wrap at 80 columns, breaking at spaces.
formatted=$(echo "$expanded" | fold -sw 80)
cat <<EOF >/etc/motd
$formatted
EOF
printf "\n" >> /etc/motd
Modify the System Login Banner

To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer.

The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.

References: 1.7.1.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, RHEL-07-010050, SV-86487r3_rule, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070

Rationale:

Display of a standardized and approved use notification before granting access to the operating system ensures that the privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Identifiers: CCE-27303-7

Remediation Shell script:

login_banner_text=""
# The selected value is a regular expression matching several banner
# variants; turn it back into plain text before writing it out.
expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g')
# Wrap at 80 columns, breaking at spaces.
formatted=$(echo "$expanded" | fold -sw 80)
cat <<EOF >/etc/issue
$formatted
EOF
printf "\n" >> /etc/issue
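The remediations for /etc/motd and /etc/issue above write the banner with fold -sw 80, so the file's line breaks differ from the approved text while the guide's regular expression still matches because it treats every run of whitespace as equivalent. The helper below is an added example, not SCAP Security Guide code, covering both rules: it compares a banner file against the approved text the same way (whitespace-insensitive), and it also lists the agetty escape sequences (\S, \r, \m and similar) that the stock /etc/issue uses to print the OS name and kernel release, which is exactly the information the introduction to this section says a banner should not reveal. The file names and the short approved text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): verify a banner file against
# approved text, ignoring line-wrapping differences, and flag agetty escapes
# that leak system details. Files are constructed in a temporary directory.

# Collapse every run of whitespace (spaces, tabs, newlines) to one space
# and trim both ends, so wrapped and unwrapped text compare equal.
normalize_ws() {
    tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# banner_matches FILE EXPECTED -> exit 0 when FILE holds exactly EXPECTED
# modulo whitespace; extra lines (such as the stock kernel line) or a
# truncated banner make it fail.
banner_matches() {
    have=$(normalize_ws < "$1")
    want=$(printf '%s' "$2" | normalize_ws)
    [ "$have" = "$want" ]
}

# leaking_escapes FILE -> space-separated, sorted list of agetty(8)
# escapes found in FILE: \r kernel release, \m architecture, \s system
# name, \S OS name, \v kernel version, \o domain name.
leaking_escapes() {
    grep -o '\\[rmsSvo]' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed stand-ins for /etc/issue: the stock file and a remediated one.
demo_banner_check() {
    dir=$(mktemp -d)
    approved='This system is for the use of authorized users only. Individuals using this computer system without authority are subject to having all their activities monitored and recorded.'
    # Stock RHEL 7 /etc/issue content: escapes expand to OS name and kernel.
    printf '\\S\nKernel \\r on an \\m\n' > "$dir/issue.default"
    # What the remediation above produces: wrapped text plus a newline.
    printf '%s\n' "$approved" | fold -sw 80 > "$dir/issue.remediated"
    printf '\n' >> "$dir/issue.remediated"
    for f in issue.default issue.remediated; do
        if banner_matches "$dir/$f" "$approved"; then
            echo "$f: approved banner present"
        else
            echo "$f: banner missing or altered; leaking escapes: '$(leaking_escapes "$dir/$f")'"
        fi
    done
    rm -rf "$dir"
}

demo_banner_check
```

Comparing for exact (whitespace-normalized) equality rather than a substring match is deliberate: a file that contains the approved text but still ends with the default "Kernel \r on an \m" line passes a substring check yet keeps disclosing the kernel release to anyone who reaches the login prompt.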
Implement a GUI Warning Banner

In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager (GDM). The warning banner should be displayed in this graphical environment for these users. The following sections describe how to configure the GDM login banner.

Enable GNOME3 Login Warning Banner

In the default graphical environment, a login warning banner can be displayed on the GNOME Display Manager's login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable in /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
banner-message-enable=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/banner-message-enable

After the settings have been set, run dconf update. The banner text must also be set.

References: 1.7.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, RHEL-07-010030, SV-86483r4_rule

Rationale:

Display of a standardized and approved use notification before granting access to the operating system ensures that the privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Identifiers: CCE-26970-4

Remediation Shell script:

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # No keyfile declares the section yet: start one. A blank line keeps the
    # new section separate from anything already in the file.
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
    printf '%s=%s\n' "banner-message-enable" "true" >> ${DCONFFILE}
else
    # Escape backslashes so the value survives the sed replacement below.
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*banner-message-enable" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update

# Check for the lock in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi
dconf update

Remediation Ansible snippet:

- name: Enable GNOME3 Login Warning Banner
  ini_file:
    # The GDM login screen reads the gdm database: the same directory the
    # description and the shell remediation above use.
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: banner-message-enable
    value: 'true'
    create: true
  tags:
    - dconf_gnome_banner_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-26970-4
    - DISA-STIG-RHEL-07-010030
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)

- name: Prevent user modification of GNOME banner-message-enabled
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/banner-message-enable
    line: /org/gnome/login-screen/banner-message-enable
    create: true
  tags:
    - dconf_gnome_banner_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-26970-4
    - DISA-STIG-RHEL-07-010030
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)
Set the GNOME3 Login Warning Banner Text

In the default graphical environment, the text of the login warning banner shown on the GNOME Display Manager's login screen is configured by setting banner-message-text to the string 'APPROVED_BANNER', where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text in /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/login-screen/banner-message-text

After the settings have been set, run dconf update.

When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.

References: 1.7.2, 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, RHEL-07-010040, SV-86485r4_rule

Rationale:

An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.

Identifiers: CCE-26892-0

Remediation Shell script:

login_banner_text=""
# The selected value is a regular expression matching several banner
# variants; turn it into a quoted GVariant string for the keyfile.
expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # No keyfile declares the section yet: start one. A blank line keeps the
    # new section separate from anything already in the file.
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
    printf '%s=%s\n' "banner-message-text" "'${expanded}'" >> ${DCONFFILE}
else
    # Escape backslashes so the value survives the sed replacement below.
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${expanded}'")"
    if grep -q "^\\s*banner-message-text" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update

# Check for the lock in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-text$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/login-screen/banner-message-text" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi
dconf update

Remediation Ansible snippet:

- name: XCCDF Value login_banner_text # promote to variable
  set_fact:
    login_banner_text: !!str
  tags:
    - always

- name: Set the GNOME3 Login Warning Banner Text
  file:
    path: /etc/dconf/db/{{ item }}
    owner: root
    group: root
    mode: '0755'
    state: directory
  with_items:
    - gdm.d
    - gdm.d/locks
  tags:
    - dconf_gnome_login_banner_text
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-26892-0
    - DISA-STIG-RHEL-07-010040
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)

- name: Set the GNOME3 Login Warning Banner Text
  file:
    path: /etc/dconf/db/gdm.d/{{ item }}
    owner: root
    group: root
    mode: '0644'
    state: touch
  with_items:
    - 00-security-settings
    - locks/00-security-settings-lock
  tags:
    - dconf_gnome_login_banner_text
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-26892-0
    - DISA-STIG-RHEL-07-010040
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)

- name: Set the GNOME3 Login Warning Banner Text
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: banner-message-text
    value: '{{ login_banner_text }}'
    create: true
  tags:
    - dconf_gnome_login_banner_text
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-26892-0
    - DISA-STIG-RHEL-07-010040
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)

- name: Prevent user modification of the GNOME3 Login Warning Banner Text
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    # dconf lock entries are absolute key paths, so the leading slash is required
    regexp: ^/org/gnome/login-screen/banner-message-text$
    line: /org/gnome/login-screen/banner-message-text
    create: true
    state: present
  tags:
    - dconf_gnome_login_banner_text
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-26892-0
    - DISA-STIG-RHEL-07-010040
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
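Both GDM rules above require two things that are easy to get only half right: the key must be set under the [org/gnome/login-screen] group in a keyfile of the gdm database, and the key must also appear in a lock file, otherwise a user can override it. The helper below is an added example, not SCAP Security Guide code, that checks both for banner-message-enable and banner-message-text at once. It assumes a database directory laid out like /etc/dconf/db/gdm.d (keyfiles plus a locks/ subdirectory) and that, as dconf compiles them, a key defined in a later keyfile overrides an earlier one; the directory used here is constructed under a temporary path.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): audit a dconf database
# directory for the GDM banner keys and their locks. DBDIR is constructed
# in a temporary directory; on a real system it would be /etc/dconf/db/gdm.d.

# dconf_key_value DBDIR SECTION KEY -> print the value KEY has in the
# [SECTION] group across all keyfiles in DBDIR (the last file wins, mirroring
# the assumption that later keyfiles override earlier ones), or nothing.
dconf_key_value() {
    dbdir=$1; section=$2; key=$3
    for f in "$dbdir"/*; do
        [ -f "$f" ] || continue
        awk -v section="[$section]" -v key="$key" '
            /^[ \t]*\[/ { in_section = ($0 == section); next }
            in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
                sub("^[^=]*=[ \t]*", ""); value = $0
            }
            END { if (value != "") print value }' "$f"
    done | tail -n 1
}

# dconf_key_locked DBDIR KEYPATH -> exit 0 when a file under DBDIR/locks
# lists KEYPATH (an absolute path such as /org/gnome/login-screen/banner-message-enable).
dconf_key_locked() {
    [ -d "$1/locks" ] && grep -qxF "$2" "$1"/locks/* 2>/dev/null
}

# gdm_banner_status DBDIR -> "compliant", or the first problem found:
# banner enabled, enable key locked, text set as a quoted string, text locked.
gdm_banner_status() {
    dbdir=$1
    enabled=$(dconf_key_value "$dbdir" org/gnome/login-screen banner-message-enable)
    text=$(dconf_key_value "$dbdir" org/gnome/login-screen banner-message-text)
    if [ "$enabled" != "true" ]; then
        echo "banner-message-enable is '${enabled:-unset}', expected true"
    elif ! dconf_key_locked "$dbdir" /org/gnome/login-screen/banner-message-enable; then
        echo "banner-message-enable is not locked"
    elif [ -z "$text" ] || [ "$text" = "''" ]; then
        echo "banner-message-text is unset or empty"
    elif ! printf '%s' "$text" | grep -q "^'.*'$"; then
        echo "banner-message-text is not a quoted string"
    elif ! dconf_key_locked "$dbdir" /org/gnome/login-screen/banner-message-text; then
        echo "banner-message-text is not locked"
    else
        echo compliant
    fi
}

# Constructed gdm.d directory, written the way the rules' remediations would.
demo_gdm_banner() {
    dir=$(mktemp -d)
    mkdir -p "$dir/gdm.d/locks"
    text="'Authorized use only. Activity on this system is monitored.'"
    printf '%s\n' "[org/gnome/login-screen]" "banner-message-enable=true" \
        "banner-message-text=$text" > "$dir/gdm.d/00-security-settings"
    echo "before locks: $(gdm_banner_status "$dir/gdm.d")"
    printf '%s\n' /org/gnome/login-screen/banner-message-enable \
        /org/gnome/login-screen/banner-message-text > "$dir/gdm.d/locks/00-security-settings-lock"
    echo "after locks:  $(gdm_banner_status "$dir/gdm.d")"
    rm -rf "$dir"
}

demo_gdm_banner
```

Run against a real system, the audit would be invoked as gdm_banner_status /etc/dconf/db/gdm.d; the keyfiles are what dconf update compiles, so a keyfile that looks right but was never compiled is a separate failure this check does not see.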
Enable GUI Warning Banner

To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command:

$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/gdm/simple-greeter/banner_message_enable true

To display a banner, this setting must be enabled and then banner text must also be set.

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7

Rationale:

An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers.

Set GUI Warning Banner Text

To set the text shown by the GNOME Display Manager in the login screen, run the following command:

$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type string \
    --set /apps/gdm/simple-greeter/banner_message_text \
    "Text of the warning banner here"

When entering a warning banner that spans several lines, remember to begin and end the string with ". This command writes directly either to /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml, if it exists, or to the file /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml. Either of these files can later be edited directly if necessary.

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7

Rationale:

An appropriate warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers.

Protect Accounts by Configuring PAM

PAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it should be configured to minimize exposure to unnecessary risk. This section contains guidance on how to accomplish that.

PAM is implemented as a set of shared objects which are loaded and invoked whenever an application wishes to authenticate a user. Typically, the application must be running as root in order to take advantage of PAM, because PAM's modules often need to be able to access sensitive stores of account information, such as /etc/shadow. Traditional privileged network listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this requirement. An SUID root application, userhelper, is provided so that programs which are not SUID or privileged themselves can still take advantage of PAM.

PAM looks in the directory /etc/pam.d for application-specific configuration information. For instance, if the program login attempts to authenticate a user, then PAM's libraries follow the instructions in the file /etc/pam.d/login to determine what actions should be taken.

One very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is included by many other PAM configuration files, defines 'default' system authentication measures. Modifying this file is a good way to make far-reaching authentication changes, for instance when implementing a centralized authentication service.

Be careful when making changes to PAM's configuration files. The syntax for these files is complex, and modifications can have unexpected consequences. The default configurations shipped with applications should be sufficient for most users.

Running authconfig or system-config-authentication will re-write the PAM configuration files, destroying any manually made changes and replacing them with a series of system defaults. One reference to the configuration file syntax can be found at http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html.

remember

The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently.

Available values: 0, 4, 5, 24, 5, 10

Ensure PAM Displays Last Logon/Access Notification

To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:

session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed

References: 1, 12, 15, 16, 5.5.2, DSS05.04, DSS05.10, DSS06.10, CCI-000366, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9(1), CM-6(a), PR.AC-7, Req-10.2.4, SRG-OS-000480-GPOS-00227, RHEL-07-040530, SV-86899r4_rule

Rationale:

Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.

Identifiers: CCE-27275-7

Remediation Shell script:

if grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin; then
    # Drop any existing pam_lastlog lines so the two appended below are the only ones.
    sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi
# Note: the pam_succeed_if line shown in the description is not added by this script.
echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin
echo "session optional pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin
Set Password Hashing Algorithm

The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.

Set Password Hashing Algorithm in /etc/login.defs

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

References: NT28(R32), 6.3.1, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, RHEL-07-010210, SV-86545r2_rule

Rationale:

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. Using a stronger hashing algorithm makes password cracking attacks more difficult.

Identifiers: CCE-82050-6

Remediation Shell script:

if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
    sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
else
    echo "" >> /etc/login.defs
    echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs
fi

Remediation Ansible snippet:

- name: Set Password Hashing Algorithm in /etc/login.defs
  linein
file:
    dest: /etc/login.defs
    regexp: ^#?ENCRYPT_METHOD
    line: ENCRYPT_METHOD SHA512
    state: present
    create: true
  tags:
    - set_password_hashing_algorithm_logindefs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82050-6
    - PCI-DSS-Req-8.2.1
    - DISA-STIG-RHEL-07-010210
    - NIST-800-171-3.13.11
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.6.2.2

Set PAM's Password Hashing Algorithm

The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

password sufficient pam_unix.so sha512 other arguments...

This will help ensure that when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

References: 6.3.1, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, RHEL-07-010200, SV-86543r3_rule, SRG-OS-000480-VMM-002000

Rationale:

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

Identifiers: CCE-82043-1

Remediation Shell script:

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pamFile in "${AUTH_FILES[@]}"
do
    # Append sha512 to the pam_unix.so password line unless it is already there.
    if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
        sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
    fi
done
Set Password Hashing Algorithm in /etc/libuser.conf

In /etc/libuser.conf, add or correct the following line in its
[defaults] section to ensure the system will use the SHA-512
algorithm for password hashing:

crypt_style = sha512

References: CCI-000196; NIST 800-171 3.13.11; NIST 800-53 IA-5(c), IA-5(1)(c), CM-6(a); PCI-DSS Req-8.2.1; SRG-OS-000073-GPOS-00041; SRG-OS-000480-VMM-002000; DISA STIG RHEL-07-010220 (SV-86547r3_rule)

Rationale: Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kept in plain text.
This setting ensures user and group account administration utilities are
configured to store only encrypted representations of passwords.
Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult.

Identifiers: CCE-82038-1

Remediation Shell script:

LIBUSER_CONF="/etc/libuser.conf"
CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*'
# Try to find crypt_style in the [defaults] section. If it is there, change the algorithm to sha512.
# If it is not there, add it to the [defaults] section (creating the section if needed).
if grep -qzosP "$CRYPT_STYLE_REGEX" "$LIBUSER_CONF" ; then
  sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" "$LIBUSER_CONF"
elif grep -qs "\[defaults]" "$LIBUSER_CONF" ; then
  sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" "$LIBUSER_CONF"
else
  echo -e "[defaults]\ncrypt_style = sha512" >> "$LIBUSER_CONF"
fi

Remediation Ansible snippet:

- name: Set Password Hashing Algorithm in /etc/libuser.conf
  lineinfile:
    dest: /etc/libuser.conf
    insertafter: ^\s*\[defaults]
    regexp: ^#?crypt_style
    line: crypt_style = sha512
    state: present
    create: true
  tags:
    - set_password_hashing_algorithm_libuserconf
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82038-1
    - PCI-DSS-Req-8.2.1
    - DISA-STIG-RHEL-07-010220
    - NIST-800-171-3.13.11
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.6.2.2
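As an added example (not part of the SCAP Security Guide content), the following Python audit reads the two configuration locations covered by this group of rules and also classifies the hashes already present in /etc/shadow, because changing ENCRYPT_METHOD or crypt_style only affects passwords set after the change. All file contents below are constructed samples, and the hash strings are placeholders with only the prefix and length of real ones.

```python
"""Audit where RHEL 7 selects its password hashing algorithm (/etc/login.defs and the
[defaults] section of /etc/libuser.conf) and classify the hashes already in /etc/shadow."""
import re

def login_defs_encrypt_method(text):
    """Effective ENCRYPT_METHOD in login.defs content; the last active line wins."""
    method = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "ENCRYPT_METHOD" and len(parts) == 2:
            method = parts[1].strip().upper()
    return method

def libuser_crypt_style(text):
    """crypt_style from [defaults] only; the same key in another section does not count."""
    section, style = None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "defaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "crypt_style":
                style = value.lower()
    return style

def shadow_hash_algorithm(field):
    """Classify the password field of one /etc/shadow entry by its crypt(3) prefix."""
    if field == "":
        return "empty"        # no secret at all: a finding in its own right
    if field.startswith(("!", "*")):
        return "locked"       # locked or never set: nothing usable to crack
    for prefix, name in (("$6$", "sha512"), ("$5$", "sha256"), ("$1$", "md5")):
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"          # legacy 13-character DES hash carries no prefix
    return "unknown"

def weak_shadow_accounts(shadow_text, required="sha512"):
    """(user, algorithm) for every account whose usable hash is not `required`."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        algorithm = shadow_hash_algorithm(fields[1] if len(fields) > 1 else "")
        if algorithm not in ("locked", required):
            findings.append((fields[0], algorithm))
    return findings

def audit_hashing(login_defs, libuser_conf, shadow):
    """Combine the configuration checks with the shadow scan into a list of findings."""
    findings = []
    if login_defs_encrypt_method(login_defs) != "SHA512":
        findings.append("login.defs: ENCRYPT_METHOD is not SHA512")
    if libuser_crypt_style(libuser_conf) != "sha512":
        findings.append("libuser.conf: crypt_style is not sha512 in [defaults]")
    for user, algorithm in weak_shadow_accounts(shadow):
        findings.append(f"shadow: {user}: {algorithm}")
    return findings

# Constructed sample files, not taken from any host. login.defs leaves the
# SHA512 line commented out and sets MD5 further down.
SAMPLE_LOGIN_DEFS = """
# ENCRYPT_METHOD SHA512
UMASK 077
ENCRYPT_METHOD MD5
"""
# crypt_style sits under [import], so [defaults] has no setting at all.
SAMPLE_LIBUSER_CONF = """
[defaults]
skeleton = /etc/skel
[import]
crypt_style = sha512
"""
# Hash strings are placeholders with only the prefix and length of real ones.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18000:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDERxxxxxxxxxxx:18000:0:99999:7:::
bob:abJnggxhB/yWI:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    print("\n".join(audit_hashing(SAMPLE_LOGIN_DEFS, SAMPLE_LIBUSER_CONF, SAMPLE_SHADOW)))
```

On a real host the same functions can be fed the contents of the three files; an account still carrying an MD5 or DES hash will only pick up SHA-512 when its password is next changed.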
Set Lockouts for Failed Password Attempts

The pam_faillock PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
/usr/share/doc/pam-VERSION/txts/README.pam_faillock.
Locking out user accounts presents the
risk of a denial-of-service attack. The lockout policy
must weigh whether the risk of such a
denial-of-service attack outweighs the benefits of thwarting
password guessing attacks.

The rules in this group are parameterized by three XCCDF values:

fail_deny: Number of failed login attempts before account lockout
fail_interval: Interval for counting failed login attempts before account lockout
fail_unlock_time: Seconds before automatic unlocking or permanently locking after excessive failed logins

Configure the root Account for Failed Password Attempts

To configure the system to lock out the root account after a
number of incorrect login attempts using pam_faillock.so, modify
the content of both /etc/pam.d/system-auth and
/etc/pam.d/password-auth as follows:

Modify the following line in the AUTH section to add
even_deny_root:

auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=

Modify the following line in the AUTH section to add
even_deny_root:

auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=

References: CCI-002238; NIST 800-53 CM-6(a), AC-7(b), IA-5(c); FMT_MOF_EXT.1; SRG-OS-000329-GPOS-00128; SRG-OS-000021-GPOS-00005; DISA STIG RHEL-07-010330 (SV-86569r4_rule)

Rationale: By limiting the number of failed logon attempts, the risk of unauthorized system access via user password
guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Identifiers: CCE-80353-6

Remediation Shell script:

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
# This script fixes the absence of pam_faillock.so in the PAM stack or the
# absence of even_deny_root in the pam_faillock.so arguments.
# When inserting auth pam_faillock.so entries, the entry with the preauth
# argument is added before the pam_unix.so module and the entry with the
# authfail argument is added right after it. The placement of pam_faillock.so
# entries is not changed if they are already present.
for pamFile in "${AUTH_FILES[@]}"
do
  # if the PAM file is missing, the system is not using PAM or is broken
  if [ ! -f "$pamFile" ]; then
    continue
  fi
  # is 'auth required' here?
  if grep -q "^auth.*required.*pam_faillock.so.*" "$pamFile"; then
    # does 'auth required' have the even_deny_root option?
    if ! grep -q "^auth.*required.*pam_faillock.so.*preauth.*even_deny_root" "$pamFile"; then
      # even_deny_root is not present
      sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*\).*/\1 even_deny_root/" "$pamFile"
    fi
  else
    # no 'auth required', add it
    sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth required pam_faillock.so preauth silent even_deny_root" "$pamFile"
  fi
  # is 'auth [default=die]' here?
  if grep -q "^auth.*\[default=die\].*pam_faillock.so.*" "$pamFile"; then
    # does 'auth [default=die]' have the even_deny_root option?
    if ! grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*even_deny_root" "$pamFile"; then
      # even_deny_root is not present
      sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\).*/\1 even_deny_root/" "$pamFile"
    fi
  else
    # no 'auth [default=die]', add it
    sed -i --follow-symlinks "/^auth.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail silent even_deny_root" "$pamFile"
  fi
done
Remediation Ansible snippet:

- name: Add auth pam_faillock preauth even_deny_root before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent even_deny_root
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny_root
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80353-6
    - DISA-STIG-RHEL-07-010330
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-53-IA-5(c)

- name: Add even_deny_root argument to auth pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent even_deny_root
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny_root
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80353-6
    - DISA-STIG-RHEL-07-010330
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-53-IA-5(c)

- name: Add auth pam_faillock authfail even_deny_root after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail even_deny_root
    state: after
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny_root
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80353-6
    - DISA-STIG-RHEL-07-010330
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-53-IA-5(c)

- name: Add even_deny_root argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail even_deny_root
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny_root
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80353-6
    - DISA-STIG-RHEL-07-010330
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-53-IA-5(c)

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny_root
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80353-6
    - DISA-STIG-RHEL-07-010330
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-53-IA-5(c)
Set Lockout Time for Failed Password Attempts

To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using pam_faillock.so,
modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

Add the following line immediately before the pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

Add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:

account required pam_faillock.so

If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user.

References: CCI-002238; NIST 800-171 3.1.8; NIST 800-53 CM-6(a), AC-7(b); FMT_MOF_EXT.1; PCI-DSS Req-8.1.7; SRG-OS-000329-GPOS-00128; SRG-OS-000021-GPOS-00005; SRG-OS-000329-VMM-001180; DISA STIG RHEL-07-010320 (SV-86567r5_rule)

Rationale: Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks. Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations.

Identifiers: CCE-26884-7

Remediation Shell script:

var_accounts_passwords_pam_faillock_unlock_time=""   # XCCDF value; set to the chosen number of seconds before running
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
for pam_file in "${AUTH_FILES[@]}"
do
  # is auth required pam_faillock.so preauth present?
  if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
    # is the option set?
    if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*unlock_time=([0-9]*).*$' "$pam_file" ; then
      # change only the value of the option, leaving any options after it intact
      sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*\)\(unlock_time *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
    else
      # the option is not set: append it
      sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
    fi
  else
    # auth required pam_faillock.so preauth is not present: insert the whole line before pam_unix.so
    sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file"
  fi
  # is auth [default=die] pam_faillock.so authfail present?
  if grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then
    # is the option set?
    if grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*unlock_time=([0-9]*).*$' "$pam_file" ; then
      # change only the value of the option, leaving any options after it intact
      sed -i --follow-symlinks 's/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\(unlock_time *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
    else
      # the option is not set: append it
      sed -i --follow-symlinks '/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
    fi
  else
    # auth [default=die] pam_faillock.so authfail is not present: insert the whole line after pam_unix.so
    sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file"
  fi
  # make sure the account section calls pam_faillock.so before pam_unix.so
  if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
    sed -E -i --follow-symlinks '/^\s*account\s+required\s+pam_unix.so/i account required pam_faillock.so' "$pam_file"
  fi
done
Remediation Ansible snippet:

- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_unlock_time: !!str
  tags:
    - always

- name: Add auth pam_faillock preauth unlock_time before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-26884-7
    - PCI-DSS-Req-8.1.7
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - CJIS-5.5.3

- name: Add unlock_time argument to pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-26884-7
    - PCI-DSS-Req-8.1.7
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - CJIS-5.5.3

- name: Add auth pam_faillock authfail unlock_time after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
    state: after
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-26884-7
    - PCI-DSS-Req-8.1.7
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - CJIS-5.5.3

- name: Add unlock_time argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-26884-7
    - PCI-DSS-Req-8.1.7
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - CJIS-5.5.3

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-26884-7
    - PCI-DSS-Req-8.1.7
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - CJIS-5.5.3
Limit Password Reuse

Do not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the pam_unix
or pam_pwhistory PAM modules.
In the file /etc/pam.d/system-auth, append remember=
to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below:

for the pam_unix.so case:

password sufficient pam_unix.so ...existing_options... remember=

for the pam_pwhistory.so case:

password requisite pam_pwhistory.so ...existing_options... remember=

The DoD STIG requirement is 5 passwords.

References: CCI-000200; NIST 800-171 3.5.8; NIST 800-53 IA-5(f), IA-5(1)(e); PCI-DSS Req-8.2.5; SRG-OS-000077-GPOS-00045; SRG-OS-000077-VMM-000440; DISA STIG RHEL-07-010270 (SV-86557r3_rule)

Rationale: Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Identifiers: CCE-82030-8

Remediation Shell script:

var_password_pam_unix_remember=""   # XCCDF value; set to the number of previous passwords to remember before running
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pamFile in "${AUTH_FILES[@]}"
do
  if grep -q "^password.*sufficient.*pam_unix.so.*remember=" "$pamFile"; then
    # remember= is already on the pam_unix.so line: replace only its value
    sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" "$pamFile"
  else
    # no remember= yet: append it to the pam_unix.so line
    sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" "$pamFile"
  fi
done
Remediation Ansible snippet:

- name: XCCDF Value var_password_pam_unix_remember # promote to variable
  set_fact:
    var_password_pam_unix_remember: !!str
  tags:
    - always

- name: Do not allow users to reuse recent passwords - system-auth (change)
  replace:
    dest: /etc/pam.d/system-auth
    follow: true
    regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$
    replace: \g<1>{{ var_password_pam_unix_remember }}\g<3>
  tags:
    - accounts_password_pam_unix_remember
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-82030-8
    - PCI-DSS-Req-8.2.5
    - DISA-STIG-RHEL-07-010270
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(e)
    - CJIS-5.6.2.1.1

- name: Do not allow users to reuse recent passwords - system-auth (add)
  replace:
    dest: /etc/pam.d/system-auth
    follow: true
    regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$
    replace: \g<0> remember={{ var_password_pam_unix_remember }}
  tags:
    - accounts_password_pam_unix_remember
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-82030-8
    - PCI-DSS-Req-8.2.5
    - DISA-STIG-RHEL-07-010270
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(e)
    - CJIS-5.6.2.1.1
Set Interval For Counting Failed Password Attempts

Utilizing pam_faillock.so, the fail_interval directive
configures the system to lock out an account after a number of incorrect
login attempts within a specified time period. Modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth
as follows:

Add the following line immediately before the
pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

Add the following line immediately after the
pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

Add the following line immediately before the
pam_unix.so statement in the ACCOUNT section:

account required pam_faillock.so

References: CCI-002238, CCI-000044; NIST 800-53 CM-6(a), AC-7(a); FMT_MOF_EXT.1; SRG-OS-000329-GPOS-00128; SRG-OS-000021-GPOS-00005; SRG-OS-000021-VMM-000050; DISA STIG RHEL-07-010320 (SV-86567r5_rule)

Rationale: By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account.

Identifiers: CCE-27297-1

Remediation Shell script:

var_accounts_passwords_pam_faillock_fail_interval=""   # XCCDF value; set to the chosen interval in seconds before running
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
for pam_file in "${AUTH_FILES[@]}"
do
  # is auth required pam_faillock.so preauth present?
  if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
    # is the option set?
    if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$' "$pam_file" ; then
      # change only the value of the option, leaving any options after it intact
      sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*\)\(fail_interval *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
    else
      # the option is not set: append it
      sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
    fi
  else
    # auth required pam_faillock.so preauth is not present: insert the whole line before pam_unix.so
    sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval" "$pam_file"
  fi
  # is auth [default=die] pam_faillock.so authfail present?
  if grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then
    # is the option set?
    if grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$' "$pam_file" ; then
      # change only the value of the option, leaving any options after it intact
      sed -i --follow-symlinks 's/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\(fail_interval *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
    else
      # the option is not set: append it
      sed -i --follow-symlinks '/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
    fi
  else
    # auth [default=die] pam_faillock.so authfail is not present: insert the whole line after pam_unix.so
    sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval" "$pam_file"
  fi
  # make sure the account section calls pam_faillock.so before pam_unix.so
  if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
    sed -E -i --follow-symlinks '/^\s*account\s+required\s+pam_unix.so/i account required pam_faillock.so' "$pam_file"
  fi
done
Remediation Ansible snippet:

- name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_fail_interval: !!str
  tags:
    - always

- name: Add auth pam_faillock preauth fail_interval before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27297-1
    - DISA-STIG-RHEL-07-010320
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

- name: Add fail_interval argument to auth pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27297-1
    - DISA-STIG-RHEL-07-010320
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

- name: Add auth pam_faillock authfail fail_interval after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}
    state: after
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27297-1
    - DISA-STIG-RHEL-07-010320
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

- name: Add fail_interval argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27297-1
    - DISA-STIG-RHEL-07-010320
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27297-1
    - DISA-STIG-RHEL-07-010320
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
Set Deny For Failed Password Attempts

To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so, modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

Add the following line immediately before the pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

Add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:

account required pam_faillock.so

References: CCI-002238, CCI-000044; NIST 800-171 3.1.8; NIST 800-53 CM-6(a), AC-7(a); FMT_MOF_EXT.1; PCI-DSS Req-8.1.6; SRG-OS-000329-GPOS-00128; SRG-OS-000021-GPOS-00005; SRG-OS-000021-VMM-000050; DISA STIG RHEL-07-010320 (SV-86567r5_rule)

Rationale: Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.

Identifiers: CCE-27350-8

Remediation Shell script:

var_accounts_passwords_pam_faillock_deny=""   # XCCDF value; set to the chosen number of attempts before running
AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
for pam_file in "${AUTH_FILES[@]}"
do
  # is auth required pam_faillock.so preauth present?
  if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
    # is the option set?
    if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*deny=([0-9]*).*$' "$pam_file" ; then
      # change only the value of the option, leaving any options after it intact
      sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*\)\(deny *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
    else
      # the option is not set: append it
      sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
    fi
  else
    # auth required pam_faillock.so preauth is not present: insert the whole line before pam_unix.so
    sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent deny='"$var_accounts_passwords_pam_faillock_deny" "$pam_file"
  fi
  # is auth [default=die] pam_faillock.so authfail present?
  if grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then
    # is the option set?
    if grep -qE '^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*deny=([0-9]*).*$' "$pam_file" ; then
      # change only the value of the option, leaving any options after it intact
      sed -i --follow-symlinks 's/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\(deny *= *\)[0-9]*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
    else
      # the option is not set: append it
      sed -i --follow-symlinks '/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
    fi
  else
    # auth [default=die] pam_faillock.so authfail is not present: insert the whole line after pam_unix.so
    sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail deny='"$var_accounts_passwords_pam_faillock_deny" "$pam_file"
  fi
  # make sure the account section calls pam_faillock.so before pam_unix.so
  if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
    sed -E -i --follow-symlinks '/^\s*account\s+required\s+pam_unix.so/i account required pam_faillock.so' "$pam_file"
  fi
done
Remediation Ansible snippet:

- name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_deny: !!str
  tags:
    - always

- name: Add auth pam_faillock preauth deny before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }}
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27350-8
    - PCI-DSS-Req-8.1.6
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - CJIS-5.5.3

- name: Add deny argument to auth pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27350-8
    - PCI-DSS-Req-8.1.6
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - CJIS-5.5.3

- name: Add auth pam_faillock authfail deny after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
    state: after
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27350-8
    - PCI-DSS-Req-8.1.6
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - CJIS-5.5.3

- name: Add deny argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27350-8
    - PCI-DSS-Req-8.1.6
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - CJIS-5.5.3

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27350-8
    - PCI-DSS-Req-8.1.6
    - DISA-STIG-RHEL-07-010320
    - NIST-800-171-3.1.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - CJIS-5.5.3
Set Password Quality Requirements

The default pam_pwquality PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes. The
pam_pwquality module is the preferred way of configuring
password requirements.
The pam_cracklib PAM module can also provide strength
checking for passwords, in the same way as the pam_pwquality module.
It performs a number of checks, such as making sure passwords are
not similar to dictionary words, are of at least a certain length,
are not the previous password reversed, and are not simply a change
of case from the previous password. It can also require passwords to
be in certain character classes.
The man pages pam_pwquality(8) and pam_cracklib(8)
provide information on the capabilities and configuration of
each.

Set Password Quality Requirements with pam_pwquality

The pam_pwquality PAM module can be configured to meet
requirements for a variety of policies.
For example, to configure pam_pwquality to require at least one uppercase
character, lowercase character, digit, and other (special)
character, make sure that pam_pwquality exists in /etc/pam.d/system-auth:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
Next, modify the settings in /etc/security/pwquality.conf to match the following:
difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.

Parameter       Description                                                                                      Selectable values (default included)
minclass        Minimum number of categories of characters that must exist in a password                        3, 1, 2, 3, 4
ucredit         Minimum number of upper-case characters in password                                              -1, 0, -2, -1
maxrepeat       Maximum number of consecutive repeating characters in a password                                 3, 1, 2, 3
difok           Minimum number of characters not present in old password                                         1, 2, 3, 4, 5, 6, 7, 8, 15, 8
lcredit         Minimum number of lower-case characters in password                                              -1, 0, -2, -1
maxclassrepeat  Maximum number of consecutive repeating characters in a password from the same character class   4, 1, 2, 3, 4
ocredit         Minimum number of other (special) characters in password                                         -1, 0, -2, -1
dcredit         Minimum number of digits in password                                                             -1, 0, -2, -1
retry           Number of retry attempts before erroring out                                                     1, 2, 3, 4, 5, 3
minlen          Minimum number of characters in password                                                         6, 7, 8, 10, 12, 14, 15, 15

Ensure PAM Enforces Password Requirements - Minimum Length

The pam_pwquality module's minlen parameter controls the
minimum number of characters required in a password. Add minlen=
after pam_pwquality to set minimum password length requirements.
The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a
password in resisting attempts at guessing and brute-force attacks.
Password length is one factor of several that helps to determine strength
and how long it takes to crack a password. Use of more characters in a password
helps to exponentially increase the time and/or resources required to
compromise the password.
CCE-27293-0
var_password_pam_minlen=""
replace_or_append '/etc/security/pwquality.conf' '^minlen' $var_password_pam_minlen 'CCE-27293-0' '%s = %s'
- name: XCCDF Value var_password_pam_minlen # promote to variable
set_fact:
var_password_pam_minlen: !!str
tags:
- always
- name: Ensure PAM variable minlen is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*minlen
line: minlen = {{ var_password_pam_minlen }}
tags:
- accounts_password_pam_minlen
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27293-0
- PCI-DSS-Req-8.2.3
- DISA-STIG-RHEL-07-010280
- NIST-800-53-IA-5(c)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- CJIS-5.6.2.1.1
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class

The pam_pwquality module's maxclassrepeat parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
maxclassrepeat setting in /etc/security/pwquality.conf to equal
to prevent a run of ( + 1) or more identical characters.
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex a password, the greater the number of possible combinations that need to be tested before the
password is compromised.
CCE-27512-3
var_password_pam_maxclassrepeat=""
replace_or_append '/etc/security/pwquality.conf' '^maxclassrepeat' $var_password_pam_maxclassrepeat 'CCE-27512-3' '%s = %s'
- name: XCCDF Value var_password_pam_maxclassrepeat # promote to variable
set_fact:
var_password_pam_maxclassrepeat: !!str
tags:
- always
- name: Ensure PAM variable maxclassrepeat is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*maxclassrepeat
line: maxclassrepeat = {{ var_password_pam_maxclassrepeat }}
tags:
- accounts_password_pam_maxclassrepeat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27512-3
- DISA-STIG-RHEL-07-010190
- NIST-800-53-IA-5(c)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
Set Password Maximum Consecutive Repeating Characters

The pam_pwquality module's maxrepeat parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the maxrepeat setting
in /etc/security/pwquality.conf to equal to prevent a
run of ( + 1) or more identical characters.
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before the
password is compromised.
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
CCE-82055-5
var_password_pam_maxrepeat=""
replace_or_append '/etc/security/pwquality.conf' '^maxrepeat' $var_password_pam_maxrepeat 'CCE-82055-5' '%s = %s'
- name: XCCDF Value var_password_pam_maxrepeat # promote to variable
set_fact:
var_password_pam_maxrepeat: !!str
tags:
- always
- name: Ensure PAM variable maxrepeat is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*maxrepeat
line: maxrepeat = {{ var_password_pam_maxrepeat }}
tags:
- accounts_password_pam_maxrepeat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82055-5
- DISA-STIG-RHEL-07-010180
- NIST-800-53-IA-5(c)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
Ensure PAM Enforces Password Requirements - Minimum Digit Characters

The pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords.
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
CCE-27214-6
var_password_pam_dcredit=""
replace_or_append '/etc/security/pwquality.conf' '^dcredit' $var_password_pam_dcredit 'CCE-27214-6' '%s = %s'
- name: XCCDF Value var_password_pam_dcredit # promote to variable
set_fact:
var_password_pam_dcredit: !!str
tags:
- always
- name: Ensure PAM variable dcredit is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*dcredit
line: dcredit = {{ var_password_pam_dcredit }}
tags:
- accounts_password_pam_dcredit
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27214-6
- PCI-DSS-Req-8.2.3
- DISA-STIG-RHEL-07-010140
- NIST-800-53-IA-5(c)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
Ensure PAM Enforces Password Requirements - Minimum Different Categories

The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry
to require
differing categories of characters when changing passwords.
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.
Requiring a minimum number of character categories makes password guessing attacks more difficult
by ensuring a larger search space.
CCE-82045-6
var_password_pam_minclass=""
replace_or_append '/etc/security/pwquality.conf' '^minclass' $var_password_pam_minclass 'CCE-82045-6' '%s = %s'
- name: XCCDF Value var_password_pam_minclass # promote to variable
set_fact:
var_password_pam_minclass: !!str
tags:
- always
- name: Ensure PAM variable minclass is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*minclass
line: minclass = {{ var_password_pam_minclass }}
tags:
- accounts_password_pam_minclass
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82045-6
- DISA-STIG-RHEL-07-010170
- NIST-800-53-IA-5(c)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
Ensure PAM Enforces Password Requirements - Minimum Different Characters

The pam_pwquality module's difok parameter sets the number of characters
in a password that must not be present in an old password during a password change.
Modify the difok setting in /etc/security/pwquality.conf
to equal to require differing characters
when changing passwords.
Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long
it takes to crack a password. The more complex the password, the
greater the number of possible combinations that need to be tested
before the password is compromised.
Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however.
CCE-82020-9
var_password_pam_difok=""
replace_or_append '/etc/security/pwquality.conf' '^difok' $var_password_pam_difok 'CCE-82020-9' '%s = %s'
- name: XCCDF Value var_password_pam_difok # promote to variable
set_fact:
var_password_pam_difok: !!str
tags:
- always
- name: Ensure PAM variable difok is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*difok
line: difok = {{ var_password_pam_difok }}
tags:
- accounts_password_pam_difok
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82020-9
- DISA-STIG-RHEL-07-010160
- NIST-800-53-IA-5(c)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- CJIS-5.6.2.1.1
Ensure PAM Enforces Password Requirements - Minimum Special Characters

The pam_pwquality module's ocredit parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number,
any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting
in /etc/security/pwquality.conf to equal
to require use of a special character in passwords.
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
CCE-27360-7
var_password_pam_ocredit=""
replace_or_append '/etc/security/pwquality.conf' '^ocredit' $var_password_pam_ocredit 'CCE-27360-7' '%s = %s'
- name: XCCDF Value var_password_pam_ocredit # promote to variable
set_fact:
var_password_pam_ocredit: !!str
tags:
- always
- name: Ensure PAM variable ocredit is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*ocredit
line: ocredit = {{ var_password_pam_ocredit }}
tags:
- accounts_password_pam_ocredit
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27360-7
- DISA-STIG-RHEL-07-010150
- NIST-800-53-IA-5(c)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

The pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords.
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
CCE-27345-8
var_password_pam_lcredit=""
replace_or_append '/etc/security/pwquality.conf' '^lcredit' $var_password_pam_lcredit 'CCE-27345-8' '%s = %s'
- name: XCCDF Value var_password_pam_lcredit # promote to variable
set_fact:
var_password_pam_lcredit: !!str
tags:
- always
- name: Ensure PAM variable lcredit is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*lcredit
line: lcredit = {{ var_password_pam_lcredit }}
tags:
- accounts_password_pam_lcredit
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27345-8
- PCI-DSS-Req-8.2.3
- DISA-STIG-RHEL-07-010130
- NIST-800-53-IA-5(c)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

The pam_pwquality module's ucredit parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords.
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.
CCE-27200-5
var_password_pam_ucredit=""
replace_or_append '/etc/security/pwquality.conf' '^ucredit' $var_password_pam_ucredit 'CCE-27200-5' '%s = %s'
- name: XCCDF Value var_password_pam_ucredit # promote to variable
set_fact:
var_password_pam_ucredit: !!str
tags:
- always
- name: Ensure PAM variable ucredit is set accordingly
lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*ucredit
line: ucredit = {{ var_password_pam_ucredit }}
tags:
- accounts_password_pam_ucredit
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27200-5
- PCI-DSS-Req-8.2.3
- DISA-STIG-RHEL-07-010120
- NIST-800-53-IA-5(c)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
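To see how the pwquality settings above interact on concrete passwords, here is an added Python example (not part of the guide and not libpwquality itself) that parses a constructed pwquality.conf fragment and applies the minlen, credit, minclass, maxrepeat, maxclassrepeat and difok rules as the preceding rules describe them; the difok check is a simplification of libpwquality's similarity test, and the defaults table reflects libpwquality's documented defaults.

```python
#!/usr/bin/env python3
"""Evaluate a candidate password against pam_pwquality-style settings.

Added example: re-implements the settings' semantics so their effect can be
seen on sample passwords; it is not libpwquality and not the guide's content.
"""
import re
from typing import Dict, Sequence

# Constructed pwquality.conf fragment with the values the guide's example uses
# plus maxclassrepeat; sample input, not a file read from a live system.
SAMPLE_CONF = """\
# /etc/security/pwquality.conf (constructed sample)
difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
maxclassrepeat = 4
"""

# libpwquality defaults for the integer settings handled here (0 = no rule).
DEFAULTS = {"difok": 1, "minlen": 8, "dcredit": 0, "ucredit": 0, "lcredit": 0,
            "ocredit": 0, "minclass": 0, "maxrepeat": 0, "maxclassrepeat": 0}

CREDIT_FOR_CLASS = {"digit": "dcredit", "upper": "ucredit",
                    "lower": "lcredit", "other": "ocredit"}


def parse_pwquality_conf(text: str) -> Dict[str, int]:
    """Parse 'key = value' integer settings on top of the defaults; comments
    and non-integer keys (dictpath, badwords, ...) are ignored."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"(\w+)\s*=\s*(-?\d+)", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def char_class(c: str) -> str:
    """Map a character to one of pwquality's four classes."""
    if c.isdigit():
        return "digit"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    return "other"


def longest_run(items: Sequence) -> int:
    """Length of the longest run of consecutive equal items."""
    best = run = 0
    prev = object()
    for it in items:
        run = run + 1 if it == prev else 1
        prev = it
        best = max(best, run)
    return best


def check_password(pw: str, settings: Dict[str, int], old: str = "") -> Dict[str, str]:
    """Return {setting: reason} for every setting the password violates;
    an empty dict means these rules would accept the password."""
    get = lambda k: settings.get(k, DEFAULTS[k])  # noqa: E731
    failures: Dict[str, str] = {}
    classes = [char_class(c) for c in pw]
    counts = {cls: classes.count(cls) for cls in CREDIT_FOR_CLASS}

    # Credits: a negative value N requires at least -N characters of the class;
    # a positive value lets up to N characters of the class count as extra length.
    effective_len = len(pw)
    for cls, key in CREDIT_FOR_CLASS.items():
        credit = get(key)
        if credit < 0 and counts[cls] < -credit:
            failures[key] = f"needs at least {-credit} {cls} character(s), has {counts[cls]}"
        elif credit > 0:
            effective_len += min(counts[cls], credit)
    if effective_len < get("minlen"):
        failures["minlen"] = f"effective length {effective_len} is below minlen {get('minlen')}"

    present = sum(1 for n in counts.values() if n)
    if present < get("minclass"):
        failures["minclass"] = f"uses {present} character classes, minclass is {get('minclass')}"

    if get("maxrepeat") > 0 and longest_run(pw) > get("maxrepeat"):
        failures["maxrepeat"] = f"a character repeats more than {get('maxrepeat')} times in a row"
    if get("maxclassrepeat") > 0 and longest_run(classes) > get("maxclassrepeat"):
        failures["maxclassrepeat"] = f"more than {get('maxclassrepeat')} consecutive characters of one class"

    # difok, simplified: count new-password characters absent from the old one.
    # libpwquality's real similarity test also compares positions and the
    # reversed old password, so this is an approximation.
    if old and get("difok") > 0:
        differing = sum(1 for c in pw if c not in old)
        if differing < get("difok"):
            failures["difok"] = f"only {differing} character(s) differ from the old password, difok is {get('difok')}"
    return failures


if __name__ == "__main__":
    cfg = parse_pwquality_conf(SAMPLE_CONF)
    for candidate in ("Tr0ub4dor&3", "Correct-Horse-Battery-9", "Xq7-Ab3-Cd9-Ef1-Gh5"):
        print(candidate, check_password(candidate, cfg) or "accepted")
```

Note that "Correct-Horse-Battery-9" is rejected solely by maxclassrepeat (six consecutive lowercase letters), which is the kind of policy interaction worth testing before rolling the setting out.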
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

To configure the number of retry prompts that are permitted per-session:
Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to
show retry=, or a lower value if
site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session.
Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module.
CCE-27160-1
var_password_pam_retry=""
if grep -q "retry=" /etc/pam.d/system-auth ; then
    # Replace only the value token after retry=, so arguments that follow it
    # (for example authtok_type=) are preserved rather than truncated
    sed -i --follow-symlinks "s/\(retry *= *\)[^[:space:]]*/\1$var_password_pam_retry/" /etc/pam.d/system-auth
else
    sed -i --follow-symlinks "/pam_pwquality.so/ s/$/ retry=$var_password_pam_retry/" /etc/pam.d/system-auth
fi
- name: XCCDF Value var_password_pam_retry # promote to variable
set_fact:
var_password_pam_retry: !!str
tags:
- always
- name: Set Password Retry Prompts Permitted Per-Session - system-auth (change)
replace:
dest: /etc/pam.d/system-auth
follow: true
regexp: (^.*\spam_pwquality.so\s.*retry\s*=\s*)(\S+)(.*$)
replace: \g<1>{{ var_password_pam_retry }}\g<3>
tags:
- accounts_password_pam_retry
- medium_severity
- configure_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-27160-1
- DISA-STIG-RHEL-07-010119
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-7(a)
- NIST-800-53-IA-5(4)
- CJIS-5.5.3
- name: Set Password Retry Prompts Permitted Per-Session - system-auth (add)
replace:
dest: /etc/pam.d/system-auth
follow: true
regexp: ^.*\spam_pwquality.so\s(?!.*retry\s*=\s*).*$
replace: \g<0> retry={{ var_password_pam_retry }}
tags:
- accounts_password_pam_retry
- medium_severity
- configure_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-27160-1
- DISA-STIG-RHEL-07-010119
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-7(a)
- NIST-800-53-IA-5(4)
- CJIS-5.5.3
Set Password Quality Requirements, if using pam_cracklib

The pam_cracklib PAM module can be configured to meet
requirements for a variety of policies.
For example, to configure pam_cracklib to require at least one uppercase
character, lowercase character, digit, and other (special)
character, locate the following line in /etc/pam.d/system-auth:
password requisite pam_cracklib.so try_first_pass retry=3
and then alter it to read:
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.
Note that the password quality requirements are not enforced for the
root account.

Protect Random-Number Entropy Pool

The I/O operations of the Linux kernel block layer, because of their inherently
unpredictable execution times, have traditionally been considered a reliable
source of contributions to the random-number entropy pool of the Linux kernel. This
has changed with the introduction of solid-state storage devices (SSDs), though.

Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool

For each solid-state drive on the system, run:
# echo 0 > /sys/block/DRIVE/queue/add_random
In contrast to traditional electromechanical magnetic disks, which contain
spinning platters and/or movable read/write heads, solid-state storage
devices (SSDs) contain no moving mechanical components. Their
I/O operation completion times are therefore much more predictable.

File Permissions and Masks

Traditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
Several of the commands in this section search filesystems
for files or directories with certain characteristics, and are
intended to be run on every local partition on a given system.
When the variable PART appears in one of the commands below,
it means that the command is intended to be run repeatedly, with the
name of each local partition substituted for PART in turn.
The following command prints a list of all xfs partitions on the local
system, which is the default filesystem for Red Hat Enterprise Linux 7
installations:
$ mount -t xfs | awk '{print $3}'
For any systems that use a different
local filesystem type, modify this command as appropriate.

Verify Permissions on Important Files and Directories

Permissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen.

Ensure All SGID Executables Are Authorized

The SGID (set group id) bit should be set only on files that were
installed via authorized means. A straightforward means of identifying
unauthorized SGID files is to determine whether any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SGID files.
This configuration check considers authorized SGID files which were installed via RPM.
It is assumed that when an individual has sudo access to install an RPM
and all packages are signed with an organizationally-recognized GPG key,
the software should be considered an approved package on the system.
Any SGID file not deployed through an RPM will be flagged for further review.
Executable files with the SGID permission run with the privileges of
the owner of the file. SGID files of uncertain provenance could allow
unprivileged users to elevate privileges. The presence of these files should be
strictly controlled on the system.
CCE-80132-4

Enable Kernel Parameter to Enforce DAC on Symlinks

To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file-system
access by privileged programs, removing an exploitation vector that relies on unsafe use of
open() or creat().
CCE-81029-1
Remediation Shell script:
#
# Set runtime for fs.protected_symlinks
#
/sbin/sysctl -q -n -w fs.protected_symlinks="1"
#
# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1"
# else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf
# (replace_or_append is a helper from the scap-security-guide shared remediation
# functions library and must be sourced before this snippet runs)
#
replace_or_append '/etc/sysctl.conf' '^fs.protected_symlinks' "1" 'CCE-81029-1'
Remediation Ansible snippet:
- name: Ensure sysctl fs.protected_symlinks is set to 1
  sysctl:
    name: fs.protected_symlinks
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sysctl_fs_protected_symlinks
  - unknown_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-81029-1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
Ensure All World-Writable Directories Are Owned by a System Account

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale: Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Identifiers: CCE-80136-5

Ensure All Files Are Owned by a Group

If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale: Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Identifiers: CCE-80135-7

Ensure All Files Are Owned by a User

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

Rationale: Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Identifiers: CCE-80134-0

Enable Kernel Parameter to Enforce DAC on Hardlinks

To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1

Rationale: By enabling this kernel parameter, unprivileged users can no longer create hard links to files which they do not own, unless they already have read and write access to them. Disallowing such hardlinks mitigates vulnerabilities arising from insecure file-system access by privileged programs, closing an exploitation vector that relies on unsafe use of open() or creat().

Identifiers: CCE-81026-7
Remediation Shell script:
#
# Set runtime for fs.protected_hardlinks
#
/sbin/sysctl -q -n -w fs.protected_hardlinks="1"
#
# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1"
# else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf
# (replace_or_append is a helper from the scap-security-guide shared remediation
# functions library and must be sourced before this snippet runs)
#
replace_or_append '/etc/sysctl.conf' '^fs.protected_hardlinks' "1" 'CCE-81026-7'
Remediation Ansible snippet:
- name: Ensure sysctl fs.protected_hardlinks is set to 1
  sysctl:
    name: fs.protected_hardlinks
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sysctl_fs_protected_hardlinks
  - unknown_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-81026-7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
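A check for the two fs.protected_* parameters above that resolves the persisted value the way sysctl --system does (files in /etc/sysctl.d are read in glob order and /etc/sysctl.conf is read after them, so the last assignment wins and a stale "= 0" in /etc/sysctl.conf silently overrides a drop-in) and then compares the live /proc/sys value. This is an added example, not the guide's own content; the function names and the simplified precedence (ignoring /run/sysctl.d and the /usr/lib sysctl.d directories) are this example's assumptions.

```shell
#!/bin/sh
# Resolve the value `sysctl --system` would finally apply for a kernel parameter.
# procps reads /etc/sysctl.d/*.conf (glob order) and then /etc/sysctl.conf; the last
# assignment wins. Simplification (assumption of this example): /run/sysctl.d and the
# /usr/lib sysctl.d directories are not consulted.
#
# persistent_sysctl_value KEY [CONFIG_ROOT]  -> prints the value, or nothing if unset
persistent_sysctl_value() {
  key=$1
  root=${2:-/etc}
  value=
  for f in "$root"/sysctl.d/*.conf "$root"/sysctl.conf; do
    [ -f "$f" ] || continue
    # Accept "key = value", "key=value" and sysctl's "-key = value" (ignore-errors)
    # form; '#' and ';' comments are stripped first. Only the file's last match counts.
    v=$(awk -v k="$key" '
      { sub(/[#;].*/, "") }
      index($0, "=") {
        split($0, kv, "=")
        gsub(/^[ \t-]+|[ \t]+$/, "", kv[1])
        gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
        if (kv[1] == k) last = kv[2]
      }
      END { if (last != "") print last }' "$f")
    [ -n "$v" ] && value=$v
  done
  printf '%s\n' "$value"
}

# check_persistent_sysctl KEY EXPECTED [CONFIG_ROOT]
# Reports PASS/FAIL for the persisted configuration; returns 0 only on a match.
check_persistent_sysctl() {
  key=$1; expected=$2; root=${3:-/etc}
  actual=$(persistent_sysctl_value "$key" "$root")
  if [ "$actual" = "$expected" ]; then
    printf 'PASS %s persisted as %s\n' "$key" "$actual"
    return 0
  fi
  printf 'FAIL %s persisted as "%s", expected %s\n' "$key" "${actual:-<unset>}" "$expected"
  return 1
}

# check_runtime_sysctl KEY EXPECTED
# Compares the live kernel value (read from /proc/sys) with the expected one.
check_runtime_sysctl() {
  key=$1; expected=$2
  node=/proc/sys/$(printf '%s' "$key" | tr . /)
  if [ ! -r "$node" ]; then
    printf 'SKIP %s (%s not readable)\n' "$key" "$node"
    return 2
  fi
  actual=$(cat "$node")
  if [ "$actual" = "$expected" ]; then
    printf 'PASS %s runtime value is %s\n' "$key" "$actual"
    return 0
  fi
  printf 'FAIL %s runtime value is %s, expected %s\n' "$key" "$actual" "$expected"
  return 1
}

# audit_protected_links: both parameters this guide requires, persisted and live.
audit_protected_links() {
  rc=0
  for key in fs.protected_symlinks fs.protected_hardlinks; do
    check_persistent_sysctl "$key" 1 || rc=1
    check_runtime_sysctl "$key" 1 || rc=1
  done
  return $rc
}
```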
Ensure No World-Writable Files Exist

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs.

Rationale: Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

Identifiers: CCE-80131-6

Ensure All SUID Executables Are Authorized

The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is to determine whether any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files.
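The provenance check that this rule and the SGID rule above describe, as an added example rather than the guide's own content: list set-id files on local filesystems, ask rpm -qf which package owns each, and run rpm -V so that a packaged file whose mode or digest no longer matches the package is reported too. The function names are this example's; it assumes rpm(1) is present on the audited host.

```shell
#!/bin/sh
# Audit SUID/SGID executables for provenance: every set-id file should belong to an
# installed RPM, and its recorded mode and digest should still match that package.

# local_mount_points: the local filesystems to walk (same df invocation as the
# sticky-bit remediation in this guide).
local_mount_points() {
  df --local -P | awk 'NR != 1 { print $6 }'
}

# list_setid_files DIR...: regular files with the SUID or SGID bit set, one per line,
# without crossing into other filesystems.
list_setid_files() {
  find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# classify_setid_files DIR...
# Prints one line per set-id file:
#   PACKAGED   <package> <path>   owned by an RPM and verifies cleanly
#   MODIFIED   <package> <path>   owned by an RPM, but rpm -V reports mode/digest drift
#   UNPACKAGED <path>             no package owns the file: investigate its origin
# Returns 0 when every set-id file is PACKAGED, 1 otherwise.
classify_setid_files() {
  listing=$(mktemp) || return 2
  list_setid_files "$@" > "$listing"
  rc=0
  while IFS= read -r f; do
    # rpm -qf exits non-zero (and says so on stdout) when no package owns the file.
    if pkgs=$(rpm -qf "$f" 2>/dev/null); then
      # A file may belong to several packages; verify against the first one listed.
      set -- $pkgs
      pkg=$1
      # rpm -V prints one line per file with a mismatch; the path is its last field.
      if rpm -V "$pkg" 2>/dev/null | awk -v f="$f" '$NF == f { found = 1 } END { exit !found }'; then
        printf 'MODIFIED %s %s\n' "$pkg" "$f"
        rc=1
      else
        printf 'PACKAGED %s %s\n' "$pkg" "$f"
      fi
    else
      printf 'UNPACKAGED %s\n' "$f"
      rc=1
    fi
  done < "$listing"
  rm -f "$listing"
  return $rc
}

# audit_setid_executables: run the classification over every local filesystem.
audit_setid_executables() {
  # Word-splitting the df output is intended: mount points are whitespace-free here.
  classify_setid_files $(local_mount_points)
}
```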
This configuration check considers authorized those SUID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.

Rationale: Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.

Identifiers: CCE-80133-2

Verify that local System.map file (if exists) is readable only by root

Files containing sensitive information should be protected by restrictive permissions. Most of the time, there is no need for these files to be read by any non-root user. To properly set the permissions of /boot/System.map-*, run the command:
$ sudo chmod 0600 /boot/System.map-*

Rationale: The System.map file contains information about kernel symbols and can provide hints useful for local exploitation.

Identifiers: CCE-82350-0

Verify that All World-Writable Directories Have Sticky Bits Set

When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR

Rationale: Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.

Identifiers: CCE-80130-8

Remediation Shell script:
df --local -P | awk '{if (NR!=1) print $6}' \
  | xargs -I '{}' find '{}' -xdev -type d \
  \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
  | xargs chmod a+t
Verify Permissions on Files with Local Account Information and Credentials

The default restrictive permissions for files which act as important security databases, such as the passwd, shadow, group, and gshadow files, must be maintained. Many utilities need read access to the passwd file in order to function properly, but read access to the shadow file allows malicious attacks against system passwords, and should never be enabled.

Verify Permissions on shadow File

To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow

Rationale: The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Identifiers: CCE-82042-3

Remediation Shell script:
chmod 0000 /etc/shadow
Remediation Ansible snippet:
- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
  - file_permissions_etc_shadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82042-3
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure permission 0000 on /etc/shadow
  file:
    path: /etc/shadow
    mode: '0000'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_permissions_etc_shadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82042-3
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify User Who Owns shadow File

To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow

Rationale: The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Identifiers: CCE-82022-5

Remediation Shell script:
chown 0 /etc/shadow
Remediation Ansible snippet:
- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
  - file_owner_etc_shadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82022-5
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure owner 0 on /etc/shadow
  file:
    path: /etc/shadow
    owner: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_owner_etc_shadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82022-5
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify User Who Owns group File

To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group

Rationale: The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Identifiers: CCE-82031-6

Remediation Shell script:
chown 0 /etc/group
Remediation Ansible snippet:
- name: Test for existence /etc/group
  stat:
    path: /etc/group
  register: file_exists
  tags:
  - file_owner_etc_group
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82031-6
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure owner 0 on /etc/group
  file:
    path: /etc/group
    owner: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_owner_etc_group
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82031-6
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify Permissions on group File

To properly set the permissions of /etc/group, run the command:
$ sudo chmod 0644 /etc/group

Rationale: The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Identifiers: CCE-82032-4

Remediation Shell script:
chmod 0644 /etc/group
Remediation Ansible snippet:
- name: Test for existence /etc/group
  stat:
    path: /etc/group
  register: file_exists
  tags:
  - file_permissions_etc_group
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82032-4
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure permission 0644 on /etc/group
  file:
    path: /etc/group
    mode: '0644'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_permissions_etc_group
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82032-4
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify Group Who Owns gshadow File

To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow

Rationale: The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Identifiers: CCE-82025-8

Remediation Shell script:
chgrp 0 /etc/gshadow
Remediation Ansible snippet:
- name: Test for existence /etc/gshadow
  stat:
    path: /etc/gshadow
  register: file_exists
  tags:
  - file_groupowner_etc_gshadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82025-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
- name: Ensure group owner 0 on /etc/gshadow
  file:
    path: /etc/gshadow
    group: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_groupowner_etc_gshadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82025-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
Verify Group Who Owns passwd File

To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd

Rationale: The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Identifiers: CCE-26639-5

Remediation Shell script:
chgrp 0 /etc/passwd
Remediation Ansible snippet:
- name: Test for existence /etc/passwd
  stat:
    path: /etc/passwd
  register: file_exists
  tags:
  - file_groupowner_etc_passwd
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-26639-5
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure group owner 0 on /etc/passwd
  file:
    path: /etc/passwd
    group: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_groupowner_etc_passwd
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-26639-5
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify Group Who Owns shadow File

To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow

Rationale: The /etc/shadow file stores password hashes. Protection of this file is critical for system security.

Identifiers: CCE-82051-4

Remediation Shell script:
chgrp 0 /etc/shadow
Remediation Ansible snippet:
- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
  - file_groupowner_etc_shadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82051-4
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure group owner 0 on /etc/shadow
  file:
    path: /etc/shadow
    group: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_groupowner_etc_shadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82051-4
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify User Who Owns gshadow File

To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow

Rationale: The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Identifiers: CCE-82195-9

Remediation Shell script:
chown 0 /etc/gshadow
Remediation Ansible snippet:
- name: Test for existence /etc/gshadow
  stat:
    path: /etc/gshadow
  register: file_exists
  tags:
  - file_owner_etc_gshadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82195-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
- name: Ensure owner 0 on /etc/gshadow
  file:
    path: /etc/gshadow
    owner: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_owner_etc_gshadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82195-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
Verify Group Who Owns group File

To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group

Rationale: The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

Identifiers: CCE-82037-3

Remediation Shell script:
chgrp 0 /etc/group
Remediation Ansible snippet:
- name: Test for existence /etc/group
  stat:
    path: /etc/group
  register: file_exists
  tags:
  - file_groupowner_etc_group
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82037-3
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure group owner 0 on /etc/group
  file:
    path: /etc/group
    group: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_groupowner_etc_group
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82037-3
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify Permissions on gshadow File

To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow

Rationale: The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

Identifiers: CCE-82192-6

Remediation Shell script:
chmod 0000 /etc/gshadow
Remediation Ansible snippet:
- name: Test for existence /etc/gshadow
  stat:
    path: /etc/gshadow
  register: file_exists
  tags:
  - file_permissions_etc_gshadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82192-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
- name: Ensure permission 0000 on /etc/gshadow
  file:
    path: /etc/gshadow
    mode: '0000'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_permissions_etc_gshadow
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82192-6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
Verify User Who Owns passwd File

To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd

Rationale: The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

Identifiers: CCE-82052-2

Remediation Shell script:
chown 0 /etc/passwd
Remediation Ansible snippet:
- name: Test for existence /etc/passwd
  stat:
    path: /etc/passwd
  register: file_exists
  tags:
  - file_owner_etc_passwd
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82052-2
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure owner 0 on /etc/passwd
  file:
    path: /etc/passwd
    owner: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_owner_etc_passwd
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82052-2
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
Verify Permissions on passwd File

To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd

Rationale: If the /etc/passwd file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

Identifiers: CCE-82029-0

Remediation Shell script:
chmod 0644 /etc/passwd
Remediation Ansible snippet:
- name: Test for existence /etc/passwd
  stat:
    path: /etc/passwd
  register: file_exists
  tags:
  - file_permissions_etc_passwd
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82029-0
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
- name: Ensure permission 0644 on /etc/passwd
  file:
    path: /etc/passwd
    mode: '0644'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - file_permissions_etc_passwd
  - medium_severity
  - configure_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82029-0
  - PCI-DSS-Req-8.7.c
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - CJIS-5.5.2.2
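A single audit over the four account databases covered by the rules above, comparing each file's mode, owner and group with the values the guide requires (passwd and group 0644, shadow and gshadow 0000, all owned by root:root) and naming every attribute that drifted. Added example, not the guide's own code; it assumes GNU stat as shipped with coreutils on RHEL 7, and the function names are its own.

```shell
#!/bin/sh
# Audit the local account databases against the ownership and mode this guide requires.
# Assumes GNU stat(1) from coreutils, as shipped on RHEL 7.

# Policy table: file name under /etc and required octal mode. Owner and group are
# expected to be root (uid 0, gid 0) for all four files.
ACCOUNT_FILE_POLICY='passwd 0644
group 0644
shadow 0000
gshadow 0000'

# norm_mode MODE: canonical form for comparing octal modes ("0644" -> "644",
# "0000" -> "0"), matching what `stat -c %a` prints.
norm_mode() {
  m=$(printf '%s' "$1" | sed 's/^0*//')
  printf '%s\n' "${m:-0}"
}

# check_file_attrs PATH MODE UID GID
# Prints OK, DRIFT (listing every mismatching attribute) or MISSING; returns 0 only for OK.
check_file_attrs() {
  path=$1; want_mode=$(norm_mode "$2"); want_uid=$3; want_gid=$4
  if [ ! -e "$path" ]; then
    printf 'MISSING %s\n' "$path"
    return 1
  fi
  # %a access mode in octal, %u owner uid, %g group gid
  set -- $(stat -c '%a %u %g' "$path")
  have_mode=$1; have_uid=$2; have_gid=$3
  problems=
  [ "$have_mode" = "$want_mode" ] || problems="$problems mode=$have_mode(want $want_mode)"
  [ "$have_uid" = "$want_uid" ] || problems="$problems uid=$have_uid(want $want_uid)"
  [ "$have_gid" = "$want_gid" ] || problems="$problems gid=$have_gid(want $want_gid)"
  if [ -z "$problems" ]; then
    printf 'OK %s\n' "$path"
    return 0
  fi
  printf 'DRIFT %s:%s\n' "$path" "$problems"
  return 1
}

# audit_account_files [ETC_DIR] [UID] [GID]
# Checks every file in the policy table. ETC_DIR defaults to /etc and the expected
# owner to root:root; the overrides exist so the audit can be exercised on a staged copy.
# Returns the number of files that are missing or drifted (0 means compliant).
audit_account_files() {
  etc=${1:-/etc}; uid=${2:-0}; gid=${3:-0}
  drift=0
  while read -r name mode; do
    [ -n "$name" ] || continue
    check_file_attrs "$etc/$name" "$mode" "$uid" "$gid" || drift=$((drift + 1))
  done <<EOF
$ACCOUNT_FILE_POLICY
EOF
  return $drift
}
```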
Verify File Permissions Within Some Important Directories

Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. As such, an argument exists to verify that files' permissions within these directories remain configured correctly and restrictively.

Verify that Shared Library Files Have Root Ownership

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE

Rationale: Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Identifiers: CCE-82021-7

Remediation Shell script:
for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
do
  if [ -d $LIBDIR ]
  then
    find -L $LIBDIR \! -user root -exec chown root {} \;
  fi
done
Remediation Ansible snippet:
- name: Read list libraries without root ownership
  command: find -L /usr/lib /usr/lib64 /lib /lib64 \! -user root
  register: libraries_not_owned_by_root
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - file_ownership_library_dirs
  - medium_severity
  - restrict_strategy
  - medium_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-82021-7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
- name: Set ownership of system libraries to root
  file:
    path: '{{ item }}'
    owner: root
  with_items: '{{ libraries_not_owned_by_root.stdout_lines }}'
  # Test the captured file list, not the registered result object, which is never empty.
  when: libraries_not_owned_by_root.stdout_lines | length > 0
  tags:
  - file_ownership_library_dirs
  - medium_severity
  - restrict_strategy
  - medium_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-82021-7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
Verify that System Executables Have Restrictive Permissions

System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE

Rationale: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.

Identifiers: CCE-82040-7

Remediation Shell script:
DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
for dirPath in $DIRS; do
  find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
done
Remediation Ansible snippet:
- name: Read list of world and group writable system executables
  command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec
    -perm /022 -type f
  register: world_writable_library_files
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - file_permissions_binary_dirs
  - medium_severity
  - restrict_strategy
  - medium_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-82040-7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
- name: Remove world/group writability of system executables
  file:
    path: '{{ item }}'
    mode: go-w
  with_items: '{{ world_writable_library_files.stdout_lines }}'
  when: world_writable_library_files.stdout_lines | length > 0
  tags:
  - file_permissions_binary_dirs
  - medium_severity
  - restrict_strategy
  - medium_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-82040-7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
Verify that System Executables Have Root Ownership

System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE

Rationale: System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that the execution of these programs cannot be co-opted.

Identifiers: CCE-82048-0

Remediation Shell script:
find /bin/ \
  /usr/bin/ \
  /usr/local/bin/ \
  /sbin/ \
  /usr/sbin/ \
  /usr/local/sbin/ \
  /usr/libexec \
  \! -user root -execdir chown root {} \;
Remediation Ansible snippet:
- name: Read list of system executables without root ownership
  command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/
    /usr/libexec \! -user root
  register: no_root_system_executables
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - file_ownership_binary_dirs
  - medium_severity
  - restrict_strategy
  - medium_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-82048-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
- name: Set ownership to root of system executables
  file:
    path: '{{ item }}'
    owner: root
  with_items: '{{ no_root_system_executables.stdout_lines }}'
  when: no_root_system_executables.stdout_lines | length > 0
  tags:
  - file_ownership_binary_dirs
  - medium_severity
  - restrict_strategy
  - medium_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-82048-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
Verify that Shared Library Files Have Restrictive Permissions
System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are
stored in /lib/modules. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
$ sudo chmod go-w FILE
Rationale: Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system.
Identifiers: CCE-82033-2
Remediation Shell script:
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
  find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;
done
Remediation Ansible snippet:
- name: Read list of world and group writable files in libraries directories
  command: find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f
  register: world_writable_library_files
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - file_permissions_library_dirs
  - medium_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-82033-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
- name: Disable world/group writability to library files
  file:
    path: '{{ item }}'
    mode: go-w
  with_items: '{{ world_writable_library_files.stdout_lines }}'
  when: world_writable_library_files.stdout_lines | length > 0
  tags:
  - file_permissions_library_dirs
  - medium_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-82033-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
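An added audit script, not part of the guide, for the two rules above: it walks the executable and library directories they name and reports files not owned by root and files with group- or world-writable bits, the same conditions the guide's find(1) remediations correct, and can apply the same chown/chmod fix. It assumes Python 3 and, like the library rule's find -type f, inspects only regular files.

```python
#!/usr/bin/env python3
"""Audit (and optionally fix) the executable and shared-library
directories named by the two rules above.

Added example, not part of the scap-security-guide content: it reports
the same two conditions the guide's find(1) remediations correct.
"""
import os
import stat
import sys

# Directories listed by the two rules.
EXECUTABLE_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/libexec",
                   "/usr/local/bin", "/usr/local/sbin", "/usr/sbin"]
LIBRARY_DIRS = ["/lib", "/lib64", "/usr/lib", "/usr/lib64"]

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH  # the bits `find -perm /022` tests


def audit_tree(root, expected_uid=0, check_owner=True, check_mode=True,
               remediate=False):
    """Walk `root` and return a sorted list of (path, kind) findings, kind
    being 'owner' (not owned by expected_uid) or 'mode' (group- or
    world-writable).

    Only regular files are inspected, like `find -type f`; symlinks are
    skipped so a link target outside the tree is never reported or changed.
    expected_uid is 0 (root) in production; tests pass their own uid
    because an unprivileged process cannot create root-owned files.
    With remediate=True the file is fixed in place, which is what the
    guide's `chown root FILE` and `chmod go-w FILE` do.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except FileNotFoundError:
                continue  # file vanished (e.g. a concurrent package update)
            if not stat.S_ISREG(st.st_mode):
                continue
            if check_owner and st.st_uid != expected_uid:
                findings.append((path, "owner"))
                if remediate:
                    os.chown(path, expected_uid, -1)  # -1 leaves the group unchanged
            if check_mode and st.st_mode & GROUP_OR_WORLD_WRITE:
                findings.append((path, "mode"))
                if remediate:
                    os.chmod(path, stat.S_IMODE(st.st_mode) & ~GROUP_OR_WORLD_WRITE)
    return sorted(findings)


def audit_binary_dirs(dirs=EXECUTABLE_DIRS, expected_uid=0, remediate=False):
    """Rule 'Verify that System Executables Have Root Ownership'."""
    return [f for d in dirs if os.path.isdir(d)
            for f in audit_tree(d, expected_uid, check_mode=False, remediate=remediate)]


def audit_library_dirs(dirs=LIBRARY_DIRS, expected_uid=0, remediate=False):
    """Rule 'Verify that Shared Library Files Have Restrictive Permissions'."""
    return [f for d in dirs if os.path.isdir(d)
            for f in audit_tree(d, expected_uid, check_owner=False, remediate=remediate)]


if __name__ == "__main__":
    # Report only by default; pass --fix to apply the remediation (needs root).
    fix = "--fix" in sys.argv[1:]
    for path, _kind in audit_binary_dirs(remediate=fix):
        print("executable not owned by root:", path)
    for path, _kind in audit_library_dirs(remediate=fix):
        print("library file group/world-writable:", path)
```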
Restrict Dynamic Mounting and Unmounting of Filesystems
Linux includes a number of facilities for the automated addition
and removal of filesystems on a running system. These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
If these filesystems are not required then they can be explicitly disabled
in a configuration file in /etc/modprobe.d.
Disable the Automounter
The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl disable autofs.service
The autofs service can be masked with the following command:
$ sudo systemctl mask autofs.service
References: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, DISA STIG RHEL-07-020110 (SV-86609r2_rule)
Rationale: Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
Additionally, automatically mounting filesystems permits easy introduction of
unknown devices, thereby facilitating malicious activity.
Identifiers: CCE-27498-5
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'autofs.service'
"$SYSTEMCTL_EXEC" disable 'autofs.service'
"$SYSTEMCTL_EXEC" mask 'autofs.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^autofs.socket'; then
  "$SYSTEMCTL_EXEC" stop 'autofs.socket'
  "$SYSTEMCTL_EXEC" disable 'autofs.socket'
  "$SYSTEMCTL_EXEC" mask 'autofs.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true
Remediation Ansible snippet:
- name: Disable service autofs
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service autofs
    systemd:
      name: autofs.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"autofs.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_autofs_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27498-5
  - DISA-STIG-RHEL-07-020110
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-MP-7
- name: Unit Socket Exists - autofs.socket
  command: systemctl list-unit-files autofs.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_autofs_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27498-5
  - DISA-STIG-RHEL-07-020110
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-MP-7
- name: Disable socket autofs
  systemd:
    name: autofs.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"autofs.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_autofs_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27498-5
  - DISA-STIG-RHEL-07-020110
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-MP-7
Remediation Puppet snippet:
include disable_autofs
class disable_autofs {
  service {'autofs':
    enable => false,
    ensure => 'stopped',
  }
}
Remediation Kubernetes snippet:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    systemd:
      units:
      - enabled: false
        name: autofs.service
Disable Modprobe Loading of USB Storage Driver
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually.
References: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-0016, SRG-OS-000480-GPOS-00227, DISA STIG RHEL-07-020100 (SV-86607r4_rule)
Rationale: USB storage devices such as thumb drives can be used to introduce
malicious software.
Identifiers: CCE-27277-3
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install usb-storage.*#install usb-storage /bin/true#g' /etc/modprobe.d/usb-storage.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf
  echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'usb-storage' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/usb-storage.conf
    regexp: usb-storage
    line: install usb-storage /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_usb-storage_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-27277-3
  - DISA-STIG-RHEL-07-020100
  - NIST-800-171-3.1.21
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-MP-7
Assign Password to Prevent Changes to Boot Firmware Configuration
Assign a password to the system boot firmware (historically called BIOS on PC
systems) to require a password for any configuration changes.
Rationale: Assigning a password to the system boot firmware prevents anyone
with physical access from configuring the system to boot
from local media and circumvent the operating system's access controls.
For systems in physically secure locations, such as
a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed
against the risk of administrative personnel being unable to conduct recovery operations in
a timely fashion.
Identifiers: CCE-27194-0
Disable Booting from USB Devices in Boot Firmware
Configure the system boot firmware (historically called BIOS on PC
systems) to disallow booting from USB drives.
Rationale: Booting a system from a USB device would allow an attacker to
circumvent any security measures provided by the operating system. Attackers
could mount partitions and modify the configuration of the OS.
Identifiers: CCE-26960-5
Disable Mounting of udf
To configure the system to prevent the udf
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install udf /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.
Identifiers: CCE-80143-1
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf
  echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'udf' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/udf.conf
    regexp: udf
    line: install udf /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_udf_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-80143-1
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
Disable Mounting of squashfs
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.
Identifiers: CCE-80142-3
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install squashfs" /etc/modprobe.d/squashfs.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install squashfs.*#install squashfs /bin/true#g' /etc/modprobe.d/squashfs.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf
  echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'squashfs' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/squashfs.conf
    regexp: squashfs
    line: install squashfs /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_squashfs_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-80142-3
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
Disable Mounting of hfsplus
To configure the system to prevent the hfsplus
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.
Identifiers: CCE-80141-5
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf
  echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'hfsplus' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/hfsplus.conf
    regexp: hfsplus
    line: install hfsplus /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_hfsplus_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-80141-5
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
Disable Mounting of FAT filesystems
To configure the system to prevent the vfat
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install vfat /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.
Identifiers: CCE-82169-4
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install vfat" /etc/modprobe.d/vfat.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install vfat.*#install vfat /bin/true#g' /etc/modprobe.d/vfat.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/vfat.conf
  echo "install vfat /bin/true" >> /etc/modprobe.d/vfat.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'vfat' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/vfat.conf
    regexp: vfat
    line: install vfat /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_vfat_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-82169-4
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
Disable Mounting of jffs2
To configure the system to prevent the jffs2
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.
Identifiers: CCE-80139-9
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf
  echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'jffs2' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/jffs2.conf
    regexp: jffs2
    line: install jffs2 /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_jffs2_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-80139-9
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
Disable Kernel Support for USB via Bootloader Configuration
All USB support can be disabled by adding the nousb
argument to the kernel's boot loader configuration. To do so,
append "nousb" to the kernel line in /etc/default/grub as shown:
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
Warning: Disabling all kernel support for USB will cause problems for systems
with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.
Rationale: Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
in specialized systems.
Identifiers: CCE-26548-8
Remediation Shell script:
# Correct the form of default kernel command line in /etc/default/grub
if ! grep -q ^GRUB_CMDLINE_LINUX=\".*nousb.*\" /etc/default/grub;
then
  # Edit configuration setting
  # Append 'nousb' argument to /etc/default/grub (if not present yet)
  sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 nousb\"/" /etc/default/grub
  # Edit runtime setting
  # Correct the form of kernel command line for each installed kernel in the bootloader
  /sbin/grubby --update-kernel=ALL --args="nousb"
fi
Disable Mounting of hfs
To configure the system to prevent the hfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install hfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.
Identifiers: CCE-80140-7
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf
  echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'hfs' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/hfs.conf
    regexp: hfs
    line: install hfs /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_hfs_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-80140-7
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
Disable Mounting of cramfs
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem.
References: SRG-OS-000095-GPOS-00049
Rationale: Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.
Identifiers: CCE-80137-3
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
  echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'cramfs' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/cramfs.conf
    regexp: cramfs
    line: install cramfs /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_cramfs_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-80137-3
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
Disable Mounting of freevxfs
To configure the system to prevent the freevxfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.
Identifiers: CCE-80138-1
Remediation Shell script:
if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then
  # '#' as the s/// delimiter so the slashes in /bin/true need no escaping
  sed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf
else
  echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf
  echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf
fi
Remediation Ansible snippet:
- name: Ensure kernel module 'freevxfs' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/freevxfs.conf
    regexp: freevxfs
    line: install freevxfs /bin/true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - kernel_module_freevxfs_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - CCE-80138-1
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
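An added checker, not part of the guide, for the usb-storage rule and every "Disable Mounting of ..." rule above: it reads the modprobe.d configuration those remediations write and reports, per module, whether modprobe will refuse to load it. It parses comments, backslash continuations and the install/blacklist commands per modprobe.d(5), treats usb-storage and usb_storage as the same module as modprobe does, and distinguishes a real install /bin/true from a mere blacklist line, which only stops alias-based autoloading. Assumes Python 3; the sample configuration files are constructed.

```python
#!/usr/bin/env python3
"""Report whether modprobe will refuse to load a kernel module, based on
the /etc/modprobe.d configuration the rules above write.

Added example, not part of the scap-security-guide content. Parsing
follows modprobe.d(5): whole-line '#' comments, backslash continuation,
and the 'install' and 'blacklist' commands. Sample files are constructed.
"""
import glob
import os

# Install targets the guide uses; each means "do nothing instead of loading".
NO_OP_COMMANDS = {"/bin/true", "/bin/false", "/usr/bin/true", "/usr/bin/false"}


def _norm(name):
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.replace("-", "_")


def _logical_lines(text):
    """Yield non-comment lines with backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        line = (pending + stripped).strip()
        pending = ""
        if line and not line.startswith("#"):
            yield line
    if pending.strip():
        yield pending.strip()


def parse_modprobe_conf(text):
    """Return {'install': {module: command}, 'blacklist': {module, ...}}."""
    result = {"install": {}, "blacklist": set()}
    for line in _logical_lines(text):
        parts = line.split(None, 2)
        if parts[0] == "install" and len(parts) == 3:
            result["install"][parts[1]] = parts[2].strip()
        elif parts[0] == "blacklist" and len(parts) >= 2:
            result["blacklist"].add(parts[1])
    return result


def module_status(module, confs):
    """Classify `module` from a list of (filename, text) pairs.

    'disabled'    an install line maps it to a no-op command, so modprobe
                  never loads it (the state the rules above require);
    'overridden'  an install line runs something else, so that command may
                  still load the module;
    'blacklisted' only a blacklist line exists: alias-based autoloading is
                  suppressed, but an explicit modprobe still loads it;
    'loadable'    no directive mentions it.
    Files are read in sorted name order and a later install line replaces
    an earlier one; cross-check the result with `modprobe --showconfig`.
    """
    target = _norm(module)
    install_cmd, blacklisted = None, False
    for _name, text in sorted(confs):
        parsed = parse_modprobe_conf(text)
        for mod, cmd in parsed["install"].items():
            if _norm(mod) == target:
                install_cmd = cmd
        if any(_norm(m) == target for m in parsed["blacklist"]):
            blacklisted = True
    if install_cmd is not None:
        return "disabled" if install_cmd.split()[0] in NO_OP_COMMANDS else "overridden"
    return "blacklisted" if blacklisted else "loadable"


def load_modprobe_dir(directory="/etc/modprobe.d"):
    """Read the *.conf files modprobe consults (other names are ignored)."""
    confs = []
    for path in sorted(glob.glob(os.path.join(directory, "*.conf"))):
        with open(path) as fh:
            confs.append((os.path.basename(path), fh.read()))
    return confs


def loaded_modules(path="/proc/modules"):
    """Names of currently loaded modules: a module disabled in modprobe.d
    stays loaded until removed or until the reboot the rules require."""
    try:
        with open(path) as fh:
            return {line.split()[0] for line in fh if line.strip()}
    except OSError:
        return set()


# Constructed sample: one file as written by the remediation above, plus an
# older local file with a blacklist only, a wrapped install line, and an
# install line that does not actually disable its module.
SAMPLE_CONFS = [
    ("usb-storage.conf",
     "\n# Disable per security requirements\ninstall usb-storage /bin/true\n"),
    ("local.conf",
     "blacklist squashfs\n"
     "# hfs: install line wrapped with a backslash\n"
     "install hfs \\\n    /bin/true\n"
     "install vfat /sbin/modprobe --ignore-install vfat\n"),
]
RULE_MODULES = ("usb-storage", "udf", "squashfs", "hfsplus", "vfat",
                "jffs2", "hfs", "cramfs", "freevxfs")

if __name__ == "__main__":
    confs, loaded = load_modprobe_dir(), loaded_modules()
    for mod in RULE_MODULES:
        note = " (currently loaded)" if _norm(mod) in loaded else ""
        print("%-12s %s%s" % (mod, module_status(mod, confs), note))
```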
Restrict Partition Mount Options
System partitions can be mounted with certain options
that limit what files on those partitions can do. These options
are set in the /etc/fstab configuration file, and can be
used to make certain types of malicious behavior more difficult.
Removable Partition
This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions,
and mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from
removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable
partitions that are required on the local system.
Default value: /dev/cdrom
Add nosuid Option to /dev/shm
The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm. The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm.
References: SRG-OS-000368-GPOS-00154
Rationale: The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions.
Identifiers: CCE-80154-8
Remediation Shell script:
# include_mount_options_functions stands in for the guide's shared shell
# helpers (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted), which the scap-security-guide build supplies.
include_mount_options_functions
function perform_remediation {
  # test "$mount_has_to_exist" = 'yes'
  if test "no" = 'yes'; then
    assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
  fi
  ensure_mount_option_in_fstab "/dev/shm" "nosuid" "tmpfs" "tmpfs"
  ensure_partition_is_mounted "/dev/shm"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_dev_shm_nosuid
  - medium_severity
  - configure_strategy
  - low_complexity
  - high_disruption
  - no_reboot_needed
  - CCE-80154-8
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_dev_shm_nosuid
  - medium_severity
  - configure_strategy
  - low_complexity
  - high_disruption
  - no_reboot_needed
  - CCE-80154-8
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-MP-7
- name: Ensure permission nosuid are set on /dev/shm
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - device_name.stdout is defined
  - (device_name.stdout | length > 0)
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_dev_shm_nosuid
  - medium_severity
  - configure_strategy
  - low_complexity
  - high_disruption
  - no_reboot_needed
  - CCE-80154-8
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-MP-7
Add nodev Option to /tmp
The nodev mount option can be used to prevent device files from
being created in /tmp. Legitimate character and block devices
should not exist within temporary directories like /tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp.
References: NT28(R12), SRG-OS-000368-GPOS-00154
Rationale: The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.
Identifiers: CCE-80149-8
Remediation Shell script:
# include_mount_options_functions stands in for the guide's shared shell
# helpers (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted), which the scap-security-guide build supplies.
include_mount_options_functions
function perform_remediation {
  # test "$mount_has_to_exist" = 'yes'
  if test "yes" = 'yes'; then
    assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
  fi
  ensure_mount_option_in_fstab "/tmp" "nodev" "" ""
  ensure_partition_is_mounted "/tmp"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_tmp_nodev
  - unknown_severity
  - configure_strategy
  - low_complexity
  - high_disruption
  - no_reboot_needed
  - CCE-80149-8
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_tmp_nodev
  - unknown_severity
  - configure_strategy
  - low_complexity
  - high_disruption
  - no_reboot_needed
  - CCE-80149-8
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-MP-7
- name: Ensure permission nodev are set on /tmp
  mount:
    path: /tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - device_name.stdout is defined
  - (device_name.stdout | length > 0)
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_tmp_nodev
  - unknown_severity
  - configure_strategy
  - low_complexity
  - high_disruption
  - no_reboot_needed
  - CCE-80149-8
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-MP-7
Remediation Anaconda snippet:
part /tmp --mountoptions="nodev"
Add nosuid Option to /tmp
Description: The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
References: NT28(R12), 1.1.4111314389, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154
Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
Identifier: CCE-80151-4
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/tmp" "nosuid" "" ""
    ensure_partition_is_mounted "/tmp"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80151-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80151-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: Ensure permission nosuid are set on /tmp
  mount:
    path: /tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80151-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:
part /tmp --mountoptions="nosuid"
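The rules above all come down to the same edit: find the /etc/fstab line whose second column is the mount point and make sure the fourth column carries the option, refusing to act when there is no line at all. The routine below is an added example, not the guide's or the scap-security-guide project's own code; it assumes only POSIX sh and awk, and the fstab it edits is a constructed sample.

```shell
#!/bin/sh
# Added example: audit and idempotently fix one mount option in the fourth
# (options) column of an fstab-format file.

# Constructed /etc/fstab, not from a real system: /tmp already has nosuid but
# not nodev, and there is no entry for /var/log/audit at all.
SAMPLE_FSTAB='# constructed sample fstab
UUID=0000-root / xfs defaults 0 0
/dev/mapper/vg-tmp /tmp xfs defaults,nosuid 0 0
/dev/mapper/vg-home /home xfs defaults 0 2'

write_sample_fstab() { printf '%s\n' "$SAMPLE_FSTAB" > "$1"; }

# fstab_has_option <fstab> <mountpoint> <option>
# exit 0: option present; 1: entry exists but lacks it; 2: no entry for <mountpoint>
fstab_has_option() {
    awk -v mnt="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }        # comments and blank lines
        $2 == mnt {
            found = 1
            n = split($4, o, ",")                   # options are comma separated
            for (i = 1; i <= n; i++) if (o[i] == opt) hit = 1
        }
        END { exit hit ? 0 : (found ? 1 : 2) }
    ' "$1"
}

# fstab_add_option <fstab> <mountpoint> <option>
# Appends <option> to the existing entry only; with no entry it refuses,
# mirroring the guide's "Not remediating" behaviour. Safe to re-run.
fstab_add_option() {
    fstab="$1"; mnt="$2"; opt="$3"
    rc=0; fstab_has_option "$fstab" "$mnt" "$opt" || rc=$?
    case $rc in
        0) return 0 ;;                              # already compliant
        2) echo "Not remediating: no record of $mnt in $fstab" >&2; return 1 ;;
    esac
    tmp="$fstab.$$"
    # Assigning $4 makes awk re-join the record with single spaces; fstab is
    # whitespace separated, so the rewritten line stays valid.
    awk -v mnt="$mnt" -v opt="$opt" '
        !/^[[:space:]]*#/ && NF >= 4 && $2 == mnt { $4 = $4 "," opt }
        { print }
    ' "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# Demo against the constructed sample (a real run would target /etc/fstab).
demo_file=$(mktemp) && write_sample_fstab "$demo_file"
fstab_add_option "$demo_file" /tmp nodev && grep ' /tmp ' "$demo_file"
rm -f "$demo_file"
```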
Add nodev Option to Non-Root Local Partitions
Description: The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.
References: 1.1.11111439, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154
Rationale: The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems.
Identifier: CCE-80145-6
Add nodev Option to Removable Media Partitions
Description: The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
References: 1.1.181112131416389, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3
Rationale: The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.
Identifier: CCE-80146-4
Remediation Shell script:
# var_removable_partition is the XCCDF value for the mount point to harden; it is
# rendered empty here and must be set before the script is run.
var_removable_partition=""
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "$var_removable_partition" "nodev" "" ""
    ensure_partition_is_mounted "$var_removable_partition"
}
perform_remediation
Remediation Ansible snippet:
- name: XCCDF Value var_removable_partition # promote to variable
  set_fact:
    var_removable_partition: !!str
  tags:
    - always
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '{{ var_removable_partition }}'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_nodev_removable_partitions
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80146-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_nodev_removable_partitions
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80146-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: Ensure permission nodev are set on var_removable_partition
  mount:
    path: '{{ var_removable_partition }}'
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_nodev_removable_partitions
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80146-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Add nodev Option to /var/log/audit
Description: The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154
Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Identifier: CCE-82079-5
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/log/audit" "nodev" "" ""
    ensure_partition_is_mounted "/var/log/audit"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82079-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82079-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: Ensure permission nodev are set on /var/log/audit
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82079-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:
part /var/log/audit --mountoptions="nodev"
Add nosuid Option to /var/log/audit
Description: The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154
Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.
Identifier: CCE-82148-8
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/log/audit" "nosuid" "" ""
    ensure_partition_is_mounted "/var/log/audit"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82148-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82148-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: Ensure permission nosuid are set on /var/log/audit
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82148-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:
part /var/log/audit --mountoptions="nosuid"
Add nodev Option to /var
Description: The nodev mount option can be used to prevent device files from being created in /var. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var.
References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154
Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Identifier: CCE-82064-7
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var || { echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var" "nodev" "" ""
    ensure_partition_is_mounted "/var"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82064-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82064-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: Ensure permission nodev are set on /var
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82064-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:
part /var --mountoptions="nodev"
Add nosuid Option to /var
Description: The nosuid mount option can be used to prevent execution of setuid programs in /var. The SUID and SGID permissions should not be required for this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var.
Rationale: The presence of SUID and SGID executables should be tightly controlled.
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var || { echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var" "nosuid" "" ""
    ensure_partition_is_mounted "/var"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
- name: Ensure permission nosuid are set on /var
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
Remediation Anaconda snippet:
part /var --mountoptions="nosuid"
Add nodev Option to /var/log
Description: The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154
Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Identifier: CCE-82076-1
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/log" "nodev" "" ""
    ensure_partition_is_mounted "/var/log"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82076-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82076-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: Ensure permission nodev are set on /var/log
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82076-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:
part /var/log --mountoptions="nodev"
Add nodev Option to /home
Description: The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.
References: NT28(R12), 1.1.14, SRG-OS-000368-GPOS-00154
Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Identifier: CCE-81047-3
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/home" "nodev" "" ""
    ensure_partition_is_mounted "/home"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_home_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81047-3
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_home_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81047-3
- name: Ensure permission nodev are set on /home
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_home_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81047-3
Remediation Anaconda snippet:
part /home --mountoptions="nodev"
Add nosuid Option to /var/tmp
Description: The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
References: NT28(R12), 1.1.9, SRG-OS-000368-GPOS-00154
Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
Identifier: CCE-82153-8
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/tmp" "nosuid" "" ""
    ensure_partition_is_mounted "/var/tmp"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82153-8
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82153-8
- name: Ensure permission nosuid are set on /var/tmp
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82153-8
Remediation Anaconda snippet:
part /var/tmp --mountoptions="nosuid"
Add nodev Option to /dev/shm
Description: The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
References: 1.1.15111314389, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154
Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Identifier: CCE-80152-2
Remediation Shell script:
# include_mount_options_functions is the build-time marker for the guide's shared
# mount-option helper functions; the script is not runnable without them.
# Unlike the other rules, /dev/shm need not already be in /etc/fstab
# (mount_has_to_exist is "no"): a tmpfs entry is created when missing.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "no" = 'yes'; then
        assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/dev/shm" "nodev" "tmpfs" "tmpfs"
    ensure_partition_is_mounted "/dev/shm"
}
perform_remediation
Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_dev_shm_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80152-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_dev_shm_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80152-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: Ensure permission nodev are set on /dev/shm
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_dev_shm_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80152-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
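The remediations fix /etc/fstab, but what protects the running system is the option set on the live mount, and /dev/shm is normally mounted by systemd with no fstab line at all, which is why its rule does not require one. The check below is an added example, not code from the guide or the scap-security-guide project: it reads a /proc/self/mounts-format table and reports, for each mount point the rules above cover, which required options are missing. The required-option table and the sample mount table are constructed.

```shell
#!/bin/sh
# Added example: verify required mount options on the live mount table.

# Constructed /proc/self/mounts excerpt, not from a real host: /tmp lacks nosuid,
# /dev/shm is a systemd-managed tmpfs with no fstab entry but the right options,
# and /var/log/audit is not a separate mount at all.
SAMPLE_MOUNTS='/dev/mapper/vg-root / xfs rw,relatime,attr2,inode64 0 0
/dev/mapper/vg-tmp /tmp xfs rw,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/mapper/vg-var /var xfs rw,nodev,nosuid,relatime 0 0'

write_sample_mounts() { printf '%s\n' "$SAMPLE_MOUNTS" > "$1"; }

# Mount points and the options the rules above require (constructed table,
# one "mountpoint opt,opt" pair per line).
REQUIRED='/tmp nodev,nosuid
/dev/shm nodev,noexec
/var nodev,nosuid
/var/log/audit nodev,nosuid'

# check_mount <mounts_file> <mountpoint> <opt,opt,...>
# Prints one line per finding. exit 0: all options present; 1: some missing;
# 2: <mountpoint> is not a mount at all (a separate-partition finding, which
# the option rules above do not cover).
check_mount() {
    awk -v mnt="$2" -v want="$3" '
        $2 == mnt {
            found = 1
            n = split($4, have, ",")
            m = split(want, need, ",")
            for (j = 1; j <= m; j++) {
                ok = 0
                for (i = 1; i <= n; i++) if (have[i] == need[j]) ok = 1
                if (!ok) { printf "%s: missing %s\n", mnt, need[j]; missing = 1 }
            }
        }
        END {
            if (!found) { printf "%s: not a separate mount\n", mnt; exit 2 }
            exit missing ? 1 : 0
        }
    ' "$1"
}

# audit_mounts <mounts_file>: runs every check in REQUIRED and returns the
# number of mount points that failed (0 means fully compliant).
audit_mounts() {
    failures=0
    while read -r mnt opts; do
        check_mount "$1" "$mnt" "$opts" || failures=$((failures + 1))
    done <<EOF
$REQUIRED
EOF
    return "$failures"
}

# Demo against the constructed sample; on a host, use /proc/self/mounts instead.
demo_mounts=$(mktemp) && write_sample_mounts "$demo_mounts"
audit_mounts "$demo_mounts" || echo "non-compliant mount points: $?"
rm -f "$demo_mounts"
```

Run `audit_mounts /proc/self/mounts` on a RHEL 7 host; a path that exits 2 is not a separate mount, which belongs to the separate-partition rules rather than to these option rules.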
Add noexec Option to /dev/shm

The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-2, PR.PT-3; SRG-OS-000368-GPOS-00154

Rationale: Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.

Identifier: CCE-80153-0
Remediation Shell script:

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    # Rendered here as the constant "no": /dev/shm need not already be in
    # /etc/fstab, so the check is skipped and a tmpfs entry is created if needed.
    if test "no" = 'yes'; then
        assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/dev/shm" "noexec" "tmpfs" "tmpfs"
    ensure_partition_is_mounted "/dev/shm"
}
perform_remediation
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_dev_shm_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80153-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_dev_shm_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80153-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission noexec are set on /dev/shm
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},noexec'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_dev_shm_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80153-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
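The three Ansible tasks above build a mount_info dictionary by zipping the lowercased header row of findmnt --fstab with its value row, then hand that dictionary to the mount module. The Python below is an added example, not part of the guide or of the scap-security-guide project; it mirrors that flow on a constructed findmnt output and makes explicit two conditions the tasks rely on: an empty result (findmnt exits 1 when the mount point is absent from /etc/fstab) means skip, and an option that is already present is not appended a second time. The function names and the sample output are assumptions of the example.

```python
"""Turn `findmnt --fstab <mountpoint>` output into the guide's mount_info dict."""
from typing import Dict, Optional

# Constructed sample of `findmnt --fstab /tmp` on a host whose fstab has a
# tmpfs row for /tmp: a header line followed by exactly one value row.
FINDMNT_TMP_STDOUT = """\
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  defaults,nosuid,nodev
"""


def parse_findmnt(stdout: str) -> Optional[Dict[str, str]]:
    """Build mount_info the way the with_together task does.

    Returns None for empty output, which is what findmnt produces (with exit
    status 1) when the mount point has no /etc/fstab row; the guide's tasks
    tolerate that via `failed_when: device_name.rc > 1` and then skip.
    """
    lines = stdout.splitlines()
    if len(lines) < 2:
        return None
    keys = lines[0].lower().split()      # TARGET SOURCE FSTYPE OPTIONS -> lowercase
    values = lines[1].split()
    if len(keys) != len(values):
        raise ValueError("findmnt row has an unexpected column count")
    return dict(zip(keys, values))


def new_options(mount_info: Dict[str, str], option: str) -> str:
    """Return the OPTIONS column with `option` present exactly once.

    The guide's task writes '{{ mount_info.options }},<option>' unconditionally;
    checking first keeps a re-run from producing 'defaults,noexec,noexec'.
    """
    opts = mount_info["options"].split(",")
    if option not in opts:
        opts.append(option)
    return ",".join(opts)


def mount_task_args(stdout: str, mount_point: str,
                    option: str) -> Optional[Dict[str, str]]:
    """Arguments the `mount:` task would receive, or None when it should skip."""
    info = parse_findmnt(stdout)
    if info is None:
        return None
    return {
        "path": mount_point,
        "src": info["source"],
        "fstype": info["fstype"],
        "opts": new_options(info, option),
        "state": "mounted",
    }
```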
Bind Mount /var/tmp To /tmp

The /var/tmp directory is a world-writable directory. Bind-mount it to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. To do so, edit /etc/fstab and add the following line:

/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0

See the mount(8) man page for further explanation of bind mounting.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-3

Rationale: Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections.

Identifier: CCE-80155-5
Remediation Shell script:

# Delete particular /etc/fstab's row if /var/tmp is already configured to
# represent a mount point (for some device or filesystem other than /tmp)
if grep -q -P '.*\/var\/tmp.*' /etc/fstab
then
    sed -i '/.*\/var\/tmp.*/d' /etc/fstab
fi
umount /var/tmp
# Bind-mount /var/tmp to /tmp via /etc/fstab (preserving the /etc/fstab form)
printf "%-24s%-24s%-8s%-32s%-3s\n" "/tmp" "/var/tmp" "none" "rw,nodev,noexec,nosuid,bind" "0 0" >> /etc/fstab
mkdir -p /var/tmp
mount -B /tmp /var/tmp
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_bind
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80155-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_bind
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80155-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission bind are set on /var/tmp
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},bind'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_bind
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80155-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:

part /var/tmp --mountoptions="bind"
Add nosuid Option to /var/log

The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-2, PR.PT-3; SRG-OS-000368-GPOS-00154

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.

Identifier: CCE-82144-7
Remediation Shell script:

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/log" "nosuid" "" ""
    ensure_partition_is_mounted "/var/log"
}
perform_remediation
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82144-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82144-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission nosuid are set on /var/log
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82144-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:

part /var/log --mountoptions="nosuid"
Add noexec Option to /var/log/audit

The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-2, PR.PT-3; SRG-OS-000368-GPOS-00154

Rationale: Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.

Identifier: CCE-82146-2
Remediation Shell script:

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/log/audit" "noexec" "" ""
    ensure_partition_is_mounted "/var/log/audit"
}
perform_remediation
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82146-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82146-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission noexec are set on /var/log/audit
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},noexec'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_audit_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82146-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:

part /var/log/audit --mountoptions="noexec"
Add nodev Option to /boot

The nodev mount option can be used to prevent device files from being created in /boot. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-2, PR.PT-3; SRG-OS-000368-GPOS-00154

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Identifier: CCE-82135-5
Remediation Shell script:

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /boot || { echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/boot" "nodev" "" ""
    ensure_partition_is_mounted "/boot"
}
perform_remediation
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/boot'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_boot_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82135-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_boot_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82135-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission nodev are set on /boot
  mount:
    path: /boot
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_boot_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82135-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:

part /boot --mountoptions="nodev"
Add nosuid Option to /boot

The nosuid mount option can be used to prevent execution of setuid programs in /boot. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-2, PR.PT-3; SRG-OS-000368-GPOS-00154

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.

Identifier: CCE-82138-9
Remediation Shell script:

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /boot || { echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/boot" "nosuid" "" ""
    ensure_partition_is_mounted "/boot"
}
perform_remediation
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/boot'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_boot_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82138-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_boot_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82138-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission nosuid are set on /boot
  mount:
    path: /boot
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_boot_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82138-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:

part /boot --mountoptions="nosuid"
Add noexec Option to /tmp

The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-2, PR.PT-3; SRG-OS-000368-GPOS-00154

Rationale: Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.

Identifier: CCE-80150-6
Remediation Shell script:

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/tmp" "noexec" "" ""
    ensure_partition_is_mounted "/tmp"
}
perform_remediation
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80150-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80150-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission noexec are set on /tmp
  mount:
    path: /tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},noexec'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80150-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:

part /tmp --mountoptions="noexec"
Add nosuid Option to /home

The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-2, PR.PT-3; SRG-OS-000368-GPOS-00154; DISA STIG RHEL-07-021000 (SV-86665r4_rule)

Rationale: The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.

Identifier: CCE-81153-9
Remediation Shell script:

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/home" "nosuid" "" ""
    ensure_partition_is_mounted "/home"
}
perform_remediation
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_home_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81153-9
    - DISA-STIG-RHEL-07-021000
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_home_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81153-9
    - DISA-STIG-RHEL-07-021000
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission nosuid are set on /home
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_home_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81153-9
    - DISA-STIG-RHEL-07-021000
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Remediation Anaconda snippet:

part /home --mountoptions="nosuid"
Add nodev Option to /var/tmp

The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

References: SRG-OS-000368-GPOS-00154

Rationale: The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Identifier: CCE-81052-3
Remediation Shell script:

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/tmp" "nodev" "" ""
    ensure_partition_is_mounted "/var/tmp"
}
perform_remediation
Remediation Ansible snippet:

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81052-3

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81052-3

- name: Ensure permission nodev are set on /var/tmp
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nodev'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81052-3
Remediation Anaconda snippet:

part /var/tmp --mountoptions="nodev"
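Every "Add <option> to <mount point>" rule in this section, and the /var/tmp bind mount, follows one pattern: locate the /etc/fstab row for the mount point, make sure the option is in its fourth column, and either refuse when the row is missing or, for /dev/shm only, create a tmpfs row. The Python below is an added example, not part of the guide or of the scap-security-guide project, that audits a constructed fstab against the options rendered in this section and applies that remediation logic, including the bind-mount line for /var/tmp; the function names, the RECOMMENDED table and the sample fstab are assumptions of the example.

```python
"""Audit and remediate hardening mount options in an /etc/fstab table."""
from typing import Dict, List, Optional, Set

# Options rendered in this section of the guide, per mount point
# (constructed subset for the example; the full guide lists more).
RECOMMENDED: Dict[str, Set[str]] = {
    "/dev/shm": {"nodev", "noexec"},
    "/tmp": {"noexec"},
    "/var/tmp": {"nodev"},
    "/var/log": {"nosuid"},
    "/var/log/audit": {"noexec"},
    "/boot": {"nodev", "nosuid"},
    "/home": {"nosuid"},
}

# Mount points whose row may be created as tmpfs when absent; this is the
# guide's "mount_has_to_exist = no" case, used only for /dev/shm above.
TMPFS_IF_MISSING = {"/dev/shm"}

# Constructed sample fstab; the UUID values are placeholders, not real ones.
SAMPLE_FSTAB = """\
# constructed sample, not taken from a real system
UUID=PLACEHOLDER-ROOT  /         xfs    defaults               0 0
UUID=PLACEHOLDER-BOOT  /boot     xfs    defaults               1 2
UUID=PLACEHOLDER-HOME  /home     xfs    defaults,nodev         1 2
tmpfs                  /tmp      tmpfs  defaults,nosuid,nodev  0 0
UUID=PLACEHOLDER-LOG   /var/log  xfs    defaults,nosuid        1 2
"""


def _columns(line: str) -> Optional[List[str]]:
    """Split one fstab line into its columns; None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    cols = stripped.split()
    return cols if len(cols) >= 4 else None


def _is_row_for(line: str, mount_point: str) -> bool:
    """True when the line's second column (the mount point) matches exactly."""
    cols = _columns(line)
    return bool(cols) and cols[1] == mount_point


def options_for(fstab: str, mount_point: str) -> Optional[Set[str]]:
    """Return the fourth-column options of mount_point, or None if no row."""
    for line in fstab.splitlines():
        if _is_row_for(line, mount_point):
            return set(_columns(line)[3].split(","))
    return None


def audit(fstab: str) -> Dict[str, Optional[Set[str]]]:
    """Map each recommended mount point to the options it still lacks.

    None means the mount point has no fstab row at all; for everything but
    /dev/shm the guide's remediation refuses to act in that case.
    """
    report: Dict[str, Optional[Set[str]]] = {}
    for mount_point, wanted in RECOMMENDED.items():
        present = options_for(fstab, mount_point)
        report[mount_point] = None if present is None else wanted - present
    return report


def ensure_mount_option(fstab: str, mount_point: str, option: str) -> str:
    """Return fstab text with option present in mount_point's fourth column.

    Idempotent: an option already listed is not duplicated. A missing row is
    appended as tmpfs only for TMPFS_IF_MISSING mount points; otherwise
    ValueError mirrors the shell remediation's "Not remediating" exit.
    """
    out: List[str] = []
    found = False
    for line in fstab.splitlines():
        if _is_row_for(line, mount_point):
            found = True
            cols = _columns(line)
            opts = cols[3].split(",")
            if option not in opts:
                opts.append(option)
            cols[3] = ",".join(opts)
            line = "\t".join(cols)
        out.append(line)
    if not found:
        if mount_point not in TMPFS_IF_MISSING:
            raise ValueError(f"no record of {mount_point} in fstab; not remediating")
        out.append("\t".join(["tmpfs", mount_point, "tmpfs", option, "0", "0"]))
    return "\n".join(out) + "\n"


def bind_var_tmp_to_tmp(fstab: str) -> str:
    """Drop any existing /var/tmp row and append the guide's bind-mount line.

    Unlike the guide's sed, which deletes every line mentioning /var/tmp,
    this removes only rows whose mount point column is exactly /var/tmp.
    """
    kept = [ln for ln in fstab.splitlines() if not _is_row_for(ln, "/var/tmp")]
    kept.append("/tmp\t/var/tmp\tnone\trw,nodev,noexec,nosuid,bind\t0\t0")
    return "\n".join(kept) + "\n"
```

Running audit on the sample shows /boot lacking both options, /home lacking nosuid, and /var/log/audit with no row at all, which is the case the shell remediation declines to fix.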
Add nosuid Option to Removable Media Partitions

The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

References: CCI-000366; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3; SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-021010 (SV-86667r2_rule)

Rationale: The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

Identifier: CCE-80148-0
Remediation Shell script:

# XCCDF value var_removable_partition: the removable media mount point to
# harden (left empty in this rendering; set it before running).
var_removable_partition=""

# The helpers used below (assert_mount_point_in_fstab, ensure_mount_option_in_fstab,
# ensure_partition_is_mounted) come from the guide's shared mount-options library:
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "$var_removable_partition" "nosuid" "" ""
    ensure_partition_is_mounted "$var_removable_partition"
}
perform_remediation
Remediation Ansible snippet:

- name: XCCDF Value var_removable_partition # promote to variable
  set_fact:
    var_removable_partition: !!str
  tags:
    - always

- name: get back mount information associated to mountpoint
  command: findmnt --fstab '{{ var_removable_partition }}'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_nosuid_removable_partitions
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80148-0
    - DISA-STIG-RHEL-07-021010
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_nosuid_removable_partitions
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80148-0
    - DISA-STIG-RHEL-07-021010
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure permission nosuid are set on var_removable_partition
  mount:
    path: '{{ var_removable_partition }}'
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},nosuid'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_nosuid_removable_partitions
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80148-0
    - DISA-STIG-RHEL-07-021010
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
Add noexec Option to Removable Media Partitions

The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

References: CCI-000087; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3

Rationale: Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Identifier: CCE-80147-2
var_removable_partition=""
include_mount_options_functions
function perform_remediation {
# test "$mount_has_to_exist" = 'yes'
if test "yes" = 'yes'; then
assert_mount_point_in_fstab "$var_removable_partition" || { echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2; return 1; }
fi
ensure_mount_option_in_fstab "$var_removable_partition" "noexec" "" ""
ensure_partition_is_mounted "$var_removable_partition"
}
perform_remediation
- name: XCCDF Value var_removable_partition # promote to variable
set_fact:
var_removable_partition: !!str
tags:
- always
- name: get back mount information associated to mountpoint
command: findmnt --fstab '{{ var_removable_partition }}'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- mount_option_noexec_removable_partitions
- unknown_severity
- configure_strategy
- low_complexity
- high_disruption
- no_reboot_needed
- CCE-80147-2
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-MP-7
- name: create mount_info dictionary variable
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- mount_option_noexec_removable_partitions
- unknown_severity
- configure_strategy
- low_complexity
- high_disruption
- no_reboot_needed
- CCE-80147-2
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-MP-7
- name: Ensure permission noexec are set on var_removable_partition
mount:
path: '{{ var_removable_partition }}'
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }},noexec'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- device_name.stdout is defined
- (device_name.stdout | length > 0)
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- mount_option_noexec_removable_partitions
- unknown_severity
- configure_strategy
- low_complexity
- high_disruption
- no_reboot_needed
- CCE-80147-2
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-MP-7
Add noexec Option to /var/log

Description: The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

References: NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7; NIST CSF PR.IP-1, PR.PT-2, PR.PT-3; DISA SRG SRG-OS-000368-GPOS-00154

Rationale: Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise.

Identifiers: CCE-82142-1

Remediation Shell script:
# assert_mount_point_in_fstab, ensure_mount_option_in_fstab and
# ensure_partition_is_mounted are the guide's shared mount-option helper
# functions, pulled in by the line below.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/log" "noexec" "" ""
    ensure_partition_is_mounted "/var/log"
}
perform_remediation

Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82142-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82142-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7
- name: Ensure permission noexec are set on /var/log
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},noexec'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_log_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82142-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Kickstart snippet:
part /var/log --mountoptions="noexec"
Add noexec Option to /var/tmp

Description: The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

References: ANSSI BP-028 NT28(R12); CIS 1.1.10; DISA SRG SRG-OS-000368-GPOS-00154

Rationale: Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.

Identifiers: CCE-82150-4

Remediation Shell script:
# assert_mount_point_in_fstab, ensure_mount_option_in_fstab and
# ensure_partition_is_mounted are the guide's shared mount-option helper
# functions, pulled in by the line below.
include_mount_options_functions
function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
    fi
    ensure_mount_option_in_fstab "/var/tmp" "noexec" "" ""
    ensure_partition_is_mounted "/var/tmp"
}
perform_remediation

Remediation Ansible snippet:
- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82150-4
- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82150-4
- name: Ensure permission noexec are set on /var/tmp
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},noexec'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82150-4

Remediation Kickstart snippet:
part /var/tmp --mountoptions="noexec"
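The three mount-option rules above (removable media, /var/log, /var/tmp) all come down to the same edit: put an option in the fourth column of the matching /etc/fstab line, without duplicating it on a second run. The following is an added example, not code from the SCAP Security Guide, showing an audit function and an idempotent editor for that column. The fstab contents and the /media/usb mount point for removable media are constructed for the example; the functions operate on whatever file path they are given, so they can be pointed at a copy of /etc/fstab.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): audit and idempotently
# set a mount option in the fourth column of an fstab-style file. Every input
# below is a constructed sample written to a temporary file.

# fstab_has_option FILE MOUNTPOINT OPTION
# Exit 0 when the non-comment line whose second field is MOUNTPOINT lists
# OPTION in its fourth (mount options) field, 1 otherwise.
fstab_has_option() {
    awk -v mp="$2" -v opt="$3" '
        $0 !~ /^[[:space:]]*#/ && NF >= 4 && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# fstab_add_option FILE MOUNTPOINT OPTION
# Append OPTION to the fourth field of the MOUNTPOINT line unless it is
# already there. The rewritten line is re-joined with single spaces, which
# fstab accepts; the file is replaced only after awk succeeds.
fstab_add_option() {
    tmp=$(mktemp) || return 1
    awk -v mp="$2" -v opt="$3" '
        $0 !~ /^[[:space:]]*#/ && NF >= 4 && $2 == mp {
            n = split($4, o, ",")
            have = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) have = 1
            if (!have) $4 = $4 "," opt
        }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# report_missing FILE
# Print one line per expected hardening option that is absent; exit 1 if
# anything is missing. The /media/usb entry stands in for removable media.
report_missing() {
    file=$1
    missing=0
    for pair in "/var/log:noexec" "/var/tmp:noexec" "/media/usb:noexec"; do
        mp=${pair%%:*}; opt=${pair#*:}
        if ! fstab_has_option "$file" "$mp" "$opt"; then
            echo "$mp is missing $opt"
            missing=1
        fi
    done
    return $missing
}

# write_sample_fstab FILE: a constructed fstab, not taken from any real host.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample /etc/fstab
UUID=0000-SAMPLE-ROOT  /          xfs   defaults                  0 0
UUID=0000-SAMPLE-LOG   /var/log   xfs   defaults,nodev,nosuid     0 0
UUID=0000-SAMPLE-TMP   /var/tmp   xfs   defaults,nodev,noexec     0 0
/dev/sdb1              /media/usb vfat  noauto,user,nodev,nosuid  0 0
EOF
}
```

Editing /etc/fstab only changes what the next mount sees; an already-mounted filesystem still needs a remount (the guide's ensure_partition_is_mounted helper does that step), and `findmnt -o TARGET,OPTIONS /var/log` shows the options actually in force.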
Restrict Programs from Dangerous Execution Patterns

The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs.

Disable Kernel Image Loading

Description: To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1

References: DISA SRG SRG-OS-000480-GPOS-00227

Rationale: Disabling kexec_load allows greater control of the kernel memory: once it has been disabled, it is impossible to load another kernel image.

Identifiers: CCE-81056-4

Remediation Shell script:
#
# Set runtime for kernel.kexec_load_disabled
#
/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1"
#
# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf
# (replace_or_append is one of the guide's shared remediation functions)
#
replace_or_append '/etc/sysctl.conf' '^kernel.kexec_load_disabled' "1" 'CCE-81056-4'

Remediation Ansible snippet:
- name: Ensure sysctl kernel.kexec_load_disabled is set to 1
  sysctl:
    name: kernel.kexec_load_disabled
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_kernel_kexec_load_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81056-4
Disallow kernel profiling by unprivileged users

Description: To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:
$ sudo sysctl -w kernel.perf_event_paranoid=2
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_paranoid = 2

References: ANSSI BP-028 NT28(R23); OSPP FMT_SMF_EXT.1; DISA SRG SRG-OS-000132-GPOS-00067

Rationale: Kernel profiling can reveal sensitive information about kernel behaviour.

Identifiers: CCE-81053-1

Remediation Shell script:
#
# Set runtime for kernel.perf_event_paranoid
#
/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2"
#
# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2"
# else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf
# (replace_or_append is one of the guide's shared remediation functions)
#
replace_or_append '/etc/sysctl.conf' '^kernel.perf_event_paranoid' "2" 'CCE-81053-1'

Remediation Ansible snippet:
- name: Ensure sysctl kernel.perf_event_paranoid is set to 2
  sysctl:
    name: kernel.perf_event_paranoid
    value: '2'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_kernel_perf_event_paranoid
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81053-1
Disable vsyscalls

Description: To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="vsyscall=none"
The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

References: NIST SP 800-53 CM-7(a); DISA SRG SRG-OS-000480-GPOS-00227

Rationale: Virtual syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

Identifiers: CCE-82159-5

Remediation Shell script:
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*vsyscall=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if a vsyscall= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)vsyscall=[^[:space:]]*\(.*"\)/\1 vsyscall=none \2/' '/etc/default/grub'
else
    # no vsyscall= arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 vsyscall=none"/' '/etc/default/grub'
fi
# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="vsyscall=none"

Remediation Ansible snippet:
- name: check vsyscall argument exists
  command: grep 'GRUB_CMDLINE_LINUX.*vsyscall=' /etc/default/grub
  failed_when: false
  register: argcheck
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_vsyscall_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82159-5
    - NIST-800-53-CM-7(a)
- name: replace existing vsyscall argument
  replace:
    path: /etc/default/grub
    # match the whole existing value (e.g. vsyscall=emulate), not just its
    # first character, so the replacement does not yield vsyscall=nonemulate
    regexp: 'vsyscall=[^\s"]*'
    replace: vsyscall=none
  when:
    - argcheck.rc == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_vsyscall_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82159-5
    - NIST-800-53-CM-7(a)
- name: add vsyscall argument
  replace:
    path: /etc/default/grub
    regexp: (GRUB_CMDLINE_LINUX=.*)"
    replace: \1 vsyscall=none"
  when:
    - argcheck.rc != 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_vsyscall_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82159-5
    - NIST-800-53-CM-7(a)
- name: update bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="vsyscall=none"
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_vsyscall_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82159-5
    - NIST-800-53-CM-7(a)
Restrict usage of ptrace to descendant processes

Description: To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:
$ sudo sysctl -w kernel.yama.ptrace_scope=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1

References: ANSSI BP-028 NT28(R25); DISA SRG SRG-OS-000132-GPOS-00067

Rationale: Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the same user. In this way an attacker can steal sensitive information from those target processes (e.g. SSH sessions, web browsers) without any additional assistance from the user (i.e. without resorting to phishing).

Identifiers: CCE-81058-0

Remediation Shell script:
#
# Set runtime for kernel.yama.ptrace_scope
#
/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1"
#
# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf
# (replace_or_append is one of the guide's shared remediation functions)
#
replace_or_append '/etc/sysctl.conf' '^kernel.yama.ptrace_scope' "1" 'CCE-81058-0'

Remediation Ansible snippet:
- name: Ensure sysctl kernel.yama.ptrace_scope is set to 1
  sysctl:
    name: kernel.yama.ptrace_scope
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_kernel_yama_ptrace_scope
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81058-0
Restrict Access to Kernel Message Buffer

Description: To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1

References: ANSSI BP-028 NT28(R23); NIST SP 800-171 3.1.5; CCI-001314; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e); NIST SP 800-53 SI-11(a), SI-11(b); DISA SRG SRG-OS-000132-GPOS-00067

Rationale: Unprivileged access to the kernel syslog can expose sensitive kernel address information.

Identifiers: CCE-27050-4

Remediation Shell script:
#
# Set runtime for kernel.dmesg_restrict
#
/sbin/sysctl -q -n -w kernel.dmesg_restrict="1"
#
# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
# (replace_or_append is one of the guide's shared remediation functions)
#
replace_or_append '/etc/sysctl.conf' '^kernel.dmesg_restrict' "1" 'CCE-27050-4'

Remediation Ansible snippet:
- name: Ensure sysctl kernel.dmesg_restrict is set to 1
  sysctl:
    name: kernel.dmesg_restrict
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_kernel_dmesg_restrict
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-27050-4
    - NIST-800-171-3.1.5
    - NIST-800-53-SI-11(a)
    - NIST-800-53-SI-11(b)
Daemon Umask

The umask is a per-process setting which limits the default permissions for creation of new files and directories. The system includes initialization scripts which set the default umask for system daemons.

Value var_umask_for_daemons (daemon umask): Enter umask for daemons. Choices: 022, 027. Default: 022.

Set Daemon Umask

Description: The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. By default, the umask of 022 is set, which prevents creation of group- or world-writable files. To set the umask for daemons expected by the profile, edit the following line:
umask

Warning: Setting the umask to too restrictive a setting can cause serious errors at runtime.

References: CIS CSC 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; ISA-62443-2013 4.3.3.7.3; ISA-62443-2009 SR 2.1, SR 5.2; ISO/IEC 27001 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 CM-6(a), AC-6(1); NIST CSF PR.AC-4, PR.DS-5

Rationale: The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

Identifiers: CCE-27068-6

Remediation Shell script:
# var_umask_for_daemons is the XCCDF value "daemon umask" selected by the
# profile (022 or 027); it is blank in this generic rendering.
var_umask_for_daemons=""
# Rewrite an existing umask line; if grep finds none, the && chain fails
# and a new line is appended instead.
grep -q ^umask /etc/init.d/functions && \
    sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
if ! [ $? -eq 0 ]; then
    echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
fi
Memory Poisoning

Memory poisoning consists of writing a special value to uninitialized or freed memory. Poisoning can be used as a mechanism to prevent leaks of information and to detect corrupted memory.

Enable SLUB/SLAB allocator poisoning

Description: To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="slub_debug=P"
The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

References: NIST SP 800-53 CM-6(a); DISA SRG SRG-OS-000433-GPOS-00192

Rationale: Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also helps prevent leaks of data and aids detection of corrupted memory.

Identifiers: CCE-82157-9

Remediation Shell script:
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*slub_debug=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if a slub_debug= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)slub_debug=[^[:space:]]*\(.*"\)/\1 slub_debug=P \2/' '/etc/default/grub'
else
    # no slub_debug= arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 slub_debug=P"/' '/etc/default/grub'
fi
# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="slub_debug=P"

Remediation Ansible snippet:
- name: check slub_debug argument exists
  command: grep 'GRUB_CMDLINE_LINUX.*slub_debug=' /etc/default/grub
  failed_when: false
  register: argcheck
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_slub_debug_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82157-9
    - NIST-800-53-CM-6(a)
- name: replace existing slub_debug argument
  replace:
    path: /etc/default/grub
    # match the whole existing value (e.g. slub_debug=FZ), not just its
    # first character, so the replacement does not leave trailing flags behind
    regexp: 'slub_debug=[^\s"]*'
    replace: slub_debug=P
  when:
    - argcheck.rc == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_slub_debug_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82157-9
    - NIST-800-53-CM-6(a)
- name: add slub_debug argument
  replace:
    path: /etc/default/grub
    regexp: (GRUB_CMDLINE_LINUX=.*)"
    replace: \1 slub_debug=P"
  when:
    - argcheck.rc != 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_slub_debug_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82157-9
    - NIST-800-53-CM-6(a)
- name: update bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="slub_debug=P"
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_slub_debug_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82157-9
    - NIST-800-53-CM-6(a)
Enable page allocator poisoning

Description: To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="page_poison=1"
The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

References: NIST SP 800-53 CM-6(a); DISA SRG SRG-OS-000480-GPOS-00227

Rationale: Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also helps prevent leaks of data and aids detection of corrupted memory.

Identifiers: CCE-82158-7

Remediation Shell script:
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*page_poison=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if a page_poison= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)page_poison=[^[:space:]]*\(.*"\)/\1 page_poison=1 \2/' '/etc/default/grub'
else
    # no page_poison= arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 page_poison=1"/' '/etc/default/grub'
fi
# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="page_poison=1"

Remediation Ansible snippet:
- name: check page_poison argument exists
  command: grep 'GRUB_CMDLINE_LINUX.*page_poison=' /etc/default/grub
  failed_when: false
  register: argcheck
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_page_poison_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82158-7
    - NIST-800-53-CM-6(a)
- name: replace existing page_poison argument
  replace:
    path: /etc/default/grub
    # match the whole existing value, not just its first character
    regexp: 'page_poison=[^\s"]*'
    replace: page_poison=1
  when:
    - argcheck.rc == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_page_poison_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82158-7
    - NIST-800-53-CM-6(a)
- name: add page_poison argument
  replace:
    path: /etc/default/grub
    regexp: (GRUB_CMDLINE_LINUX=.*)"
    replace: \1 page_poison=1"
  when:
    - argcheck.rc != 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_page_poison_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82158-7
    - NIST-800-53-CM-6(a)
- name: update bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="page_poison=1"
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - grub2_page_poison_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82158-7
    - NIST-800-53-CM-6(a)
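The vsyscall=none, slub_debug=P and page_poison=1 rules each edit /etc/default/grub and the installed boot entries, but none of them says how to confirm the result after the reboot. The following is an added example, not code from the SCAP Security Guide, that reads the effective value of a kernel argument from a /proc/cmdline-style string (where the kernel honours the last occurrence of a repeated argument) and from the GRUB_CMDLINE_LINUX line of an /etc/default/grub-style file, and reports which of the three required arguments are missing or wrong. The command lines and the grub file are constructed samples; `cmdline_value "$(cat /proc/cmdline)" vsyscall` is the real-host usage.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): verify the kernel
# arguments required by the vsyscall, slub_debug and page_poison rules.
# All inputs below are constructed samples.

# cmdline_value CMDLINE ARG
# Print the value of ARG from a kernel command line. When ARG is repeated the
# kernel takes the last occurrence, so the last value wins here too. Values
# quoted with spaces inside are not handled. Exit 1 when ARG is absent.
cmdline_value() {
    printf '%s\n' "$1" | awk -v arg="$2" '
        {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == arg) { val = substr($i, length(arg) + 2); found = 1 }
            }
        }
        END { if (!found) exit 1; print val }'
}

# grub_default_cmdline FILE
# Print the contents of GRUB_CMDLINE_LINUX="..." from an /etc/default/grub
# style file (last assignment wins, surrounding quotes stripped).
grub_default_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# check_required CMDLINE
# Compare each required ARG=VALUE pair against CMDLINE; print one line per
# mismatch and exit 1 if any were found.
check_required() {
    rc=0
    for want in vsyscall=none slub_debug=P page_poison=1; do
        arg=${want%%=*}; expect=${want#*=}
        got=$(cmdline_value "$1" "$arg") || got="<absent>"
        if [ "$got" != "$expect" ]; then
            echo "$arg: expected $expect, found $got"
            rc=1
        fi
    done
    return $rc
}

# write_sample_grub FILE: a constructed /etc/default/grub with all three
# arguments already present.
write_sample_grub() {
    cat > "$1" <<'EOF'
# constructed sample /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet vsyscall=none slub_debug=P page_poison=1"
EOF
}

# A constructed /proc/cmdline in which an older vsyscall=emulate was never
# removed (the later vsyscall=none still wins) and page_poison is missing.
SAMPLE_RUNTIME_CMDLINE='BOOT_IMAGE=/vmlinuz-3.10.0 root=/dev/mapper/rhel-root ro vsyscall=emulate slub_debug=P vsyscall=none quiet'
```

Checking /proc/cmdline rather than the config files is what tells you the running kernel actually booted with the settings; a stale grub.cfg or an entry that grubby did not update shows up here as a mismatch even when /etc/default/grub looks correct.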
Disable Core Dumps

A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to access these files. The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space.
Once a hard limit is set in /etc/security/limits.conf, a user cannot increase that limit within his or her own session. If access to core dumps is required, consider restricting them to only certain users or groups. See the limits.conf man page for more information.
The core dumps of setuid programs are further protected. The sysctl variable fs.suid_dumpable controls whether the kernel allows core dumps from these programs at all. The default value of 0 is recommended.

Disable core dump backtraces

Description: The ProcessSizeMax option in the [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.

Warning: If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

References: OSPP FMT_SMF_EXT.1; DISA SRG SRG-OS-000480-GPOS-00227

Rationale: A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.

Remediation Shell script:
if [ -e "/etc/systemd/coredump.conf" ] ; then
    # drop any existing ProcessSizeMax assignment (case-insensitive)
    LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf"
else
    touch "/etc/systemd/coredump.conf"
fi
cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
# Insert at the end of the file; this lands in the [Coredump] section only if
# that section header is already present (see the warning above).
printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf"
# Clean up after ourselves.
rm "/etc/systemd/coredump.conf.bak"

Remediation Ansible snippet:
- name: Disable core dump backtraces
  block:
    - name: Deduplicate values from /etc/systemd/coredump.conf
      lineinfile:
        path: /etc/systemd/coredump.conf
        create: false
        regexp: ^\s*ProcessSizeMax\s*=\s*
        state: absent
    - name: Insert correct line to /etc/systemd/coredump.conf
      lineinfile:
        path: /etc/systemd/coredump.conf
        create: false
        line: ProcessSizeMax=0
        state: present
  tags:
    - coredump_disable_backtraces
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Remediation MachineConfig (OpenShift) snippet:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
        - contents:
            source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
          filesystem: root
          mode: 0644
          path: /etc/systemd/coredump.conf
Disable Core Dumps for SUID programs

Description: To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
fs.suid_dumpable = 0

References: ANSSI BP-028 NT28(R23); CIS 1.5.1; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e); NIST SP 800-53 SI-11(a), SI-11(b)

Rationale: The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

Identifiers: CCE-26900-1

Remediation Shell script:
#
# Set runtime for fs.suid_dumpable
#
/sbin/sysctl -q -n -w fs.suid_dumpable="0"
#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
# (replace_or_append is one of the guide's shared remediation functions)
#
replace_or_append '/etc/sysctl.conf' '^fs.suid_dumpable' "0" 'CCE-26900-1'

Remediation Ansible snippet:
- name: Ensure sysctl fs.suid_dumpable is set to 0
  sysctl:
    name: fs.suid_dumpable
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sysctl_fs_suid_dumpable
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-26900-1
    - NIST-800-53-SI-11(a)
    - NIST-800-53-SI-11(b)
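The five sysctl rules in this part of the guide (kernel.kexec_load_disabled, kernel.perf_event_paranoid, kernel.yama.ptrace_scope, kernel.dmesg_restrict and fs.suid_dumpable) describe the persistent setting as a line in a file under /etc/sysctl.d, while their shell remediations write to /etc/sysctl.conf. Both work only because of how the files are applied: `sysctl --system` reads the sysctl.d fragments in name order and /etc/sysctl.conf after them, and the last assignment of a key wins, so a stale line in a later file silently undoes a hardening drop-in. The following is an added example, not code from the SCAP Security Guide, that resolves the effective boot-time value of each key from a set of files and reports drift from the values the rules require. The directory tree is a constructed sample; it models only one sysctl.d directory plus sysctl.conf, whereas a real host also applies /run/sysctl.d, /usr/lib/sysctl.d and /lib/sysctl.d.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide): compute the value a
# sysctl key ends up with after all fragments are applied in order, then diff
# the result against the hardening baseline. Inputs are constructed samples.

# sysctl_file_order DIR
# Print DIR/sysctl.d/*.conf sorted by name, then DIR/sysctl.conf, which is
# the order sysctl --system applies them (simplified to one drop-in dir).
sysctl_file_order() {
    ls "$1"/sysctl.d/*.conf 2>/dev/null | sort
    [ -f "$1/sysctl.conf" ] && echo "$1/sysctl.conf"
    return 0
}

# sysctl_effective KEY FILE...
# Print the value the last FILE assigning KEY gives it. Accepts "key = value"
# and "key=value", slash-separated keys (kernel/yama/ptrace_scope), a leading
# "-" (the ignore-errors marker), comments and blank lines. Exit 1 if unset.
sysctl_effective() {
    key=$1; shift
    [ $# -gt 0 ] || return 1
    awk -v key="$key" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", k); sub(/^-/, "", k); gsub(/\//, ".", k)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }' "$@"
}

# sysctl_drift DIR
# Print "key expected actual" for each required key whose effective value
# differs from the baseline; exit 1 if any drift was found.
sysctl_drift() {
    files=$(sysctl_file_order "$1")
    rc=0
    for want in kernel.kexec_load_disabled=1 kernel.perf_event_paranoid=2 \
                kernel.yama.ptrace_scope=1 kernel.dmesg_restrict=1 fs.suid_dumpable=0; do
        key=${want%%=*}; expect=${want#*=}
        # word-splitting $files into separate file arguments is intended
        actual=$(sysctl_effective "$key" $files) || actual="<unset>"
        if [ "$actual" != "$expect" ]; then
            echo "$key $expect $actual"
            rc=1
        fi
    done
    return $rc
}

# write_sample_tree DIR: constructed fragments reproducing a common mistake,
# a hardening drop-in under sysctl.d that a stale line in sysctl.conf undoes.
write_sample_tree() {
    mkdir -p "$1/sysctl.d"
    cat > "$1/sysctl.d/50-default.conf" <<'EOF'
# constructed distribution default, applied first
kernel/yama/ptrace_scope = 0
EOF
    cat > "$1/sysctl.d/99-hardening.conf" <<'EOF'
# constructed hardening drop-in
kernel.kexec_load_disabled = 1
kernel.perf_event_paranoid = 2
kernel.yama.ptrace_scope = 1
kernel.dmesg_restrict = 1
fs.suid_dumpable = 0
EOF
    cat > "$1/sysctl.conf" <<'EOF'
# constructed legacy file; sysctl --system reads it after sysctl.d
kernel.dmesg_restrict = 0
EOF
}
```

On a live host the file-level answer still has to be compared with the running kernel (`sysctl -n kernel.dmesg_restrict`); the Ansible sysctl tasks above do both, since they write the file and reload, whereas a value only written to a file takes effect at the next `sysctl --system` or reboot.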
Disable storing core dump

Description: The Storage option in the [Coredump] section of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.

Warning: If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

References: OSPP FMT_SMF_EXT.1; DISA SRG SRG-OS-000480-GPOS-00227

Rationale: A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.

Remediation Shell script:
if [ -e "/etc/systemd/coredump.conf" ] ; then
    # drop any existing Storage assignment (case-insensitive)
    LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf"
else
    touch "/etc/systemd/coredump.conf"
fi
cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
# Insert at the end of the file; this lands in the [Coredump] section only if
# that section header is already present (see the warning above).
printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf"
# Clean up after ourselves.
rm "/etc/systemd/coredump.conf.bak"

Remediation Ansible snippet:
- name: Disable storing core dump
  block:
    - name: Deduplicate values from /etc/systemd/coredump.conf
      lineinfile:
        path: /etc/systemd/coredump.conf
        create: false
        regexp: ^\s*Storage\s*=\s*
        state: absent
    - name: Insert correct line to /etc/systemd/coredump.conf
      lineinfile:
        path: /etc/systemd/coredump.conf
        create: false
        line: Storage=none
        state: present
  tags:
    - coredump_disable_storage
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Remediation MachineConfig (OpenShift) snippet:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
        - contents:
            source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
          filesystem: root
          mode: 0644
          path: /etc/systemd/coredump.conf
Disable Core Dumps for All Users
To disable core dumps for all users, add the following line to
/etc/security/limits.conf:
* hard core 0
1.5.1112131516278APO13.01BAI04.04DSS01.03DSS03.05DSS05.07SR 6.2SR 7.1SR 7.2A.12.1.3A.17.2.1DE.CM-1PR.DS-4SRG-OS-000480-GPOS-00227
A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.
CCE-80169-6
SECURITY_LIMITS_FILE="/etc/security/limits.conf"
if grep -qE '\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then
sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE
else
echo "* hard core 0" >> $SECURITY_LIMITS_FILE
fi
- name: disable core dumps with limits
lineinfile:
dest: /etc/security/limits.conf
regexp: ^[^#].*core
line: '* hard core 0'
create: true
tags:
- disable_users_coredumps
- unknown_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80169-6
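The following is an added example, not code from the guide or from the scap-security-guide project: a read-only check of the two core-dump controls above, the limits.conf hard limit and the systemd-coredump Storage setting. The file paths are arguments so the check can run against the constructed samples created inside the block; on a live host pass /etc/security/limits.conf and /etc/systemd/coredump.conf. Function names are my own.

```shell
# Added example (not from the guide): read-only check of both core-dump controls.
# Usage: check_coredump_config LIMITS_CONF COREDUMP_CONF

# conf_last_value FILE KEY: value of the last uncommented "KEY=VALUE" line.
# systemd applies later assignments over earlier ones, so the last one counts.
conf_last_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# limits_core_disabled FILE: 0 when an active "* hard core 0" entry is present.
limits_core_disabled() {
    grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' "$1"
}

# coredump_storage_none FILE: 0 when systemd-coredump is told to store nothing.
coredump_storage_none() {
    [ "$(conf_last_value "$1" Storage)" = "none" ]
}

# check_coredump_config LIMITS COREDUMP: one PASS/FAIL line per control,
# returns 0 only when both pass.
check_coredump_config() {
    rc=0
    if limits_core_disabled "$1"; then
        echo "PASS: $1 disables core dumps for all users"
    else
        echo "FAIL: $1 has no active '* hard core 0' line"; rc=1
    fi
    if coredump_storage_none "$2"; then
        echo "PASS: $2 sets Storage=none"
    else
        echo "FAIL: $2 last Storage value is '$(conf_last_value "$2" Storage)', expected none"; rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files).
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
cat > "$tmpd/limits.conf" <<'EOF'
# constructed /etc/security/limits.conf
#*       hard    core    0
*        hard    core    0
EOF
cat > "$tmpd/coredump.conf" <<'EOF'
[Coredump]
#Storage=external
Storage=external
Storage=none
EOF
cat > "$tmpd/coredump-bad.conf" <<'EOF'
[Coredump]
Storage=none
Storage=external
EOF
check_coredump_config "$tmpd/limits.conf" "$tmpd/coredump.conf"
```

Only the last uncommented Storage= line counts, which mirrors how systemd reads its configuration; a stray Storage=external after the hardened line therefore fails the check. The remediation above sidesteps that by deleting every existing Storage line before appending its own.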
Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems
Recent processors in the x86 family support the
ability to prevent code execution on a per memory page basis.
Generically and on AMD processors, this ability is called No
Execute (NX), while on Intel processors it is called Execute
Disable (XD). This ability can help prevent exploitation of buffer
overflow vulnerabilities and should be activated whenever possible.
Extra steps must be taken to ensure that this protection is
enabled, particularly on 32-bit x86 systems. Other processors, such
as Itanium and POWER, have included such support since inception
and the standard kernel for those platforms supports the
feature. This is enabled by default on the latest Red Hat and
Fedora systems if supported by the hardware.
Install PAE Kernel on Supported 32-bit x86 Systems
Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support.
The kernel-PAE package can be installed with the following command:
$ sudo yum install kernel-PAE
The installation process should also have configured the
bootloader to load the new kernel at boot. Verify this after reboot
and modify /etc/default/grub if necessary.
The kernel-PAE package should not be
installed on older systems that do not support the XD or NX bit, as
this may prevent them from booting.
81139BAI10.01BAI10.02BAI10.03BAI10.053.1.74.3.4.3.24.3.4.3.3SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4CM-6(a)PR.IP-1
On 32-bit systems that support the XD or NX bit, the vendor-supplied
PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
CCE-27116-3
Enable NX or XD Support in the BIOS
Reboot the system and enter the BIOS or Setup configuration menu.
Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
on AMD-based systems.
1139BAI10.01BAI10.02BAI10.03BAI10.053.1.74.3.4.3.24.3.4.3.3SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4SC-39CM-6(a)PR.IP-1
Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
allow users to turn the feature on or off at will.
CCE-27099-1
Enable ExecShield
ExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default
on 32-bit systems and controlled through sysctl variables
kernel.exec-shield and kernel.randomize_va_space. On the latest
64-bit systems, kernel.exec-shield cannot be enabled or disabled with
sysctl.
Restrict Exposed Kernel Pointer Addresses Access
To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=1
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 1
NT28(R23)SC-30SC-30(2)SC-30(5)CM-6(a)SRG-OS-000132-GPOS-00067
Exposing kernel pointers (through procfs or seq_printf()) exposes
kernel writeable structures that can contain function pointers. If a write vulnerability occurs
in the kernel allowing write access to any of these structures, the kernel can be compromised. This
option disallows any program without the CAP_SYSLOG capability from getting the kernel pointer addresses,
replacing them with 0.
CCE-80659-6
#
# Set runtime for kernel.kptr_restrict
#
/sbin/sysctl -q -n -w kernel.kptr_restrict="1"
#
# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.kptr_restrict = 1" to /etc/sysctl.conf
#
# replace_or_append is a helper from the scap-security-guide bash remediation
# function library (not defined in this snippet): it rewrites the line matching
# the pattern to the given value, or appends the setting when no line matches.
replace_or_append '/etc/sysctl.conf' '^kernel.kptr_restrict' "1" 'CCE-80659-6'
- name: Ensure sysctl kernel.kptr_restrict is set to 1
sysctl:
name: kernel.kptr_restrict
value: '1'
state: present
reload: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sysctl_kernel_kptr_restrict
- medium_severity
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- CCE-80659-6
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- NIST-800-53-CM-6(a)
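As an added example that is not part of the guide or the scap-security-guide project, the decision rule spelled out in the XD/NX and kernel-PAE sections above, written as a check: a 64-bit kernel needs nothing, a 32-bit kernel needs kernel-PAE only when the CPU advertises both the pae and nx flags, and kernel-PAE must not be installed where nx is absent. CPU flags are read from a cpuinfo-format file given as an argument so the logic can run against the two constructed samples embedded below; on a live host pass "$(getconf LONG_BIT)" and /proc/cpuinfo. Function names are my own.

```shell
# Added example (not from the guide): does this host need the kernel-PAE package?

# cpu_has_flag CPUINFO FLAG: 0 when every "flags" line lists FLAG as a whole
# word (all cores must agree, otherwise the kernel cannot rely on the feature).
cpu_has_flag() {
    n_lines=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | wc -l)
    n_with=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | grep -cw -- "$2" || true)
    [ "$n_lines" -gt 0 ] && [ "$n_lines" -eq "$n_with" ]
}

# kernel_pae_decision BITS CPUINFO: prints one of
#   not-needed      64-bit kernel, NX support is already built in
#   install         32-bit kernel on a CPU with both pae and nx
#   do-not-install  32-bit kernel on a CPU without nx (may not boot with kernel-PAE)
kernel_pae_decision() {
    if [ "$1" = 64 ]; then
        echo not-needed
    elif cpu_has_flag "$2" pae && cpu_has_flag "$2" nx; then
        echo install
    else
        echo do-not-install
    fi
}

# Constructed cpuinfo excerpts: a two-core NX-capable CPU and a legacy CPU without nx.
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
cat > "$tmpd/cpuinfo-nx" <<'EOF'
processor : 0
model name : Constructed CPU
flags : fpu pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 nx lm
processor : 1
model name : Constructed CPU
flags : fpu pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 nx lm
EOF
cat > "$tmpd/cpuinfo-old" <<'EOF'
processor : 0
model name : Constructed legacy CPU
flags : fpu pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
EOF

# On a live host: kernel_pae_decision "$(getconf LONG_BIT)" /proc/cpuinfo
echo "32-bit kernel, NX CPU:     $(kernel_pae_decision 32 "$tmpd/cpuinfo-nx")"
echo "32-bit kernel, legacy CPU: $(kernel_pae_decision 32 "$tmpd/cpuinfo-old")"
echo "64-bit kernel:             $(kernel_pae_decision 64 "$tmpd/cpuinfo-nx")"
```

The flag check reads what the kernel reports, so on hardware where the BIOS option described below has the feature switched off, nx is typically not listed and the result is do-not-install until the BIOS setting is corrected.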
Enable ExecShield via sysctl
By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is
enabled and can only be disabled if the hardware does not support
ExecShield or is disabled in /etc/default/grub. For Red Hat
Enterprise Linux 7 32-bit systems, sysctl can be used to enable
ExecShield.
1.5.212158APO13.01DSS05.023.1.7CCI-002530164.308(a)(1)(ii)(D)164.308(a)(3)164.308(a)(4)164.310(b)164.310(c)164.312(a)164.312(e)SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.13.1.1A.13.2.1A.14.1.3SC-39CM-6(a)PR.PT-4SRG-OS-000433-GPOS-00192
ExecShield uses the segmentation feature on all x86 systems to prevent
execution in memory higher than a certain address. It writes an address as
a limit in the code segment descriptor, to control where code can be
executed, on a per-process basis. When the kernel places a process's memory
regions such as the stack and heap higher than this address, the hardware
prevents execution in that address range. This is enabled by default on the
latest Red Hat and Fedora systems if supported by the hardware.
CCE-27211-2
if [ "$(getconf LONG_BIT)" = "32" ] ; then
#
# Set runtime for kernel.exec-shield
#
sysctl -q -n -w kernel.exec-shield=1
#
# If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^kernel.exec-shield' '1' 'CCE-27211-2'
fi
if [ "$(getconf LONG_BIT)" = "64" ] ; then
if grep --silent noexec /boot/grub2/grub*.cfg ; then
sed -i "s/noexec.*//g" /etc/default/grub
sed -i "s/noexec.*//g" /etc/grub.d/*
# Regenerate every GRUB 2 configuration file. The glob has to be expanded by
# the loop; quoting a variable that holds it would hand grub2-mkconfig the
# literal pattern "/boot/grub2/*.cfg" as its output path.
for GRUBCFG in /boot/grub2/*.cfg ; do
grub2-mkconfig -o "$GRUBCFG"
done
fi
fi
Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
NT28(R23)1.5.13.1.7CCI-000366164.308(a)(1)(ii)(D)164.308(a)(3)164.308(a)(4)164.310(b)164.310(c)164.312(a)164.312(e)SC-30SC-30(2)CM-6(a)SRG-OS-000480-GPOS-00227RHEL-07-040201SV-92521r2_rule
Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques.
CCE-27127-0
#
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space="2"
#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' "2" 'CCE-27127-0'
- name: Ensure sysctl kernel.randomize_va_space is set to 2
sysctl:
name: kernel.randomize_va_space
value: '2'
state: present
reload: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sysctl_kernel_randomize_va_space
- medium_severity
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- CCE-27127-0
- DISA-STIG-RHEL-07-040201
- NIST-800-171-3.1.7
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-CM-6(a)
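An added example, not code from the guide or the scap-security-guide project, covering the two sysctl settings above (kernel.kptr_restrict = 1 and kernel.randomize_va_space = 2) as they are persisted under /etc/sysctl.d. sysctl --system reads the drop-in files in sorted name order with /etc/sysctl.conf last, and the last assignment of a key wins, so a check has to look across all files in that order rather than at one file. The files are passed as arguments in read order; the two samples below are constructed, and the function names are my own.

```shell
# Added example (not from the guide): resolve persisted sysctl values the way
# sysctl --system does (last assignment across the given files wins) and
# compare the hardening keys above against their expected values.

# sysctl_conf_value KEY FILE...: last uncommented value assigned to KEY across
# FILE... in the given order; empty when no file sets it.
sysctl_conf_value() {
    key=$1; shift
    [ $# -gt 0 ] || return 1
    # Escape dots so "kernel.kptr_restrict" is matched literally.
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    cat "$@" 2>/dev/null \
        | sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        | tail -n 1
}

# check_sysctl_hardening FILE...: one PASS/FAIL line per key, 0 only if all pass.
check_sysctl_hardening() {
    rc=0
    for want in kernel.kptr_restrict=1 kernel.randomize_va_space=2; do
        key=${want%%=*}; exp=${want#*=}
        got=$(sysctl_conf_value "$key" "$@")
        if [ "$got" = "$exp" ]; then
            echo "PASS: $key = $got"
        else
            echo "FAIL: $key = '${got:-unset}' (expected $exp)"; rc=1
        fi
    done
    return $rc
}

# Constructed stand-ins for /etc/sysctl.d/*.conf; the later name overrides the earlier.
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
cat > "$tmpd/50-default.conf" <<'EOF'
kernel.kptr_restrict = 0
kernel.randomize_va_space = 2
EOF
cat > "$tmpd/99-hardening.conf" <<'EOF'
# read after 50-default.conf, so this value is the effective one
kernel.kptr_restrict=1   # hide kernel addresses from unprivileged readers
EOF

# On a live host: check_sysctl_hardening /etc/sysctl.d/*.conf /etc/sysctl.conf
check_sysctl_hardening "$tmpd/50-default.conf" "$tmpd/99-hardening.conf"
```

The persisted value is only half the picture: the remediation above also applies the runtime value with sysctl -w, and a later drop-in that re-sets kptr_restrict to 0 (the 50-default.conf/99-hardening.conf pair run in the opposite order) is exactly the case this check is meant to surface.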
System Accounting with auditd
The audit service provides substantial capabilities
for recording system activities. By default, the service audits
SELinux AVC denials and certain types of security-relevant events
such as system logins, account modifications, and authentication
events performed by programs such as sudo.
Under its default configuration, auditd has modest disk space
requirements, and should not noticeably impact system performance.
NOTE: The Linux Audit daemon auditd can be configured to use
the augenrules program to read audit rules files (*.rules)
located in the /etc/audit/rules.d directory and compile them to create
the resulting form of the /etc/audit/audit.rules configuration file
during the daemon startup (default configuration). Alternatively, the auditd
daemon can use the auditctl utility to read audit rules from the
/etc/audit/audit.rules configuration file during daemon startup,
and load them into the kernel. The expected behavior is configured via the
appropriate ExecStartPost directive setting in the
/usr/lib/systemd/system/auditd.service configuration file.
To instruct the auditd daemon to use the augenrules program
to read audit rules (default configuration), use the following setting:
ExecStartPost=-/sbin/augenrules --load
in the /usr/lib/systemd/system/auditd.service configuration file.
In order to instruct the auditd daemon to use the auditctl
utility to read audit rules, use the following setting:
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
in the /usr/lib/systemd/system/auditd.service configuration file.
Refer to [Service] section of the /usr/lib/systemd/system/auditd.service
configuration file for further details.
Government networks often have substantial auditing
requirements and auditd can be configured to meet these
requirements.
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.
The following example from Fedora Documentation, available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages
shows the substantial amount of information captured in
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
denial (and the associated system call) that occurred when the Apache HTTP
Server attempted to access the /var/www/html/file1 file (labeled with
the samba_share_t type):
type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
msg=audit(1226874073.147:96)
The number in parentheses is the unformatted time stamp (Epoch time)
for the event, which can be converted to standard time by using the
date command.
{ getattr }
The item in braces indicates the permission that was denied. getattr
indicates the source process was trying to read the target file's status information.
This occurs before reading files. This action is denied due to the file being
accessed having the wrong label. Commonly seen permissions include getattr,
read, and write.
comm="httpd"
The executable that launched the process. The full path of the executable is
found in the exe= section of the system call (SYSCALL) message,
which in this case, is exe="/usr/sbin/httpd".
path="/var/www/html/file1"
The path to the object (target) the process attempted to access.
scontext="unconfined_u:system_r:httpd_t:s0"
The SELinux context of the process that attempted the denied action. In
this case, it is the SELinux context of the Apache HTTP Server, which is running
in the httpd_t domain.
tcontext="unconfined_u:object_r:samba_share_t:s0"
The SELinux context of the object (target) the process attempted to access.
In this case, it is the SELinux context of file1. Note: the samba_share_t
type is not accessible to processes running in the httpd_t domain.
From the system call (SYSCALL) message, two items are of interest:
success=no: indicates whether the denial (AVC) was enforced or not.
success=no indicates the system call was not successful (SELinux denied
access). success=yes indicates the system call was successful - this can
be seen for permissive domains or unconfined domains, such as initrc_t
and kernel_t.
exe="/usr/sbin/httpd": the full path to the executable that launched
the process, which in this case, is exe="/usr/sbin/httpd".
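The field breakdown above, turned into an added example that is not part of the guide: small shell functions that pull the discussed fields out of raw audit records and join the AVC and SYSCALL lines of one event by the serial number they share in msg=audit(EPOCH.MS:SERIAL). The two records are embedded as constructed copies of the ones quoted above so the block runs offline; on a live host the same functions can be fed lines from /var/log/audit/audit.log. Function names are my own, and the time conversion assumes a date(1) that accepts -d @EPOCH (GNU coreutils or busybox).

```shell
# Added example (not from the guide): parse and join raw audit records.

# Constructed copies of the two records discussed above.
AVC_LINE='type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file'
SYSCALL_LINE='type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'

# audit_field LINE KEY: the value of KEY=..., quotes removed (quoted values may
# contain spaces, so the quoted form is tried first).
audit_field() {
    v=$(printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p")
    [ -n "$v" ] || v=$(printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p")
    printf '%s\n' "$v"
}

# audit_serial LINE: the event serial from msg=audit(EPOCH:SERIAL); all records
# of one event carry the same serial.
audit_serial() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p'
}

# audit_time_utc LINE: the Epoch timestamp rendered with date(1) in UTC.
audit_time_utc() {
    epoch=$(printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p')
    date -u -d "@$epoch" '+%Y-%m-%dT%H:%M:%SZ'
}

# audit_denied_perm LINE: the permission(s) inside "denied { ... }" of an AVC record.
audit_denied_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# selinux_type CONTEXT: the type (third component) of an SELinux context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit_summary AVC SYSCALL: one line for the joined event; fails when the two
# records carry different serials, i.e. belong to different events.
audit_summary() {
    [ "$(audit_serial "$1")" = "$(audit_serial "$2")" ] || return 1
    enforced=enforced
    [ "$(audit_field "$2" success)" = "no" ] || enforced=permissive
    printf '%s serial=%s %s denied %s on %s for %s (%s -> %s), %s\n' \
        "$(audit_time_utc "$1")" "$(audit_serial "$1")" "$(audit_field "$2" exe)" \
        "$(audit_denied_perm "$1")" "$(audit_field "$1" path)" "$(audit_field "$1" comm)" \
        "$(selinux_type "$(audit_field "$1" scontext)")" \
        "$(selinux_type "$(audit_field "$1" tcontext)")" "$enforced"
}

audit_summary "$AVC_LINE" "$SYSCALL_LINE"
```

The summary line carries the pieces an analyst triages on: when, which binary, which permission on which object, the source and target types, and whether the denial was enforced (success=no) or merely logged for a permissive domain.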
Ensure the audit Subsystem is Installed
The audit package should be installed.
NT28(R50)AC-7(a)AU-7(1)AU-7(2)AU-14AU-12(2)AU-2(a)CM-6(a)SRG-OS-000480-GPOS-00227SRG-OS-000122-GPOS-00063
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
CCE-81042-4
if ! rpm -q --quiet "audit" ; then
yum install -y "audit"
fi
- name: Ensure audit is installed
package:
name: audit
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- package_audit_installed
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-81042-4
- NIST-800-53-AC-7(a)
- NIST-800-53-AU-7(1)
- NIST-800-53-AU-7(2)
- NIST-800-53-AU-14
- NIST-800-53-AU-12(2)
- NIST-800-53-AU-2(a)
- NIST-800-53-CM-6(a)
include install_audit
class install_audit {
package { 'audit':
ensure => 'installed',
}
}
package --add=audit
Install audispd-plugins Package
The audispd-plugins package can be installed with the following command:
$ sudo yum install audispd-plugins
SRG-OS-000342-GPOS-00133
audispd-plugins provides plugins for the real-time interface to the
audit subsystem, audispd. These plugins can do things like relay events
to remote machines or analyze events for suspicious behavior.
CCE-82954-9
if ! rpm -q --quiet "audispd-plugins" ; then
yum install -y "audispd-plugins"
fi
- name: Ensure audispd-plugins is installed
package:
name: audispd-plugins
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- package_audispd-plugins_installed
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82954-9
include install_audispd-plugins
class install_audispd-plugins {
package { 'audispd-plugins':
ensure => 'installed',
}
}
package --add=audispd-plugins
Enable auditd Service
The auditd service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
4.1.2111121314151619234567895.4.1.1APO10.01APO10.03APO10.04APO10.05APO11.04APO12.06APO13.01BAI03.05BAI08.02DSS01.03DSS01.04DSS02.02DSS02.04DSS02.07DSS03.01DSS03.05DSS05.02DSS05.03DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.3.13.3.23.3.6CCI-000126CCI-000130CCI-000131CCI-000132CCI-000133CCI-000134164.308(a)(1)(ii)(D)164.308(a)(5)(ii)(C)164.310(a)(2)(iv)164.310(d)(2)(iii)164.312(b)4.2.3.104.3.2.6.74.3.3.3.94.3.3.5.84.3.3.6.64.3.4.4.74.3.4.5.64.3.4.5.74.3.4.5.84.4.2.14.4.2.24.4.2.4SR 1.13SR 2.10SR 2.11SR 2.12SR 2.6SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 6.1SR 6.2SR 7.1SR 7.6A.11.2.6A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3A.14.2.7A.15.2.1A.15.2.2A.16.1.4A.16.1.5A.16.1.7A.6.2.1A.6.2.2AC-2(g)AU-3AU-10AU-2(d)AU-12(c)AU-14(1)AC-6(9)CM-6(a)DE.AE-3DE.AE-5DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.AC-3PR.PT-1PR.PT-4RS.AN-1RS.AN-4Req-10.1SRG-OS-000037-GPOS-00015SRG-OS-000038-GPOS-00016SRG-OS-000039-GPOS-00017SRG-OS-000040-GPOS-00018SRG-OS-000042-GPOS-00021SRG-OS-000255-GPOS-00096RHEL-07-030000SV-86703r3_ruleSRG-OS-000037-VMM-000150SRG-OS-000063-VMM-000310SRG-OS-000038-VMM-000160SRG-OS-000039-VMM-000170SRG-OS-000040-VMM-000180SRG-OS-000041-VMM-000190
Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records
generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions.
CCE-27407-6
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'auditd.service'
"$SYSTEMCTL_EXEC" enable 'auditd.service'
- name: Enable service auditd
block:
- name: Gather the package facts
package_facts:
manager: auto
- name: Enable service auditd
service:
name: auditd
enabled: 'yes'
state: started
when:
- '"audit" in ansible_facts.packages'
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- service_auditd_enabled
- high_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27407-6
- PCI-DSS-Req-10.1
- DISA-STIG-RHEL-07-030000
- NIST-800-171-3.3.1
- NIST-800-171-3.3.2
- NIST-800-171-3.3.6
- NIST-800-53-AC-2(g)
- NIST-800-53-AU-3
- NIST-800-53-AU-10
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-14(1)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
include enable_auditd
class enable_auditd {
service {'auditd':
enable => true,
ensure => 'running',
}
}
Extend Audit Backlog Limit for the Audit Daemon
To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
CM-6(a)SRG-OS-000254-GPOS-00095
audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during the boot process, the action
defined by the audit failure flag is taken.
CCE-82156-1
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an audit_backlog_limit= arg already exists
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=8192 \2/' '/etc/default/grub'
else
# no audit_backlog_limit=arg is present, append it
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=8192"/' '/etc/default/grub'
fi
# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
- name: check audit_backlog_limit argument exists
command: grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=' /etc/default/grub
failed_when: false
register: argcheck
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- grub2_audit_backlog_limit_argument
- medium_severity
- restrict_strategy
- medium_complexity
- low_disruption
- reboot_required
- CCE-82156-1
- NIST-800-53-CM-6(a)
- name: replace existing audit_backlog_limit argument
replace:
path: /etc/default/grub
regexp: 'audit_backlog_limit=[^\s"]*'   # match the whole existing value, not only its first character
replace: audit_backlog_limit=8192
when:
- argcheck.rc == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- grub2_audit_backlog_limit_argument
- medium_severity
- restrict_strategy
- medium_complexity
- low_disruption
- reboot_required
- CCE-82156-1
- NIST-800-53-CM-6(a)
- name: add audit_backlog_limit argument
replace:
path: /etc/default/grub
regexp: (GRUB_CMDLINE_LINUX=.*)"
replace: \1 audit_backlog_limit=8192"
when:
- argcheck.rc != 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- grub2_audit_backlog_limit_argument
- medium_severity
- restrict_strategy
- medium_complexity
- low_disruption
- reboot_required
- CCE-82156-1
- NIST-800-53-CM-6(a)
- name: update bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- grub2_audit_backlog_limit_argument
- medium_severity
- restrict_strategy
- medium_complexity
- low_disruption
- reboot_required
- CCE-82156-1
- NIST-800-53-CM-6(a)
Enable Auditing for Processes Which Start Prior to the Audit Daemon
To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, so that the line looks similar to
GRUB_CMDLINE_LINUX="... audit=1 ..."
If GRUB_DISABLE_RECOVERY is set to true, the parameter should be added to GRUB_CMDLINE_LINUX_DEFAULT instead.
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
4.1.31111213141516193456785.4.1.1APO10.01APO10.03APO10.04APO10.05APO11.04APO12.06APO13.01BAI03.05BAI08.02DSS01.04DSS02.02DSS02.04DSS02.07DSS03.01DSS05.02DSS05.03DSS05.04DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.3.1CCI-001464CCI-000130164.308(a)(1)(ii)(D)164.308(a)(5)(ii)(C)164.310(a)(2)(iv)164.310(d)(2)(iii)164.312(b)4.2.3.104.3.2.6.74.3.3.3.94.3.3.5.84.3.3.6.64.3.4.4.74.3.4.5.64.3.4.5.74.3.4.5.84.4.2.14.4.2.24.4.2.4SR 1.13SR 2.10SR 2.11SR 2.12SR 2.6SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 6.1SR 7.1SR 7.6A.11.2.6A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3A.15.2.1A.15.2.2A.16.1.4A.16.1.5A.16.1.7A.6.2.1A.6.2.2AC-17(1)AU-14(1)AU-10CM-6(a)IR-5(1)DE.AE-3DE.AE-5ID.SC-4PR.AC-3PR.PT-1PR.PT-4RS.AN-1RS.AN-4Req-10.3SRG-OS-000254-GPOS-00095SRG-OS-000254-VMM-000880
Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.
CCE-27212-0
# Correct the form of default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an audit= arg already exists
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub'
else
# no audit=arg is present, append it
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/' '/etc/default/grub'
fi
# Correct the form of kernel command line for each installed kernel in the bootloader
grubby --update-kernel=ALL --args="audit=1"
- name: check audit argument exists
command: grep 'GRUB_CMDLINE_LINUX.*audit=' /etc/default/grub
failed_when: false
register: argcheck
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- grub2_audit_argument
- medium_severity
- restrict_strategy
- medium_complexity
- low_disruption
- reboot_required
- CCE-27212-0
- PCI-DSS-Req-10.3
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-10
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- CJIS-5.4.1.1
- name: replace existing audit argument
replace:
path: /etc/default/grub
regexp: audit=.
replace: audit=1
when:
- argcheck.rc == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- grub2_audit_argument
- medium_severity
- restrict_strategy
- medium_complexity
- low_disruption
- reboot_required
- CCE-27212-0
- PCI-DSS-Req-10.3
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-10
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- CJIS-5.4.1.1
- name: add audit argument
replace:
path: /etc/default/grub
regexp: (GRUB_CMDLINE_LINUX=.*)"
replace: \1 audit=1"
when:
- argcheck.rc != 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- grub2_audit_argument
- medium_severity
- restrict_strategy
- medium_complexity
- low_disruption
- reboot_required
- CCE-27212-0
- PCI-DSS-Req-10.3
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-10
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- CJIS-5.4.1.1
- name: update bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="audit=1"
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- grub2_audit_argument
- medium_severity
- restrict_strategy
- medium_complexity
- low_disruption
- reboot_required
- CCE-27212-0
- PCI-DSS-Req-10.3
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-10
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- CJIS-5.4.1.1
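An added example, not code from the guide or the scap-security-guide project, serving both the audit_backlog_limit and the audit=1 sections above: one function that idempotently sets KEY=VALUE inside the quoted GRUB_CMDLINE_LINUX string of a grub defaults file. It handles the two cases the remediations above distinguish (the argument is already present with another value, or it is absent), replaces a value of any length, and follows the rule the guide states for GRUB_DISABLE_RECOVERY=true by targeting GRUB_CMDLINE_LINUX_DEFAULT in that case. Only the given file is edited; regenerating grub.cfg with grubby or grub2-mkconfig is left to the commands shown above. The sample file is constructed and the function names are my own.

```shell
# Added example (not from the guide): idempotent kernel-argument editing in
# /etc/default/grub style files.

# grub_cmdline_var FILE: the variable the guide says the argument belongs in.
grub_cmdline_var() {
    if grep -Eq '^[[:space:]]*GRUB_DISABLE_RECOVERY="?true"?' "$1"; then
        echo GRUB_CMDLINE_LINUX_DEFAULT
    else
        echo GRUB_CMDLINE_LINUX
    fi
}

# grub_cmdline_value FILE VAR: the text between the quotes of VAR="...".
grub_cmdline_value() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# grub_has_arg FILE VAR KEY=VALUE: 0 when VAR already contains exactly KEY=VALUE.
grub_has_arg() {
    for a in $(grub_cmdline_value "$1" "$2"); do
        [ "$a" = "$3" ] && return 0
    done
    return 1
}

# grub_set_arg FILE VAR KEY=VALUE: replace an existing KEY=... (whatever its
# length) or append KEY=VALUE; create the VAR line if the file lacks it.
grub_set_arg() {
    gfile=$1; gvar=$2; garg=$3; gkey=${garg%%=*}
    if ! grep -q "^$gvar=\"" "$gfile"; then
        printf '%s="%s"\n' "$gvar" "$garg" >> "$gfile"
        return 0
    fi
    new=""; found=0
    for a in $(grub_cmdline_value "$gfile" "$gvar"); do
        case $a in
            "$gkey="*) a=$garg; found=1 ;;   # audit=0 -> audit=1, but not audit_backlog_limit=
        esac
        new="$new${new:+ }$a"
    done
    [ $found -eq 1 ] || new="$new${new:+ }$garg"
    # Escape &, / and \ so the rebuilt string is safe in the sed replacement.
    esc=$(printf '%s' "$new" | sed 's/[&/\\]/\\&/g')
    sed -i "s/^$gvar=\".*\"[[:space:]]*\$/$gvar=\"$esc\"/" "$gfile"
}

# Constructed sample of /etc/default/grub with both arguments set to weak values.
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
cat > "$tmpd/grub" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DISABLE_RECOVERY="false"
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet audit=0 audit_backlog_limit=4096"
EOF
target=$(grub_cmdline_var "$tmpd/grub")
grub_set_arg "$tmpd/grub" "$target" audit=1
grub_set_arg "$tmpd/grub" "$target" audit_backlog_limit=8192
grub_set_arg "$tmpd/grub" "$target" audit_backlog_limit=8192   # second run changes nothing
cat "$tmpd/grub"
```

Splitting the value into words and matching on the key avoids two traps in single-regex edits: a prefix match (audit= must not touch audit_backlog_limit=) and a partial replacement that leaves the tail of the old value behind (audit_backlog_limit=4096 must become 8192, not 8192096).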
Configure auditd Data Retention
The audit system writes data to /var/log/audit/audit.log. By default,
auditd rotates 5 logs by size (6MB), retaining a maximum of 30MB of
data in total, and refuses to write entries when the disk is too
full. This minimizes the risk of audit data filling its partition
and impacting other services. This also minimizes the risk of the audit
daemon temporarily disabling the system if it cannot write audit log (which
it can be configured to do).
For a busy system or a system which is thoroughly auditing system activity,
the default settings for data retention may be insufficient. The log file
size needed will depend heavily on what types of events are being audited.
First configure auditing to log all the events of interest. Then monitor the
log size manually for a while to determine what file size will allow you to
keep the required data for the correct time period.
Using a dedicated partition for /var/log/audit prevents the
auditd logs from disrupting system functionality if they fill, and,
more importantly, prevents other activity in /var from filling the
partition and stopping the audit trail. (The audit logs are size-limited and
therefore unlikely to grow without bound unless configured to do so.) Some
machines may have requirements that no actions occur which cannot be audited.
If this is the case, then auditd can be configured to halt the machine
if it runs out of space. Note: Since older logs are rotated,
configuring auditd this way does not prevent older logs from being
rotated away before they can be viewed.
If your system is configured to halt when logging cannot be performed, make
sure this can never happen under normal circumstances! Ensure that
/var/log/audit is on its own partition, and that this partition is
larger than the maximum amount of data auditd will retain
normally.
Account for auditd to send email when actions occurs
The setting for action_mail_acct in /etc/audit/auditd.conf. Values: admin, root, root
Action for auditd to take when disk errors
The setting for disk_error_action in /etc/audit/auditd.conf. Values: syslog, single, halt, exec, single, email
Action for auditd to take when log files reach their maximum size
The setting for max_log_file_action in /etc/audit/auditd.conf. Values: rotate, syslog, keep_logs, rotate, suspend
Size remaining in disk space before prompting space_left_action
The setting for space_left (MB) in /etc/audit/auditd.conf 7501000100100500250
Action for audispd to take when disk is full
The setting for disk_full_action in /etc/audisp/audisp-remote.conf. Values: syslog, single, suspend, halt, exec, single, email
Action for auditd to take when disk space just starts to run low
The setting for space_left_action in /etc/audit/auditd.conf. Values: suspend, halt, exec, email, syslog, single, rotate, email
Remote server for audispd to send audit records
The setting for remote_server in /etc/audisp/audisp-remote.conf. Values: logcollector
Action for auditd to take when disk is full
The setting for disk_full_action in /etc/audit/auditd.conf. Values: syslog, single, halt, exec, single, email
Maximum audit log file size for auditd
The setting for max_log_size in /etc/audit/auditd.conf 12056610
Action for auditd to take when disk space is low
The setting for admin_space_left_action in /etc/audit/auditd.conf. Values: suspend, halt, exec, single, syslog, single, rotate, email
Number of log files for auditd to retain
The setting for num_logs in /etc/audit/auditd.conf 1234505
Auditd priority for flushing data to disk
The setting for flush in /etc/audit/auditd.conf. Values: none, incremental, incremental_async, data, data, sync
Action for audispd to take when network fails
The setting for network_failure_action in /etc/audisp/audisp-remote.conf. Values: syslog, single, suspend, halt, exec, single, email
Configure auditd flush priority
The auditd service can be configured to
synchronously write audit event data to disk. Add or correct the following
line in /etc/audit/auditd.conf to ensure that audit event data is
fully synchronized with the log files on the disk:
flush = 
112131415162356789APO10.01APO10.03APO10.04APO10.05APO11.04BAI03.05DSS01.03DSS03.05DSS05.02DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.3.1CCI-001576164.308(a)(1)(ii)(D)164.308(a)(3)(ii)(A)164.308(a)(5)(ii)(C)164.312(a)(2)(i)164.312(b)164.312(d)164.312(e)4.3.2.6.74.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 6.1SR 6.2A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.14.2.7A.15.2.1A.15.2.2AU-11CM-6(a)DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.PT-1SRG-OS-000480-GPOS-00227
Audit data should be synchronously written to disk to ensure
log integrity. These parameters assure that all audit event data is fully
synchronized with the log files on the disk.
CCE-27331-8
# Populated from the var_auditd_flush XCCDF value when the remediation is
# generated (one of the flush settings listed above); empty in this rendering.
var_auditd_flush=""
AUDITCONFIG=/etc/audit/auditd.conf
# if flush is present, the flush param is edited to var_auditd_flush,
# else the flush param is appended with var_auditd_flush
#
# the freq param is only meaningful for the incremental and
# incremental_async flush modes and is commented out otherwise
#
# if flush is incremental or incremental_async and freq is not
# defined, it is defined with the package-default value of 20
grep -q ^flush $AUDITCONFIG && \
sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
echo "flush = $var_auditd_flush" >> $AUDITCONFIG
fi
case "$var_auditd_flush" in
incremental|incremental_async)
# re-enable a commented-out freq line, or add one if none exists
grep -q '^#*freq' $AUDITCONFIG && \
sed -i 's/^#\+freq/freq/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
echo "freq = 20" >> $AUDITCONFIG
fi
;;
*)
sed -i 's/^freq/##freq/g' $AUDITCONFIG
;;
esac
- name: XCCDF Value var_auditd_flush # promote to variable
set_fact:
var_auditd_flush: !!str
tags:
- always
- name: Configure auditd Flush Priority
lineinfile:
dest: /etc/audit/auditd.conf
regexp: ^\s*flush\s*=\s*.*$
line: flush = {{ var_auditd_flush }}
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_retention_flush
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27331-8
- NIST-800-171-3.3.1
- NIST-800-53-AU-11
- NIST-800-53-CM-6(a)
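The shell remediations on this page call replace_or_append, a helper from the scap-security-guide build that is not shown here, and the flush script above re-implements the same idea by hand. The following added example (not code from the guide or from the audit project) shows a portable equivalent: conf_get reports the effective value of a key and conf_set leaves exactly one active assignment behind, for /etc/audit/auditd.conf or /etc/audisp/audisp-remote.conf, which share the key = value syntax. The function names and the sample configuration it edits are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the scap-security-guide sources): idempotent
# "key = value" editing for auditd-style configuration files. Works for
# /etc/audit/auditd.conf and /etc/audisp/audisp-remote.conf alike.

# conf_get FILE KEY
# Print the effective value of KEY: the key match is case-insensitive,
# surrounding whitespace is trimmed, comment lines are skipped and, when a
# key is assigned more than once, the last assignment wins (output is empty
# when the key is not set).
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(name) == tolower(k)) found = val
        }
        END { print found }' "$1"
}

# conf_set FILE KEY VALUE
# Remove every active or commented-out assignment of KEY, then append
# "KEY = VALUE", so the file ends up with exactly one assignment. The file
# is rewritten in place with cat so that its owner and mode (0640 root:root
# for auditd.conf) survive; moving a temp file over it would not keep them.
conf_set() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" '
        {
            line = $0
            sub(/^[ \t]*#*[ \t]*/, "", line)        # look through leading hashes
            if (index(line, "=")) {
                name = substr(line, 1, index(line, "=") - 1)
                gsub(/[ \t]/, "", name)
                if (tolower(name) == tolower(k)) next  # drop the old assignment
            }
            print
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample (demo input, not a real system): a mixed-case key, a
# commented-out freq line and a stale duplicate flush line.
make_sample_auditd_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
Flush = INCREMENTAL
##freq = 20
flush = none
max_log_file = 6
EOF
    printf '%s\n' "$f"
}

demo() {
    f=$(make_sample_auditd_conf)
    before=$(conf_get "$f" flush)            # none: the later assignment wins
    conf_set "$f" flush incremental_async
    conf_set "$f" freq 50
    after=$(conf_get "$f" flush)
    count=$(grep -ci '^[[:space:]]*flush[[:space:]]*=' "$f")
    printf 'flush: %s -> %s (%s active flush line)\n' "$before" "$after" "$count"
    rm -f "$f"
}
demo
```

Run it as root against the real file only after taking a backup, and follow it with service auditd restart (or reload), since auditd reads auditd.conf when it starts.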
Encrypt Audit Records Sent With audispd Plugin
Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf,
and set it with the following line:
enable_krb5 = yes
Setting enable_krb5 alone does not produce an encrypted channel: the krb5_principal and krb5_key_file options in the same file must point to a valid principal and keytab, and the receiving auditd has to be configured to accept Kerberos-authenticated connections as well.
References: CCI-001851; NIST 800-53 AU-9(3), CM-6(a); Common Criteria FAU_GEN.1.1.c; SRG-OS-000342-GPOS-00133; DISA STIG RHEL-07-030310 (SV-86709r2_rule)
Rationale: Information stored in one location is vulnerable to accidental or incidental deletion
or alteration. Off-loading is a common process in information systems with limited
audit storage capacity.
CCE-80540-8
AUDISP_REMOTE_CONFIG="/etc/audisp/audisp-remote.conf"
option="^enable_krb5"
value="yes"
replace_or_append $AUDISP_REMOTE_CONFIG "$option" "$value" "CCE-80540-8"
- name: Configure Kerberos 5 Encryption in Audit Event Multiplexor (audispd)
lineinfile:
dest: /etc/audisp/audisp-remote.conf
line: enable_krb5 = yes
regexp: ^\s*enable_krb5\s*=\s*.*$
state: present
mode: '0640'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_audispd_encrypt_sent_records
- medium_severity
- configure_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80540-8
- DISA-STIG-RHEL-07-030310
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
Write Audit Logs to the Disk
To configure Audit daemon to write Audit logs to the disk, set
write_logs to yes in /etc/audit/auditd.conf.
This is the default setting.
References: Common Criteria FAU_GEN.1.1.c; SRG-OS-000480-GPOS-00227
Rationale: If write_logs isn't set to yes, the Audit logs will
not be written to the disk.
CCE-82356-7
if [ -e "/etc/audit/auditd.conf" ] ; then
LC_ALL=C sed -i "/^\s*write_logs\s*=\s*/Id" "/etc/audit/auditd.conf"
else
touch "/etc/audit/auditd.conf"
fi
cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
# Insert at the end of the file
printf '%s\n' "write_logs = yes" >> "/etc/audit/auditd.conf"
# Clean up after ourselves.
rm "/etc/audit/auditd.conf.bak"
- name: Write Audit Logs to the Disk
block:
- name: Deduplicate values from /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: false
regexp: (?i)^\s*write_logs\s*=\s*
state: absent
- name: Insert correct line to /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: true
line: write_logs = yes
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_write_logs
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82356-7
Configure audispd Plugin To Send Logs To Remote Server
Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
Set the remote_server option in /etc/audisp/audisp-remote.conf
with an IP address or hostname of the system that the audispd plugin should
send audit records to. For example
remote_server = logcollector
substituting the hostname or IP address of your own log collector. The setting only takes effect once the au-remote plugin itself is enabled (active = yes in /etc/audisp/plugins.d/au-remote.conf).
References: CCI-001851; Common Criteria FAU_GEN.1.1.c; SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224; DISA STIG RHEL-07-030300 (SV-86707r2_rule); SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280, SRG-OS-000479-VMM-001990
Rationale: Information stored in one location is vulnerable to accidental or incidental
deletion or alteration. Off-loading is a common process in information systems
with limited audit storage capacity.
CCE-80541-6
var_audispd_remote_server=""
AUDITCONFIG=/etc/audisp/audisp-remote.conf
replace_or_append $AUDITCONFIG '^remote_server' "$var_audispd_remote_server" "CCE-80541-6"
Set hostname as computer node name in audit logs
To configure Audit daemon to use value returned by gethostname
syscall as computer node name in the audit events,
set name_format to hostname
in /etc/audit/auditd.conf.
References: Common Criteria FAU_GEN.1; SRG-OS-000039-GPOS-00017
Rationale: If option name_format is left at its default value of
none, audit events from different computers may be hard
to distinguish.
CCE-82359-1
if [ -e "/etc/audit/auditd.conf" ] ; then
LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf"
else
touch "/etc/audit/auditd.conf"
fi
cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
# Insert at the end of the file
printf '%s\n' "name_format = hostname" >> "/etc/audit/auditd.conf"
# Clean up after ourselves.
rm "/etc/audit/auditd.conf.bak"
- name: Set hostname as computer node name in audit logs
block:
- name: Deduplicate values from /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: false
regexp: (?i)^\s*name_format\s*=\s*
state: absent
- name: Insert correct line to /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: true
line: name_format = hostname
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_name_format
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82359-1
Configure audispd's Plugin network_failure_action On Network Failure
Configure the action the operating system takes if there is an error sending
audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
References: CCI-001851; NIST 800-53 AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a); SRG-OS-000342-GPOS-00133; DISA STIG RHEL-07-030321 (SV-87815r3_rule)
Rationale: Taking appropriate action when there is an error sending audit records to a
remote system will minimize the possibility of losing audit records.
CCE-80538-2

Configure auditd Disk Full Action when Disk Space Is Full
The auditd service can be configured to take an action when the partition
holding the audit logs has no space left. This is distinct from the
space_left and admin_space_left thresholds, which fire before space runs out.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.
References: CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8; COBIT 5 APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2; ISO 27001 A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1; NIST 800-53 AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
Rationale: Taking appropriate action in case of a filled audit storage volume will minimize
the possibility of losing audit records.
var_auditd_disk_full_action=""
replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" ""
- name: XCCDF Value var_auditd_disk_full_action # promote to variable
set_fact:
var_auditd_disk_full_action: !!str
tags:
- always
- name: Configure auditd Disk Full Action when Disk Space Is Full
lineinfile:
dest: /etc/audit/auditd.conf
line: disk_full_action = {{ var_auditd_disk_full_action }}
regexp: ^\s*disk_full_action\s*=\s*.*$
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_disk_full_action
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- NIST-800-53-AU-5(b)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(4)
- NIST-800-53-CM-6(a)
Configure auditd Max Log File Size
Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf. Add or modify the following line, substituting
the correct value for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data.
References: CIS Benchmark 5.2.1.1; CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1; ISO 27001 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AU-11, CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4; PCI DSS Req-10.7
Rationale: The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained.
CCE-27319-3
var_auditd_max_log_file=""
AUDITCONFIG=/etc/audit/auditd.conf
replace_or_append $AUDITCONFIG '^max_log_file' "$var_auditd_max_log_file" "CCE-27319-3"
- name: XCCDF Value var_auditd_max_log_file # promote to variable
set_fact:
var_auditd_max_log_file: !!str
tags:
- always
- name: Configure auditd Max Log File Size
lineinfile:
dest: /etc/audit/auditd.conf
regexp: ^\s*max_log_file\s*=\s*.*$
line: max_log_file = {{ var_auditd_max_log_file }}
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_retention_max_log_file
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27319-3
- PCI-DSS-Req-10.7
- NIST-800-53-AU-11
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Configure auditd space_left on Low Disk Space
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MB
Set this value to the appropriate size in megabytes. When free space on the
audit partition drops below it, auditd takes the configured space_left_action,
which is how administrators are notified of the problem.
References: CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8; COBIT 5 APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; CCI-001855; ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2; ISO 27001 A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1; NIST 800-53 AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4; PCI DSS Req-10.7; SRG-OS-000343-GPOS-00134; DISA STIG RHEL-07-030330 (SV-86713r4_rule); SRG-OS-000343-VMM-001240
Rationale: Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption.
CCE-80537-4
var_auditd_space_left=""
grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \
echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
- name: XCCDF Value var_auditd_space_left # promote to variable
set_fact:
var_auditd_space_left: !!str
tags:
- always
- name: Configure auditd space_left on Low Disk Space
lineinfile:
dest: /etc/audit/auditd.conf
line: space_left = {{ var_auditd_space_left }}
regexp: ^\s*space_left\s*=\s*.*$
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_retention_space_left
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80537-4
- PCI-DSS-Req-10.7
- DISA-STIG-RHEL-07-030330
- NIST-800-53-AU-5(b)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(4)
- NIST-800-53-CM-6(a)
Configure auditd mail_acct Action on Low Disk Space
The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = root
where the account is the profile's selection for var_auditd_action_mail_acct. The address is only used when an action such as space_left_action or admin_space_left_action is set to email, and delivery requires a working local mail transfer agent.
References: CIS Benchmark 5.2.1.2; CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; NIST 800-171 3.3.1; CCI-000139, CCI-001855; HIPAA 164.312(a)(2)(ii); ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2; ISO 27001 A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1; NIST 800-53 IA-5(1), AU-5(a), AU-5(2), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4; PCI DSS Req-10.7.a; SRG-OS-000343-GPOS-00134; DISA STIG RHEL-07-030350 (SV-86717r3_rule); SRG-OS-000046-VMM-000210, SRG-OS-000343-VMM-001240
Rationale: Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action.
CCE-27394-6
var_auditd_action_mail_acct=""
AUDITCONFIG=/etc/audit/auditd.conf
replace_or_append $AUDITCONFIG '^action_mail_acct' "$var_auditd_action_mail_acct" "CCE-27394-6"
- name: XCCDF Value var_auditd_action_mail_acct # promote to variable
set_fact:
var_auditd_action_mail_acct: !!str
tags:
- always
- name: Configure auditd mail_acct Action on Low Disk Space
lineinfile:
dest: /etc/audit/auditd.conf
line: action_mail_acct = {{ var_auditd_action_mail_acct }}
regexp: ^\s*action_mail_acct\s*=\s*.*$
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_retention_action_mail_acct
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27394-6
- PCI-DSS-Req-10.7.a
- DISA-STIG-RHEL-07-030350
- NIST-800-171-3.3.1
- NIST-800-53-IA-5(1)
- NIST-800-53-AU-5(a)
- NIST-800-53-AU-5(2)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Configure auditd space_left Action on Low Disk Space
The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
syslog, email, exec, suspend, single, halt
Set this to email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt.
References: CIS Benchmark 5.2.1.2; CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; NIST 800-171 3.3.1; CCI-001855; HIPAA 164.312(a)(2)(ii); ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2; ISO 27001 A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1; NIST 800-53 AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4; PCI DSS Req-10.7; SRG-OS-000343-GPOS-00134; DISA STIG RHEL-07-030340 (SV-86715r2_rule); SRG-OS-000343-VMM-001240
Rationale: Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.
CCE-27375-5
var_auditd_space_left_action=""
#
# If space_left_action present in /etc/audit/auditd.conf, change value
# to var_auditd_space_left_action, else
# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
#
AUDITCONFIG=/etc/audit/auditd.conf
replace_or_append $AUDITCONFIG '^space_left_action' "$var_auditd_space_left_action" "CCE-27375-5"
- name: XCCDF Value var_auditd_space_left_action # promote to variable
set_fact:
var_auditd_space_left_action: !!str
tags:
- always
- name: Configure auditd space_left Action on Low Disk Space
lineinfile:
dest: /etc/audit/auditd.conf
line: space_left_action = {{ var_auditd_space_left_action }}
regexp: ^\s*space_left_action\s*=\s*.*$
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_retention_space_left_action
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27375-5
- PCI-DSS-Req-10.7
- DISA-STIG-RHEL-07-030340
- NIST-800-171-3.3.1
- NIST-800-53-AU-5(b)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(4)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Configure auditd to use audispd's syslog plugin
To configure the auditd service to use the
syslog plug-in of the audispd audit event multiplexor, set
the active line in /etc/audisp/plugins.d/syslog.conf to yes.
Restart the auditd service:
$ sudo service auditd restart
Every audit record is then also delivered to the local syslog daemon at the
priority given by the args line of the same file (LOG_INFO as shipped), so
expect /var/log/messages, and anything that forwards it, to grow accordingly.
References: CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; NIST 800-171 3.3.1; CCI-000136; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii); ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1; ISO 27001 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AU-4(1), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.5.3; SRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133, SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280, SRG-OS-000479-VMM-001990
Rationale: The auditd service does not include the ability to send audit
records to a centralized server for management directly. It does, however,
include a plug-in for audit event multiplexor (audispd) to pass audit records
to the local syslog server.
CCE-27341-7
var_syslog_active="yes"
AUDISP_SYSLOGCONFIG=/etc/audisp/plugins.d/syslog.conf
replace_or_append $AUDISP_SYSLOGCONFIG '^active' "$var_syslog_active" "CCE-27341-7"
- name: enable syslog plugin
lineinfile:
dest: /etc/audisp/plugins.d/syslog.conf
regexp: ^active
line: active = yes
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_audispd_syslog_plugin_activated
- medium_severity
- configure_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27341-7
- PCI-DSS-Req-10.5.3
- NIST-800-171-3.3.1
- NIST-800-53-AU-4(1)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Configure auditd admin_space_left Action on Low Disk Space
The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.
References: CIS Benchmark 5.2.1.2; CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; NIST 800-171 3.3.1; CCI-000140, CCI-001343; HIPAA 164.312(a)(2)(ii); ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2; ISO 27001 A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1; NIST 800-53 AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4; PCI DSS Req-10.7; DISA STIG RHEL-07-030340 (SV-86715r2_rule)
Rationale: Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur.
CCE-27370-6
var_auditd_admin_space_left_action=""
AUDITCONFIG=/etc/audit/auditd.conf
replace_or_append $AUDITCONFIG '^admin_space_left_action' "$var_auditd_admin_space_left_action" "CCE-27370-6"
- name: XCCDF Value var_auditd_admin_space_left_action # promote to variable
set_fact:
var_auditd_admin_space_left_action: !!str
tags:
- always
- name: Configure auditd admin_space_left Action on Low Disk Space
lineinfile:
dest: /etc/audit/auditd.conf
line: admin_space_left_action = {{ var_auditd_admin_space_left_action }}
regexp: ^\s*admin_space_left_action\s*=\s*.*$
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_retention_admin_space_left_action
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27370-6
- PCI-DSS-Req-10.7
- DISA-STIG-RHEL-07-030340
- NIST-800-171-3.3.1
- NIST-800-53-AU-5(b)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(4)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. These include:
syslog, suspend, rotate, keep_logs
Set the ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive. With keep_logs,
auditd still rotates but never deletes, so num_logs is not applied and disk
usage grows until something external archives and removes the old files.
References: CIS Benchmark 5.2.1.3; CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; HIPAA 164.312(a)(2)(ii); ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2; ISO 27001 A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1; NIST 800-53 AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4; PCI DSS Req-10.7
Rationale: Automatically rotating logs (by setting this to rotate)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed.
CCE-27231-0
var_auditd_max_log_file_action=""
AUDITCONFIG=/etc/audit/auditd.conf
replace_or_append $AUDITCONFIG '^max_log_file_action' "$var_auditd_max_log_file_action" "CCE-27231-0"
- name: XCCDF Value var_auditd_max_log_file_action # promote to variable
set_fact:
var_auditd_max_log_file_action: !!str
tags:
- always
- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
lineinfile:
dest: /etc/audit/auditd.conf
line: max_log_file_action = {{ var_auditd_max_log_file_action }}
regexp: ^\s*max_log_file_action\s*=\s*.*$
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_retention_max_log_file_action
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27231-0
- PCI-DSS-Req-10.7
- NIST-800-53-AU-5(b)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(4)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Include Local Events in Audit Logs
To configure Audit daemon to include local events in Audit logs, set
local_events to yes in /etc/audit/auditd.conf.
This is the default setting.
References: Common Criteria FAU_GEN.1.1.c; SRG-OS-000062-GPOS-00031
Rationale: If local_events is not set to yes, only events received from the
network (as on an aggregation server) are logged; events generated on the
local system itself are dropped.
CCE-82355-9
if [ -e "/etc/audit/auditd.conf" ] ; then
LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf"
else
touch "/etc/audit/auditd.conf"
fi
cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
# Insert at the end of the file
printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf"
# Clean up after ourselves.
rm "/etc/audit/auditd.conf.bak"
- name: Include Local Events in Audit Logs
block:
- name: Deduplicate values from /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: false
regexp: (?i)^\s*local_events\s*=\s*
state: absent
- name: Insert correct line to /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: true
line: local_events = yes
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_local_events
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82355-9
Configure auditd Disk Error Action on Disk Error
The auditd service can be configured to take an action
when there is a disk error.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.
References: CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8; COBIT 5 APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2; ISO 27001 A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1; NIST 800-53 AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
Rationale: Taking appropriate action in case of disk errors will minimize the possibility of
losing audit records.
CCE-80646-3
var_auditd_disk_error_action=""
#
# If disk_error_action present in /etc/audit/auditd.conf, change value
# to var_auditd_disk_error_action, else
# add "disk_error_action = $var_auditd_disk_error_action" to /etc/audit/auditd.conf
#
if grep --silent ^disk_error_action /etc/audit/auditd.conf ; then
sed -i 's/^disk_error_action.*/disk_error_action = '"$var_auditd_disk_error_action"'/g' /etc/audit/auditd.conf
else
echo -e "\n# Set disk_error_action to $var_auditd_disk_error_action per security requirements" >> /etc/audit/auditd.conf
echo "disk_error_action = $var_auditd_disk_error_action" >> /etc/audit/auditd.conf
fi
- name: XCCDF Value var_auditd_disk_error_action # promote to variable
set_fact:
var_auditd_disk_error_action: !!str
tags:
- always
- name: Configure auditd Disk Error Action on Disk Error
lineinfile:
dest: /etc/audit/auditd.conf
line: disk_error_action = {{ var_auditd_disk_error_action }}
regexp: ^\s*disk_error_action\s*=\s*.*$
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_disk_error_action
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80646-3
- NIST-800-53-AU-5(b)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(4)
- NIST-800-53-CM-6(a)
Set number of records to cause an explicit flush to audit logs
To configure Audit daemon to issue an explicit flush to disk command
after writing 50 records, set freq to 50
in /etc/audit/auditd.conf. The freq value is only consulted when flush is set to
incremental or incremental_async; with the other flush modes it has no effect.
References: Common Criteria FAU_GEN.1; SRG-OS-000051-GPOS-00024
Rationale: If freq is not set to 50, the flush to disk
may happen only after a higher number of records, increasing the danger
of audit loss.
CCE-82358-3
if [ -e "/etc/audit/auditd.conf" ] ; then
LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf"
else
touch "/etc/audit/auditd.conf"
fi
cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
# Insert at the end of the file
printf '%s\n' "freq = 50" >> "/etc/audit/auditd.conf"
# Clean up after ourselves.
rm "/etc/audit/auditd.conf.bak"
- name: Set number of records to cause an explicit flush to audit logs
block:
- name: Deduplicate values from /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: false
regexp: (?i)^\s*freq\s*=\s*
state: absent
- name: Insert correct line to /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: true
line: freq = 50
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_freq
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82358-3
Configure auditd Number of Logs Retained
Determine how many log files
auditd should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf. Add or modify the following
line, substituting NUMLOGS with the correct value:
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems.
Note that values less than 2 result in no log rotation.
References: CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT 5 APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01; NIST 800-171 3.3.1; ISA 62443 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1; ISO 27001 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AU-11, CM-6(a); NIST CSF DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4; PCI DSS Req-10.7
Rationale: The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum log
file size and the number of logs retained.
CCE-27348-2
var_auditd_num_logs=""
AUDITCONFIG=/etc/audit/auditd.conf
replace_or_append $AUDITCONFIG '^num_logs' "$var_auditd_num_logs" "CCE-27348-2"
- name: XCCDF Value var_auditd_num_logs # promote to variable
set_fact:
var_auditd_num_logs: !!str
tags:
- always
- name: Configure auditd Number of Logs Retained
lineinfile:
dest: /etc/audit/auditd.conf
line: num_logs = {{ var_auditd_num_logs }}
regexp: ^\s*num_logs\s*=\s*.*$
state: present
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_data_retention_num_logs
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27348-2
- PCI-DSS-Req-10.7
- NIST-800-171-3.3.1
- NIST-800-53-AU-11
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
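The rules for max_log_file, num_logs, max_log_file_action and the four *_action settings interact: what stays on disk is bounded by num_logs times max_log_file, and a num_logs below 2 or an action of ignore quietly defeats the others. The following added example (not part of the guide or of the audit project) is a read-only checker that parses an auditd.conf and reports deviations. Its minimums (6 MB per file, at least 2 files) and its acceptable action sets are taken from the rule text in this section; the FINDING/INFO output format, the function names and the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the scap-security-guide sources): a read-only
# review of the auditd.conf retention and disk-space settings covered in
# this section. Prints FINDING:/INFO: lines and returns the finding count.

# conf_get FILE KEY: effective value of KEY (case-insensitive key, trimmed,
# comment lines skipped, last assignment wins, empty output when unset).
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(name) == tolower(k)) found = val
        }
        END { print found }' "$1"
}

lower()   { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# auditd_retention_check FILE
# Minimums (6 MB per file, at least 2 files) and the acceptable action sets
# are those given by the rule text in this section; anything else is flagged.
auditd_retention_check() {
    file=$1
    n=0
    finding() { echo "FINDING: $1"; n=$((n + 1)); }

    max_mb=$(conf_get "$file" max_log_file)
    nlogs=$(conf_get "$file" num_logs)
    is_uint "$max_mb" || { finding "max_log_file is missing or not a number"; max_mb=0; }
    is_uint "$nlogs"  || { finding "num_logs is missing or not a number"; nlogs=0; }
    [ "$max_mb" -ge 6 ] || finding "max_log_file=$max_mb is below the 6 MB minimum"
    [ "$nlogs" -ge 2 ]  || finding "num_logs=$nlogs: values below 2 mean no rotation"
    # Each rotated file holds at most max_log_file MB, so this bounds what
    # stays on disk (with keep_logs the partition size is the only bound).
    echo "INFO: retention bounded by num_logs x max_log_file = $((nlogs * max_mb)) MB"

    case $(lower "$(conf_get "$file" max_log_file_action)") in
        rotate)    ;;
        keep_logs) echo "INFO: keep_logs ignores num_logs; an external process must reclaim space" ;;
        *)         finding "max_log_file_action should be rotate (or keep_logs with external archiving)" ;;
    esac
    for key in space_left_action admin_space_left_action; do
        case $(lower "$(conf_get "$file" "$key")") in
            email|syslog|exec|suspend|single|halt) ;;
            *) finding "$key must be one of email, syslog, exec, suspend, single, halt" ;;
        esac
    done
    for key in disk_full_action disk_error_action; do
        case $(lower "$(conf_get "$file" "$key")") in
            syslog|exec|single|halt) ;;
            *) finding "$key must be one of syslog, exec, single, halt" ;;
        esac
    done
    # The early-warning threshold must sit above the last-chance one, or
    # space_left_action can never fire before admin_space_left_action.
    sl=$(conf_get "$file" space_left); asl=$(conf_get "$file" admin_space_left)
    if is_uint "$sl" && is_uint "$asl"; then
        [ "$sl" -gt "$asl" ] || finding "space_left=$sl must be greater than admin_space_left=$asl"
    else
        finding "space_left and admin_space_left must both be set (MB)"
    fi
    case $(lower "$(conf_get "$file" flush)") in
        none) finding "flush=none: records are never explicitly flushed to disk" ;;
    esac
    return "$n"
}

# write_sample weak|hardened: constructed demo inputs, not real systems;
# prints the path of a temporary file holding the sample.
write_sample() {
    f=$(mktemp) || return 1
    if [ "$1" = weak ]; then
        printf '%s\n' '# constructed weak sample' 'max_log_file = 4' 'num_logs = 1' \
            'max_log_file_action = rotate' 'space_left = 75' 'space_left_action = SUSPEND' \
            'admin_space_left = 50' 'admin_space_left_action = ignore' \
            'disk_full_action = ignore' 'flush = none' > "$f"
    else
        printf '%s\n' '# constructed hardened sample' 'max_log_file = 20' 'num_logs = 5' \
            'max_log_file_action = ROTATE' 'space_left = 250' 'space_left_action = email' \
            'action_mail_acct = root' 'admin_space_left = 100' 'admin_space_left_action = single' \
            'disk_full_action = halt' 'disk_error_action = halt' \
            'flush = incremental_async' 'freq = 50' > "$f"
    fi
    printf '%s\n' "$f"
}

for kind in weak hardened; do
    f=$(write_sample "$kind")
    echo "== $kind sample =="
    rc=0; auditd_retention_check "$f" || rc=$?
    echo "findings: $rc"
    rm -f "$f"
done
```

Point it at /etc/audit/auditd.conf from a build or compliance pipeline and fail the job on a non-zero return; the weak sample above produces six findings, the hardened one none.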
Configure audispd's Plugin disk_full_action When Disk Is Full
Configure the action the operating system takes if the disk the audit records
are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf.
Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
References: CCI-001851; NIST 800-53 AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a); SRG-OS-000342-GPOS-00133; DISA STIG RHEL-07-030320 (SV-86711r3_rule)
Rationale: Taking appropriate action in case of a filled audit storage volume will
minimize the possibility of losing audit records.
CCE-80539-0

Resolve information before writing to audit logs
To configure Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set log_format to ENRICHED
in /etc/audit/auditd.conf. ENRICHED records carry the resolved names in
additional upper-case fields (for example UID= and AUID=), which makes them
larger but keeps them readable after users, groups or the host itself change.
References: Common Criteria FAU_GEN.1; SRG-OS-000255-GPOS-00096
Rationale: If log_format is not set to ENRICHED, the
audit records will be stored in a format exactly as the kernel sends them.
CCE-82357-5
if [ -e "/etc/audit/auditd.conf" ] ; then
LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf"
else
touch "/etc/audit/auditd.conf"
fi
cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
# Insert at the end of the file
printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf"
# Clean up after ourselves.
rm "/etc/audit/auditd.conf.bak"
- name: Resolve information before writing to audit logs
block:
- name: Deduplicate values from /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: false
regexp: (?i)^\s*log_format\s*=\s*
state: absent
- name: Insert correct line to /etc/audit/auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
create: true
line: log_format = ENRICHED
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- auditd_log_format
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82357-5
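Both settings above, disk_full_action in /etc/audisp/audisp-remote.conf and log_format in /etc/audit/auditd.conf, are plain key = value options, and the remediation content works by deleting every existing assignment of the option and appending one canonical line. The Python script below is an added example and not code from the scap-security-guide project: it checks such a file against the accepted values and applies the same delete-then-append edit in memory, so that running it twice gives the same result. The file contents are constructed, and comparing option names and values case-insensitively is this script's own choice (it mirrors the /I flag of the sed command above).

```python
"""Check and idempotently set key = value options in auditd-style config files.

Added example for this guide, not code from scap-security-guide. The file
contents below are constructed; case-insensitive matching is this script's choice.
"""
import re

OPTION_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$")

# Values the two rules above accept, keyed by file and then by option name.
EXPECTATIONS = {
    "/etc/audisp/audisp-remote.conf": {"disk_full_action": {"single", "syslog", "halt"}},
    "/etc/audit/auditd.conf": {"log_format": {"ENRICHED"}},
}


def parse_options(text: str) -> dict:
    """Map lower-cased option names to values; a later duplicate overrides an earlier one."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1).lower()] = m.group(2)
    return opts


def findings(path: str, text: str) -> list:
    """Return one message per option that is unset or outside its accepted values."""
    opts = parse_options(text)
    problems = []
    for key, allowed in EXPECTATIONS[path].items():
        value = opts.get(key)
        if value is None:
            problems.append(f"{path}: {key} is not set")
        elif value.lower() not in {a.lower() for a in allowed}:
            problems.append(f"{path}: {key}={value} is not one of {', '.join(sorted(allowed))}")
    return problems


def set_option(text: str, key: str, value: str) -> str:
    """Drop every assignment of `key` (any case) and append one `key = value` line.

    Applying this twice yields the same text, so it is safe in a remediation loop.
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=", re.IGNORECASE)
    kept = [ln for ln in text.splitlines() if not pattern.match(ln)]
    kept.append(f"{key} = {value}")
    return "\n".join(kept) + "\n"


# Constructed excerpts: a remote plugin configured to take no action on a full
# disk, and an auditd.conf whose option name differs in case from the guide's spelling.
SAMPLE_REMOTE_CONF = """\
# audisp-remote.conf (constructed)
remote_server = audit.example.internal
port = 60
disk_full_action = ignore
"""

SAMPLE_AUDITD_CONF = """\
# auditd.conf (constructed)
log_file = /var/log/audit/audit.log
Log_Format = RAW
max_log_file = 8
"""

if __name__ == "__main__":
    for path, text in (("/etc/audisp/audisp-remote.conf", SAMPLE_REMOTE_CONF),
                       ("/etc/audit/auditd.conf", SAMPLE_AUDITD_CONF)):
        for problem in findings(path, text):
            print(problem)
    print(set_option(SAMPLE_AUDITD_CONF, "log_format", "ENRICHED"), end="")
```

To check a real host, pass open(path).read() for each file in EXPECTATIONS; findings() returns an empty list when the file is compliant, and the text returned by set_option() can be written back and then verified with the same findings() call.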
Configure auditd Rules for Comprehensive Auditing
The auditd program can perform comprehensive
monitoring of system activity. This section describes recommended
configuration settings for comprehensive auditing, but a full
description of the auditing system's capabilities is beyond the
scope of this guide. The mailing list linux-audit@redhat.com exists
to facilitate community discussion of the auditing system.
The audit subsystem supports extensive collection of events, including:
Tracing of arbitrary system calls (identified by name or number)
on entry or exit.
Filtering by PID, UID, call success, system call argument (with
some limitations), etc.
Monitoring of specific files for modifications to the file's
contents or metadata.
Auditing rules at startup are controlled by the file /etc/audit/audit.rules.
Add rules to it to meet the auditing requirements for your organization.
Each line in /etc/audit/audit.rules represents a series of arguments
that can be passed to auditctl and can be individually tested
during runtime. See documentation in /usr/share/doc/audit-VERSION and
in the related man pages for more details.
If copying any example audit rulesets from /usr/share/doc/audit-VERSION,
be sure to comment out the
lines containing arch= which are not appropriate for your system's
architecture. Then review and understand the following rules,
ensuring rules are activated as needed for the appropriate
architecture.
After reviewing all the rules, reading the following sections, and
editing as needed, the new rules can be activated as follows:
$ sudo service auditd restart
When augenrules is in use (the default), sudo augenrules --load rebuilds /etc/audit/audit.rules from the files in /etc/audit/rules.d and loads the result without restarting the daemon. If the rules have been made immutable with -e 2, changes take effect only after a reboot.
Record Events that Modify User/Group Information via openat syscall - /etc/gshadow
The audit system should collect write events to the /etc/gshadow file. Because of the auid>=1000 and auid!=unset filters, the rules below record only processes whose login UID is an interactive user account (which still holds after that user runs su or sudo to become root), not daemons or processes without a login UID. The -F a2&03 test matches only opens whose flags include write access (O_WRONLY or O_RDWR).
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
The key (user-modify here, modify in the remediation content) is a free-form label used to find the events with ausearch -k; it does not change what is recorded.
AC-2(4) AU-2(d) AU-12(c) AC-6(9) CM-6(a) FAU_GEN.1.1.c
Creation or modification of groups through direct editing of /etc/gshadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule.
# fix_audit_syscall_rule and fix_audit_watch_rule (used by the remediations in
# this section) are helpers from the shared bash remediation function library
# shipped with scap-security-guide; they are not defined in these snippets.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/gshadow.*"
GROUP="modify"
FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit openat tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_gshadow_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: .*openat(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/gshadow.*
patterns: '*.rules'
register: find_openat
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_gshadow_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/modify.rules
when:
- find_openat.matched is defined and find_openat.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_gshadow_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_openat.files | map(attribute=''path'') | list | first }}'
when:
- find_openat.matched is defined and find_openat.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_gshadow_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F
auid>=1000 -F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_gshadow_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F
auid>=1000 -F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_gshadow_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F
auid>=1000 -F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_gshadow_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F
auid>=1000 -F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_gshadow_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Ensure auditd Collects System Administrator Actions
At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following lines to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
Note that these watches record writes and attribute changes to the sudo policy files themselves. The commands that administrators run through sudo are logged by sudo via syslog; recording them in the audit log requires separate execve rules.
1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000126 CCI-000130 CCI-000135 CCI-000172 CCI-002884 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(7)(b) AU-2(d) AU-12(c) AC-6(9) CM-6(a) DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 FAU_GEN.1.1.c Req-10.2.2 Req-10.2.5.b SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000471-GPOS-00215 RHEL-07-030700 SV-86787r5_rule SRG-OS-000462-VMM-001840 SRG-OS-000471-VMM-001910
The actions taken by system administrators should be audited to keep a record
of what was executed on the system and for accountability purposes.
CCE-27461-3
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "auditctl" "/etc/sudoers.d" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers.d" "wa" "actions"
Record Events that Modify the System's Network Environment
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
5.2.6 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e) 4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.6 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2 AU-2(d) AU-12(c) AC-6(9) CM-6(a) DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.5.5
The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.
CCE-27076-9
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
# Use escaped BRE regex to specify rule group
GROUP="set\(host\|domain\)name"
FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
Record Events that Modify User/Group Information
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
This rule watches several files related to account changes at once;
it was written with DISA STIG in mind. Other policies should use a
separate rule for each file that needs to be checked. For example:
audit_rules_usergroup_modification_group
audit_rules_usergroup_modification_gshadow
audit_rules_usergroup_modification_passwd
5.2.5 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 5.4.1.1 APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.03 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01 3.1.7 CCI-000018 CCI-000172 CCI-001403 CCI-002130 4.2.3.10 4.3.2.6.7 4.3.3.2.2 4.3.3.3.9 4.3.3.5.1 4.3.3.5.2 4.3.3.5.8 4.3.3.6.6 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4 SR 1.1 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5 AC-2(4) AU-2(d) AU-12(c) AC-6(9) CM-6(a) DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4 Req-10.2.5 SRG-OS-000004-GPOS-00004 SRG-OS-000239-GPOS-00089 SRG-OS-000241-GPOS-00090 SRG-OS-000241-GPOS-00091 SRG-OS-000303-GPOS-00120 SRG-OS-000476-GPOS-00221 RHEL-07-030710 SV-86789r4_rule
In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
CCE-27192-4
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd
The audit system should collect write events to the /etc/passwd file. Because of the auid>=1000 and auid!=unset filters, the rules below record only processes whose login UID is an interactive user account (which still holds after that user runs su or sudo to become root), not daemons or processes without a login UID.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
AC-2(4) AU-2(d) AU-12(c) AC-6(9) CM-6(a) FAU_GEN.1.1.c
Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/passwd.*"
GROUP="modify"
FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit open_by_handle_at tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: .*open_by_handle_at(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/passwd.*
patterns: '*.rules'
register: find_open_by_handle_at
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/modify.rules
when:
- find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched
== 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first
}}'
when:
- find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched
> 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when
on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
The audit system should collect write events to the /etc/group file. Because of the auid>=1000 and auid!=unset filters, the rules below record only processes whose login UID is an interactive user account (which still holds after that user runs su or sudo to become root), not daemons or processes without a login UID.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
AC-2(4) AU-2(d) AU-12(c) AC-6(9) CM-6(a) FAU_GEN.1.1.c
Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
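The openat and open_by_handle_at rules for /etc/gshadow, /etc/passwd and /etc/group, the sudoers watches and the network-configuration rules above all admit several equivalent spellings: syscalls grouped in one -S list or split across rules, -k versus -F key=, auid!=unset written as -1 or 4294967295, and a b32 rule that needs a b64 twin on a 64-bit system. A check that only greps for the exact line printed in the guide would report valid configurations as failures. The Python script below is an added example for this section and not code from scap-security-guide or the audit project: it parses auditctl-style rule lines into a structured form and reports which required rules have no covering rule, treating keys as labels that do not affect coverage. The required and existing rule sets are constructed for the demonstration.

```python
"""Check auditd rules for coverage rather than for an exact line match.

Added example for this guide; not code from scap-security-guide or the audit
project. The REQUIRED and SAMPLE_RULES sets below are constructed.
"""
import shlex
from dataclasses import dataclass, field

# Spellings auditctl accepts for "no login UID"; normalised so they compare equal.
UNSET_AUID = {"unset", "-1", "4294967295"}


@dataclass
class AuditRule:
    kind: str                                   # "syscall" (-a) or "watch" (-w)
    action: str = ""                            # e.g. "always,exit", parts sorted
    arch: str = ""                              # b32 / b64 from -F arch=
    syscalls: set = field(default_factory=set)  # every -S, comma lists expanded
    filters: set = field(default_factory=set)   # other -F expressions, normalised
    path: str = ""                              # -w path, trailing slash dropped
    perms: set = field(default_factory=set)     # -p letters
    key: str = ""                               # -k or -F key= (a label only)


def _norm_filter(expr: str) -> str:
    """Canonicalise one -F expression so equivalent spellings compare equal."""
    for op in ("!=", ">=", "<=", "=", ">", "<"):
        if op in expr:
            name, val = expr.split(op, 1)
            if name == "auid" and val in UNSET_AUID:
                val = "unset"
            return f"{name}{op}{val}"
    return expr                                  # e.g. a2&03 (bit test, no operator)


def parse_rule(line: str):
    """Parse one auditctl-style line; None for blanks, comments and control lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    rule, i = None, 0
    while i < len(toks):
        flag = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else ""
        if flag == "-a":
            rule = AuditRule(kind="syscall", action=",".join(sorted(arg.split(","))))
        elif flag == "-w":
            rule = AuditRule(kind="watch", path=arg.rstrip("/"))
        elif rule is None:
            return None                          # -D, -b, -e and similar
        elif flag == "-S":
            rule.syscalls.update(arg.split(","))
        elif flag == "-p":
            rule.perms.update(arg)
        elif flag == "-k":
            rule.key = arg
        elif flag == "-F":
            if arg.startswith("arch="):
                rule.arch = arg[len("arch="):]
            elif arg.startswith("key="):
                rule.key = arg[len("key="):]
            else:
                rule.filters.add(_norm_filter(arg))
        i += 2
    return rule


def covers(existing: AuditRule, req: AuditRule, syscall: str = "") -> bool:
    """True if `existing` records everything `req` asks for; keys are ignored."""
    if existing.kind != req.kind:
        return False
    if req.kind == "watch":
        return existing.path == req.path and req.perms <= existing.perms
    return (existing.action == req.action and existing.arch == req.arch
            and syscall in existing.syscalls and req.filters <= existing.filters)


def missing_rules(existing_lines, required_lines, long_bit=64):
    """Describe each required rule (per syscall and arch) that no existing rule covers.

    On a 64-bit system a required b32 syscall rule also implies its b64 twin,
    matching the "If the system is 64 bit then also add" wording in the guide.
    """
    existing = [r for r in map(parse_rule, existing_lines) if r]
    missing = []
    for line in required_lines:
        req = parse_rule(line)
        if req is None:
            continue
        if req.kind == "watch":
            if not any(covers(e, req) for e in existing):
                missing.append(f"watch {req.path} " + "".join(p for p in "rwxa" if p in req.perms))
            continue
        archs = [req.arch, "b64"] if long_bit == 64 and req.arch == "b32" else [req.arch]
        for arch in archs:
            for sc in sorted(req.syscalls):
                want = AuditRule(kind="syscall", action=req.action, arch=arch,
                                 syscalls={sc}, filters=req.filters)
                if not any(covers(e, want, sc) for e in existing):
                    missing.append(" ".join(["syscall", arch, sc] + sorted(req.filters)))
    return missing


# Rules as written in this guide (note the keys differ between description and remediation).
REQUIRED = [
    "-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify",
    "-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify",
    "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification",
    "-w /etc/sudoers -p wa -k actions",
    "-w /etc/sudoers.d/ -p wa -k actions",
]

# Constructed rules.d content on a 64-bit host: grouped syscalls, another key,
# the numeric spelling of unset, no b32 network rule, sudoers.d watched for w only.
SAMPLE_RULES = """
-D
-b 8192
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=4294967295 -k modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=4294967295 -k modify
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d -p w -k actions
""".splitlines()

if __name__ == "__main__":
    for item in missing_rules(SAMPLE_RULES, REQUIRED):
        print("MISSING:", item)
```

On a live host, feed it the output of auditctl -l (the rules the kernel actually holds) rather than the files on disk, so that a rule that was written to rules.d but never loaded, for example because the ruleset is immutable until reboot, is still reported as missing.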
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/group.*"
GROUP="modify"
FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit open_by_handle_at tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: .*open_by_handle_at(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/group.*
    patterns: '*.rules'
  register: find_open_by_handle_at
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/modify.rules
  when:
    - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first }}'
  when:
    - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Record Attempts to Alter Process and Session Initiation Information
The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Rationale: Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
Identifier: CCE-27301-1
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
# fix_audit_watch_rule is defined in the scap-security-guide shared remediation
# function library (sourced by the complete remediation script), not in this snippet.
fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/log/wtmp" "wa" "session"
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow
The audit system should collect write events to the /etc/gshadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
References: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c
Rationale: Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/gshadow.*"
    GROUP="modify"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
    # fix_audit_syscall_rule is defined in the scap-security-guide shared remediation
    # function library, not in this snippet.
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit open_by_handle_at tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_gshadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: .*open_by_handle_at(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/gshadow.*
    patterns: '*.rules'
  register: find_open_by_handle_at
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_gshadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/modify.rules
  when:
    - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_gshadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first }}'
  when:
    - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_gshadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_gshadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_gshadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_gshadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_gshadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Record Events that Modify User/Group Information via open syscall - /etc/passwd
The audit system should collect write events to the /etc/passwd file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
References: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c
Rationale: Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/passwd.*"
    GROUP="modify"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
    # fix_audit_syscall_rule is defined in the scap-security-guide shared remediation
    # function library, not in this snippet.
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit open tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_passwd_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: .*open(,[\S]+)?[\s]+-F[\s]+a1&03[\s]+-F[\s]+path=/etc/passwd.*
    patterns: '*.rules'
  register: find_open
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_passwd_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/modify.rules
  when:
    - find_open.matched is defined and find_open.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_passwd_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_open.files | map(attribute=''path'') | list | first }}'
  when:
    - find_open.matched is defined and find_open.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_passwd_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_passwd_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_passwd_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_passwd_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_passwd_open
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
System Audit Logs Must Have Mode 0750 or Less Permissive
If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the mode of the audit log files with the following command:
$ sudo chmod 0750 /var/log/audit
Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0700 /var/log/audit
Rationale: If users can write to audit logs, audit trails can be modified or destroyed.
# A non-root log_group needs read and traverse access to the directory (0750);
# with no log_group, or log_group = root, nobody but root gets in (0700).
if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
    # Anchor on the line start so a commented-out "#log_group = ..." line is ignored,
    # and stop at the first assignment so GROUP holds a single value.
    GROUP=$(awk -F "=" '/^log_group/ {print $2; exit}' /etc/audit/auditd.conf | tr -d ' ')
    if ! [ "${GROUP}" == 'root' ] ; then
        chmod 0750 /var/log/audit
    else
        chmod 0700 /var/log/audit
    fi
else
    chmod 0700 /var/log/audit
fi
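A read-only version of the same decision, added here as an example rather than taken from the guide's own remediation: it derives the required mode from the active log_group setting (ignoring commented-out lines such as "#log_group = adm") and reports whether /var/log/audit grants any permission bit beyond it. The auditd.conf fragment is constructed for the example; the function and variable names are this example's own.

```python
import os
import re
import stat

# Only an uncommented assignment counts; "#log_group = adm" is a comment, and a
# plain search for the word log_group would wrongly pick it up.
LOG_GROUP_RE = re.compile(r"^\s*log_group\s*=\s*(\S+)\s*$")


def log_group(conf_text):
    """Return the first active log_group value in auditd.conf text, or 'root' if none."""
    for line in conf_text.splitlines():
        m = LOG_GROUP_RE.match(line)
        if m:
            return m.group(1)
    return "root"


def required_mode(group):
    """Members of a non-root log group need r-x on the directory, so 0750;
    otherwise nobody but root should get in, so 0700."""
    return 0o750 if group != "root" else 0o700


def evaluate(conf_text, actual_mode):
    """Pure check: return (required, actual, compliant). compliant means the
    directory grants no permission bit that the required mode does not."""
    required = required_mode(log_group(conf_text))
    actual = stat.S_IMODE(actual_mode)
    return required, actual, (actual & ~required) == 0


def check_audit_log_dir(conf_path="/etc/audit/auditd.conf", log_dir="/var/log/audit"):
    """Evaluate the live system; needs read access to both paths."""
    with open(conf_path) as fh:
        conf_text = fh.read()
    return evaluate(conf_text, os.stat(log_dir).st_mode)


# Constructed auditd.conf fragment (not a real file): the commented-out line
# must not make the check demand 0750.
SAMPLE_CONF = """\
# This file controls the configuration of the audit daemon
#log_group = adm
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
"""

if __name__ == "__main__":
    required, actual, ok = check_audit_log_dir()
    print("required %o, actual %o: %s" % (required, actual, "ok" if ok else "TOO PERMISSIVE"))
```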
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
The audit system should collect write events to the /etc/shadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
References: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c
Rationale: Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/shadow.*"
    GROUP="modify"
    FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
    # fix_audit_syscall_rule is defined in the scap-security-guide shared remediation
    # function library, not in this snippet.
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit open_by_handle_at tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_shadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: .*open_by_handle_at(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/shadow.*
    patterns: '*.rules'
  register: find_open_by_handle_at
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_shadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/modify.rules
  when:
    - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_shadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first }}'
  when:
    - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_shadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_shadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_shadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_shadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_shadow_open_by_handle_at
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Record Events that Modify User/Group Information via openat syscall - /etc/group
The audit system should collect write events to the /etc/group file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
References: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c
Rationale: Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
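The rules for /etc/passwd, /etc/shadow, /etc/gshadow and /etc/group above all share one shape: a syscall filter, a bitwise test on the open-flags argument (a1&03 for open, a2&03 for openat and open_by_handle_at, since O_WRONLY|O_RDWR is 3), a path filter, and the auid filters that restrict the rule to real users. The following checker, added here as an example and not part of the guide or of scap-security-guide, parses a rules.d style rule set and reports which (arch, syscall, file) combinations no rule audits. Like the guide's Ansible `find` pattern it accepts grouped `-S open,openat,...` rules, but it credits a grouped rule only for the syscalls whose flags argument it actually tests. The sample rule set is constructed; all function names are this example's own.

```python
import re
import shlex

# Files whose write-opens the rules above audit, and the two ABIs a 64-bit
# system must cover (a 32-bit process on x86_64 enters the b32 syscall table).
ACCOUNT_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow")
ARCHES = ("b32", "b64")
# Which syscall argument carries the open flags (a0 is the first argument):
# open(path, flags) -> a1; openat(dirfd, path, flags) and
# open_by_handle_at(mount_fd, handle, flags) -> a2. That is why the guide's
# rules use a1&03 for open and a2&03 for the *at variants: O_WRONLY|O_RDWR
# is 3, so the bitwise test selects opens for writing only.
FLAGS_ARG = {"open": "a1", "openat": "a2", "open_by_handle_at": "a2"}

FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(&=|!=|>=|<=|&|=|>|<)(.*)$")


def c_int(text):
    """Parse a number the way strtoul(..., 0) does: 0x is hex, leading 0 is octal."""
    text = text.strip().lower()
    if text.startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text)


def parse_syscall_rule(line):
    """Parse one '-a always,exit ...' rule; return None for comments, -w rules, etc."""
    line = line.split("#", 1)[0].strip()
    if not line.startswith("-a "):
        return None
    toks = shlex.split(line)
    rule = {"action": None, "syscalls": set(), "filters": set(), "key": None}
    for flag, val in zip(toks[0::2], toks[1::2]):  # every option takes one value
        if flag == "-a":
            rule["action"] = val
        elif flag == "-S":
            rule["syscalls"].update(val.split(","))
        elif flag == "-k":
            rule["key"] = val
        elif flag == "-F":
            m = FILTER_RE.match(val)
            if not m:
                return None  # malformed filter; auditctl would reject it too
            field, op, value = m.groups()
            if field == "key":
                rule["key"] = value
            else:
                # normalise bit masks so that a2&03 and a2&3 compare equal
                rule["filters"].add((field, op, c_int(value) if op == "&" else value))
    return rule


def covers(rule, arch, syscall, path):
    """True when `rule` audits write-opens of `path` via `syscall` on `arch`
    by real users (auid>=1000, excluding processes whose auid was never set)."""
    if rule["action"] != "always,exit" or syscall not in rule["syscalls"]:
        return False
    required = {
        ("arch", "=", arch),
        ("path", "=", path),
        (FLAGS_ARG[syscall], "&", 3),
        ("auid", ">=", "1000"),
        ("auid", "!=", "unset"),
    }
    return required <= rule["filters"]


def missing_coverage(rules_text, files=ACCOUNT_FILES, arches=ARCHES):
    """Return sorted (arch, syscall, path) triples that no rule in rules_text audits."""
    rules = [r for r in map(parse_syscall_rule, rules_text.splitlines()) if r]
    return sorted(
        (arch, syscall, path)
        for path in files
        for arch in arches
        for syscall in FLAGS_ARG
        if not any(covers(r, arch, syscall, path) for r in rules)
    )


# Constructed sample rule set (not from a real host). The grouped b32 rule
# tests a2, so it is credited for openat and open_by_handle_at but not for
# open, which the second line covers with a1. On b64 only open is audited:
# the openat line tests a1, the wrong argument for that syscall.
SAMPLE_RULES = """\
## write-opens of /etc/shadow
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify
-a always,exit -F arch=b64 -S openat -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify
-w /var/log/btmp -p wa -k session
"""

if __name__ == "__main__":
    import glob
    paths = sorted(glob.glob("/etc/audit/rules.d/*.rules"))
    if paths:  # live augenrules input
        text, files = "".join(open(p).read() for p in paths), ACCOUNT_FILES
    else:  # no auditd here: run against the constructed sample
        text, files = SAMPLE_RULES, ("/etc/shadow",)
    for arch, syscall, path in missing_coverage(text, files):
        print("no write-open audit rule for %s via %s on %s" % (path, syscall, arch))
```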
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/group.*"
    GROUP="modify"
    FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
    # fix_audit_syscall_rule is defined in the scap-security-guide shared remediation
    # function library, not in this snippet.
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit openat tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: .*openat(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/group.*
    patterns: '*.rules'
  register: find_openat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/modify.rules
  when:
    - find_openat.matched is defined and find_openat.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_openat.files | map(attribute=''path'') | list | first }}'
  when:
    - find_openat.matched is defined and find_openat.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_etc_group_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=[\S]+
  with_items:
    - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Make the auditd Configuration Immutable
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
In either case the line must be the last rule loaded: once the kernel has processed -e 2, every later rule is refused. With augenrules, confirm in the generated /etc/audit/audit.rules (after augenrules --load) that the line ended up last; then check with auditctl -l that the rules you expect are present and with auditctl -s that it reports enabled 2. With this setting, a reboot will be required to change any audit rules.
References:
  CIS: 4.1.18
  CIS Controls: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
  CJIS: 5.4.1.1
  COBIT 5: APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.3.1, 3.4.3
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e)
  ISA 62443-2-1 (2009): 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA 62443-3-3 (2013): SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
  ISO/IEC 27001:2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
  NIST 800-53: AC-6(9), CM-6(a)
  NIST CSF: DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
  PCI DSS: Req-10.5.2
Rationale: Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.
Identifier: CCE-27097-5
# Traverse all of:
#
# /etc/audit/audit.rules, (for auditctl case)
# /etc/audit/rules.d/*.rules (for augenrules case)
#
# files to check if an '-e ...' control line is already present in that '*.rules' file.
# If found, delete such occurrence since the auditctl(8) manual page instructs that the
# '-e 2' rule should be placed as the last rule in the configuration. The pattern is
# anchored to the start of the line so that a rule whose text merely contains "-e " is kept.
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/^[[:space:]]*-e[[:space:]]\+/d' {} ';'
# Append '-e 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
# * /etc/audit/rules.d/immutable.rules (for augenrules case)
# With augenrules the rules.d files are merged into audit.rules, so confirm after
# 'augenrules --load' that '-e 2' is the last line of the generated file.
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
echo '' >> "$AUDIT_FILE"
echo '# Set the audit.rules configuration immutable per security requirements' >> "$AUDIT_FILE"
echo '# Reboot is required to change audit rules once this setting is applied' >> "$AUDIT_FILE"
echo '-e 2' >> "$AUDIT_FILE"
done
Record Events that Modify User/Group Information via open syscall - /etc/group
The audit system should collect write events to the /etc/group file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
On a 64-bit system, also add the b64 form of the rule so that both syscall ABIs are covered:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
Note that these rules can be configured in a number of ways while still achieving the desired effect. Grouping system calls that belong to the same event is more efficient, but open(2) takes its flags in a1 while openat(2) and open_by_handle_at(2) take theirs in a2, so the open rule cannot share an a1&03 filter with them and is kept on its own. This is why the example below reads the same as the b32 rule above:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
References:
  NIST 800-53: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
  OSPP: FAU_GEN.1.1.c
Rationale: Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule.
# fix_audit_syscall_rule is a helper from the shared remediation function
# library that ships with scap-security-guide; it is not defined on this page.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/group.*"
GROUP="modify"
FULL_RULE="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit open tasks
set_fact:
# b32/b64 is taken from the last two digits of ansible_architecture (x86_64,
# aarch64); a name that does not end in two digits (e.g. ppc64le, s390x) is
# left unchanged by regex_replace, so the b64 tasks below are then skipped.
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: .*open(,[\S]+)?[\s]+-F[\s]+a1&03[\s]+-F[\s]+path=/etc/group.*
patterns: '*.rules'
register: find_open
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/modify.rules
when:
- find_open.matched is defined and find_open.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_open.files | map(attribute=''path'') | list | first }}'
when:
- find_open.matched is defined and find_open.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_group_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Events that Modify User/Group Information - /etc/shadow
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account information:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture events that modify account information:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
A -p wa watch fires on writes and on attribute changes (ownership, mode, timestamps) regardless of which system call performs them, and it records every user including root: unlike the syscall rules on this page it carries no auid filter.
References:
  CIS: 5.2.5
  CIS Controls: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
  CJIS: 5.4.1.1
  COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
  NIST 800-171: 3.1.7
  DISA CCI: CCI-000018, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132
  HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  ISA 62443-2-1 (2009): 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA 62443-3-3 (2013): SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
  ISO/IEC 27001:2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
  NIST 800-53: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
  NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
  OSPP: FAU_GEN.1.1.c
  PCI DSS: Req-10.2.5
  DISA OS SRG: SRG-OS-000004-GPOS-00004
  DISA STIG: RHEL-07-030873, SV-87823r4_rule
  DISA VMM SRG: SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960
Rationale: In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Identifier: CCE-80431-0
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
# fix_audit_watch_rule is a helper from the shared remediation function
# library that ships with scap-security-guide; it is not defined on this page.
fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
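For the Make the auditd Configuration Immutable rule above and the /etc/shadow watch rule here, what a practitioner wants to verify is the loaded ruleset rather than the rules.d fragments: that the watch carries at least the w and a permissions and the expected key, and that -e 2 is the last active line, since the kernel refuses every rule that follows it. The following Python checker is an added example, not code from the guide or from scap-security-guide. It reads the text of /etc/audit/audit.rules (the file auditctl loads directly, or the one augenrules generates from rules.d) and is run here on two constructed rulesets.

```python
"""Check a loaded ruleset (the text of /etc/audit/audit.rules, whether written
by hand for auditctl or generated by augenrules from rules.d) for two
properties asked for on this page: the /etc/shadow watch is present with the
required permissions and key, and '-e 2' is the final active line.  Added
example, not part of the guide or of scap-security-guide; the rulesets below
are constructed."""
import re

_E2 = re.compile(r"^-e\s+2$")


def active_lines(text):
    """(line number, line) for every line that is neither blank nor a comment."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            out.append((n, line))
    return out


def parse_watch(line):
    """'-w PATH -p PERMS -k KEY' (or '-F key=KEY') -> (path, perms, key), else None."""
    tokens = line.split()
    if not tokens or tokens[0] != "-w":
        return None
    path, perms, key = None, set(), None
    i = 0
    while i < len(tokens):
        tok, arg = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "-w":
            path = arg
        elif tok == "-p":
            perms = set(arg)
        elif tok == "-k":
            key = arg
        elif tok == "-F" and arg.startswith("key="):
            key = arg[len("key="):]
        else:
            i += 1
            continue
        i += 2
    return path, perms, key


def check_ruleset(text, watch_path="/etc/shadow", perms="wa",
                  key="audit_rules_usergroup_modification"):
    """Return a list of findings; an empty list means the ruleset passes."""
    findings = []
    lines = active_lines(text)

    # 1. The watch rule, with at least the required permissions and the expected key.
    satisfied = False
    for n, line in lines:
        watch = parse_watch(line)
        if watch and watch[0] == watch_path:
            if set(perms) <= watch[1] and watch[2] == key:
                satisfied = True
            else:
                findings.append(f"line {n}: watch on {watch_path} lacks "
                                f"permissions {perms!r} or key {key!r}")
    if not satisfied:
        findings.append(f"missing rule: -w {watch_path} -p {perms} -k {key}")

    # 2. Immutability: '-e 2' must exist and nothing may follow it, because the
    #    kernel rejects rule changes once it has entered immutable mode.
    e2_lines = [n for n, line in lines if _E2.match(line)]
    if not e2_lines:
        findings.append("missing '-e 2': the ruleset can be changed at runtime")
    else:
        trailing = [n for n, _ in lines if n > e2_lines[0]]
        if trailing:
            findings.append(f"line {e2_lines[0]}: '-e 2' is followed by "
                            f"{len(trailing)} active line(s) that the kernel will refuse")
    return findings


# Constructed examples of what augenrules might generate from rules.d.
GOOD_RULESET = """\
## constructed: generated from /etc/audit/rules.d
-D
-b 8192
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
-e 2
"""

BAD_RULESET = """\
## constructed: '-e 2' landed before the other rules and the watch is incomplete
-D
-e 2
-w /etc/shadow -p w -k audit_rules_usergroup_modification
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(name, check_ruleset(text) or "OK")
```

Run it on the live file with check_ruleset(open("/etc/audit/audit.rules").read()); an empty list is a pass. Because it inspects the file rather than the kernel, pair it with auditctl -s after a reboot: enabled 2 there confirms the configuration is actually locked.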
- name: Set architecture for audit shadow tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_usergroup_modification_shadow
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80431-0
- PCI-DSS-Req-10.2.5
- DISA-STIG-RHEL-07-030873
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other user/group modification audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -k audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_shadow
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_usergroup_modification_shadow
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80431-0
- PCI-DSS-Req-10.2.5
- DISA-STIG-RHEL-07-030873
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules
as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_shadow.matched is defined and find_shadow.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_usergroup_modification_shadow
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80431-0
- PCI-DSS-Req-10.2.5
- DISA-STIG-RHEL-07-030873
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_shadow.files | map(attribute=''path'') | list | first }}'
when:
- find_shadow.matched is defined and find_shadow.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_usergroup_modification_shadow
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80431-0
- PCI-DSS-Req-10.2.5
- DISA-STIG-RHEL-07-030873
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the shadow rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_usergroup_modification_shadow
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80431-0
- PCI-DSS-Req-10.2.5
- DISA-STIG-RHEL-07-030873
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the shadow rule in /etc/audit/audit.rules
lineinfile:
line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_usergroup_modification_shadow
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80431-0
- PCI-DSS-Req-10.2.5
- DISA-STIG-RHEL-07-030873
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Record Events that Modify User/Group Information via openat syscall - /etc/passwd
The audit system should collect write events to the /etc/passwd file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
On a 64-bit system, also add the b64 form of the rule so that both syscall ABIs are covered:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the openat rule stands on its own. Grouping system calls that belong to the same event is more efficient, provided they take the open flags in the same argument position: openat(2) and open_by_handle_at(2) both carry the flags in a2, so they can share the a2&03 test, as in the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
References:
  NIST 800-53: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
  OSPP: FAU_GEN.1.1.c
Rationale: Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule.
# fix_audit_syscall_rule is a helper from the shared remediation function
# library that ships with scap-security-guide; it is not defined on this page.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/passwd.*"
GROUP="modify"
FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit openat tasks
set_fact:
# b32/b64 is taken from the last two digits of ansible_architecture (x86_64,
# aarch64); a name that does not end in two digits (e.g. ppc64le, s390x) is
# left unchanged by regex_replace, so the b64 tasks below are then skipped.
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: .*openat(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/passwd.*
patterns: '*.rules'
register: find_openat
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/modify.rules
when:
- find_openat.matched is defined and find_openat.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_openat.files | map(attribute=''path'') | list | first }}'
when:
- find_openat.matched is defined and find_openat.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_passwd_openat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Events that Modify User/Group Information via open syscall - /etc/shadow
The audit system should collect write events to the /etc/shadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
On a 64-bit system, also add the b64 form of the rule so that both syscall ABIs are covered:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
Note that these rules can be configured in a number of ways while still achieving the desired effect. Grouping system calls that belong to the same event is more efficient, but only system calls that take the open flags in the same argument position can share one filter: open(2) carries its flags in a1, whereas openat(2) and open_by_handle_at(2) carry theirs in a2. The open rule above therefore keeps its own a1&03 test and must not be grouped with the openat family under it; the openat family can be grouped among themselves, as in the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
The key is only a label for searching the log (for example with ausearch -k). The remediation scripts for this rule on this page tag the event with key=modify rather than user-modify, so search for whichever key you actually configured.
References:
  NIST 800-53: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
  OSPP: FAU_GEN.1.1.c
Rationale: Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# First perform the remediation of the syscall rule.
# fix_audit_syscall_rule is a helper from the shared remediation function
# library that ships with scap-security-guide; it is not defined on this page.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/shadow.*"
GROUP="modify"
FULL_RULE="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit open tasks
set_fact:
# b32/b64 is taken from the last two digits of ansible_architecture (x86_64,
# aarch64); a name that does not end in two digits (e.g. ppc64le, s390x) is
# left unchanged by regex_replace, so the b64 tasks below are then skipped.
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_shadow_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: .*open(,[\S]+)?[\s]+-F[\s]+a1&03[\s]+-F[\s]+path=/etc/shadow.*
patterns: '*.rules'
register: find_open
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_shadow_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/modify.rules
when:
- find_open.matched is defined and find_open.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_shadow_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_open.files | map(attribute=''path'') | list | first }}'
when:
- find_open.matched is defined and find_open.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_shadow_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_shadow_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_shadow_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000
-F auid!=unset -F key=modify
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_shadow_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000
-F auid!=unset -F key=[\S]+
with_items:
- -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000
-F auid!=unset -F key=modify
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_etc_shadow_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Access Events to Audit Log Directory

The audit system should collect read access events for the audit log directory.
The following audit rule ensures that accesses to the audit log directory are
collected:
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rule to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rule to the
/etc/audit/audit.rules file.

References: NIST 800-53 AU-2(d), AU-12(c), AC-6(9), CM-6(a); OSPP FAU_GEN.1.1.c

Rationale: Attempts to read the logs should be recorded; suspicious access to audit log files could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-82071-2

Remediation Shell script:
# fix_audit_syscall_rule is provided by the guide's shared bash remediation
# functions (not defined here). A directory rule carries no architecture,
# so ARCH is passed empty; PATTERN matches the dir= form used by the rule.
ARCH=""
PATTERN="-a always,exit -F dir=/var/log/audit/\\s\\+.*"
GROUP="access-audit-trail"
FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*dir=/var/log/audit/.*$
    patterns: '*.rules'
  register: find_var_log_audit
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - directory_access_var_log_audit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82071-2
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access-audit-trail.rules
  when:
    - find_var_log_audit.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - directory_access_var_log_audit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82071-2
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}'
  when:
    - find_var_log_audit.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - directory_access_var_log_audit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82071-2
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the /var/log/audit/ rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - directory_access_var_log_audit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82071-2
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the /var/log/audit/ rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - directory_access_var_log_audit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82071-2
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on Exporting to Media (successful)

At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

References: CIS 5.2.13; CIS-CSC 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; CJIS 5.4.1.1; COBIT5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; DISA CCI-000135, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53 AU-2(d), AU-12(c), AC-6(9), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; PCI-DSS Req-10.2.7; OS SRG SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172; STIG ID RHEL-07-030740; STIG ref SV-86795r7_rule

Rationale: The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss.

Identifiers: CCE-27447-2

Remediation Shell script:
# Perform the remediation of the syscall rule
# (fix_audit_syscall_rule comes from the guide's shared bash remediation functions)
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=unset -k *"
  GROUP="mount"
  FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=1000 -F auid!=unset -k export"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Record Events that Modify User/Group Information - /etc/security/opasswd

If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture account modification
events:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
/etc/audit/audit.rules file, in order to capture account modification
events:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

References: CIS 5.2.5; CIS-CSC 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9; CJIS 5.4.1.1; COBIT5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; DISA CCI-000018, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST 800-53 AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI-DSS Req-10.2.5; OS SRG SRG-OS-000003-GPOS-00004; STIG ID RHEL-07-030874; STIG ref SV-87825r5_rule; VMM SRG SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960

Rationale: In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.

Identifiers: CCE-80430-2

Remediation Shell script:
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_watch_rule comes from the guide's shared bash remediation functions)
fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
Remediation Ansible snippet:
- name: Set architecture for audit opasswd tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80430-2
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030874
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -k audit_rules_usergroup_modification$
    patterns: '*.rules'
  register: find_opasswd
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80430-2
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030874
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_opasswd.matched is defined and find_opasswd.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80430-2
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030874
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_opasswd.files | map(attribute=''path'') | list | first }}'
  when:
    - find_opasswd.matched is defined and find_opasswd.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80430-2
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030874
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the opasswd rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80430-2
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030874
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the opasswd rule in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_opasswd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80430-2
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030874
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
System Audit Logs Must Be Owned By Root

All audit logs must be owned by the root user and group. By default, the audit log path is /var/log/audit/.
To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*

References: CIS-CSC 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT5 APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01; NIST 800-171 3.3.1; DISA CCI-000163; ISA-62443-2009 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1; ISO 27001-2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 CM-6(a), AC-6(1), AU-9(4); NIST CSF DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4; PCI-DSS Req-10.5.1; OS SRG SRG-OS-000058-GPOS-00028

Rationale: Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality.

Identifiers: CCE-80125-8

Remediation Shell script:
# The group owner follows log_group in auditd.conf; it is root when log_group is not set.
if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
  if ! [ "${GROUP}" == 'root' ] ; then
    chown root:"${GROUP}" /var/log/audit
    chown root:"${GROUP}" /var/log/audit/audit.log*
  else
    chown root:root /var/log/audit
    chown root:root /var/log/audit/audit.log*
  fi
else
  chown root:root /var/log/audit
  chown root:root /var/log/audit/audit.log*
fi
Record Events that Modify the System's Mandatory Access Controls

If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy

References: CIS 5.2.7; CIS-CSC 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; CJIS 5.4.1.1; COBIT5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.8; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53 AU-2(d), AU-12(c), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI-DSS Req-10.5.5

Rationale: The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited.

Identifiers: CCE-27168-4

Remediation Shell script:
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_watch_rule comes from the guide's shared bash remediation functions)
fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"
fix_audit_watch_rule "augenrules" "/etc/selinux/" "wa" "MAC-policy"
Shutdown System When Auditing Failures Occur

If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-f 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
top of the /etc/audit/audit.rules file:
-f 2

References: CIS-CSC 1, 14, 15, 16, 3, 5, 6; COBIT5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01; NIST 800-171 3.3.1, 3.3.4; DISA CCI-000139, CCI-000140; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1; NIST 800-53 AU-5(b), SC-24, CM-6(a); NIST CSF PR.PT-1; OS SRG SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023; STIG ID RHEL-07-030010; STIG ref SV-86705r4_rule; VMM SRG SRG-OS-000047-VMM-000220

Rationale: It is critical for the appropriate personnel to be aware if a system
is at risk of failing to process audit logs as required. Without this
notification, the security personnel may be unaware of an impending failure of
the audit capability, and system operation may be adversely affected.
Audit processing failures include software/hardware errors, failures in the
audit capturing mechanisms, and audit storage capacity being reached or
exceeded.

Identifiers: CCE-80997-0

Remediation Shell script:
# Traverse all of:
#
# /etc/audit/audit.rules, (for auditctl case)
# /etc/audit/rules.d/*.rules (for augenrules case)
#
# files to check if a '-f .*' setting is present in that '*.rules' file already.
# If found, delete such occurrences, since the auditctl(8) manual page instructs
# that the '-f 2' rule should be placed as the last rule in the configuration.
# The pattern must match '-f' lines only: matching '-e' instead would strip the
# immutable-configuration flag that a separate rule sets.
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/^-f[[:space:]]\+.*/d' {} ';'
# Append '-f 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
# * /etc/audit/rules.d/immutable.rules (for augenrules case)
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
  echo '' >> "$AUDIT_FILE"
  echo '# Set the audit.rules configuration to halt system upon audit failure per security requirements' >> "$AUDIT_FILE"
  echo '-f 2' >> "$AUDIT_FILE"
done
System Audit Logs Must Have Mode 0640 or Less Permissive

If log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file
Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file

References: CIS-CSC 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8; CJIS 5.4.1.1; COBIT5 APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01; NIST 800-171 3.3.1; ISA-62443-2009 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1; ISO 27001-2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 CM-6(a), AC-6(1), AU-9(4); NIST CSF DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4; PCI-DSS Req-10.5

Rationale: If users can write to audit logs, audit trails can be modified or destroyed.

Identifiers: CCE-27205-4

Remediation Shell script:
# Current log gets 0640/0600 and rotated logs 0440/0400, depending on whether
# log_group in auditd.conf names a group other than root.
if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
  if ! [ "${GROUP}" == 'root' ] ; then
    chmod 0640 /var/log/audit/audit.log
    chmod 0440 /var/log/audit/audit.log.*
  else
    chmod 0600 /var/log/audit/audit.log
    chmod 0400 /var/log/audit/audit.log.*
  fi
  chmod 0640 /etc/audit/audit*
  chmod 0640 /etc/audit/rules.d/*
else
  chmod 0600 /var/log/audit/audit.log
  chmod 0400 /var/log/audit/audit.log.*
  chmod 0640 /etc/audit/audit*
  chmod 0640 /etc/audit/rules.d/*
fi
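As an added example (not code from the SCAP Security Guide), the following Python check applies the decision logic of this rule and of "System Audit Logs Must Be Owned By Root" above to a file listing: the expected group and the maximum permitted mode both follow log_group in /etc/audit/auditd.conf, and "less permissive" is tested bit by bit. The auditd.conf text and the file listing are constructed sample input.

```python
"""Check owner, group and mode of audit log files against the two rules above.

Added example, not code from the SCAP Security Guide. When log_group in
/etc/audit/auditd.conf names a group other than root, the logs are owned
root:<log_group> and may be at most 0640 (0440 once rotated); otherwise they
are owned root:root and may be at most 0600 (0400 once rotated).
"""
import re


def log_group(auditd_conf):
    """Group named by log_group in auditd.conf; root when the setting is absent."""
    for line in auditd_conf.splitlines():
        m = re.match(r"^\s*log_group\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return "root"


def max_mode(filename, group):
    """Most permissive mode the rule allows for one log file under the given log group."""
    rotated = filename != "audit.log"          # audit.log.1, audit.log.2, ...
    if group != "root":
        return 0o440 if rotated else 0o640
    return 0o400 if rotated else 0o600


def check_audit_logs(auditd_conf, listing):
    """listing: (path, owner, group, mode) tuples as os.stat would report them.

    Returns (path, problem) findings; an empty list means both rules hold.
    A mode is acceptable only if every permission bit it sets is also set
    in the allowed mode, which is what "or less permissive" means.
    """
    want_group = log_group(auditd_conf)
    findings = []
    for path, owner, group, mode in listing:
        name = path.rsplit("/", 1)[-1]
        if owner != "root":
            findings.append((path, "owner is %s, expected root" % owner))
        if group != want_group:
            findings.append((path, "group is %s, expected %s" % (group, want_group)))
        allowed = max_mode(name, want_group)
        perm_bits = mode & 0o7777
        if perm_bits & ~allowed:
            findings.append((path, "mode %04o exceeds %04o" % (perm_bits, allowed)))
    return findings


# Constructed sample input: a non-root log group, one compliant file,
# one rotated file left at 0640, and one file with the wrong owner and group.
SAMPLE_CONF = "log_file = /var/log/audit/audit.log\nlog_group = auditors\n"
SAMPLE_LISTING = [
    ("/var/log/audit/audit.log", "root", "auditors", 0o640),
    ("/var/log/audit/audit.log.1", "root", "auditors", 0o640),
    ("/var/log/audit/audit.log.2", "auditd", "root", 0o400),
]

if __name__ == "__main__":
    for path, problem in check_audit_logs(SAMPLE_CONF, SAMPLE_LISTING):
        print(path, "-", problem)
```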
Record Events that Modify User/Group Information - /etc/gshadow

If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture account modification
events:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to the
/etc/audit/audit.rules file, in order to capture account modification
events:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

References: CIS 5.2.5; CIS-CSC 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9; CJIS 5.4.1.1; COBIT5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; DISA CCI-000018, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST 800-53 AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI-DSS Req-10.2.5; OS SRG SRG-OS-000004-GPOS-00004; STIG ID RHEL-07-030872; STIG ref SV-87819r4_rule; VMM SRG SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960

Rationale: In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.

Identifiers: CCE-80432-8

Remediation Shell script:
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_watch_rule comes from the guide's shared bash remediation functions)
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
Remediation Ansible snippet:
- name: Set architecture for audit gshadow tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80432-8
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030872
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -k audit_rules_usergroup_modification$
    patterns: '*.rules'
  register: find_gshadow
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80432-8
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030872
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_gshadow.matched is defined and find_gshadow.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80432-8
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030872
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_gshadow.files | map(attribute=''path'') | list | first }}'
  when:
    - find_gshadow.matched is defined and find_gshadow.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80432-8
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030872
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the gshadow rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80432-8
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030872
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the gshadow rule in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_usergroup_modification_gshadow
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80432-8
    - PCI-DSS-Req-10.2.5
    - DISA-STIG-RHEL-07-030872
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
Record Events that Modify User/Group Information via open syscall - /etc/gshadow

The audit system should collect write events to the /etc/gshadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

References: NIST 800-53 AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a); OSPP FAU_GEN.1.1.c

Rationale: Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.

Remediation Shell script:
# First perform the remediation of the syscall rule
# (fix_audit_syscall_rule comes from the guide's shared bash remediation functions)
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/gshadow.*"
  GROUP="modify"
  FULL_RULE="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
# Ansible remediation snippet
- name: Set architecture for audit open tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_gshadow_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: .*open(,[\S]+)?[\s]+-F[\s]+a1&03[\s]+-F[\s]+path=/etc/gshadow.*
    patterns: '*.rules'
  register: find_open
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_gshadow_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/modify.rules
  when:
  - find_open.matched is defined and find_open.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_gshadow_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_open.files | map(attribute=''path'') | list | first }}'
  when:
  - find_open.matched is defined and find_open.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_gshadow_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000
      -F auid!=unset -F key=[\S]+
  with_items:
  - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000
    -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_gshadow_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000
      -F auid!=unset -F key=[\S]+
  with_items:
  - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000
    -F auid!=unset -F key=modify
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_gshadow_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000
      -F auid!=unset -F key=[\S]+
  with_items:
  - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000
    -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_gshadow_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000
      -F auid!=unset -F key=[\S]+
  with_items:
  - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000
    -F auid!=unset -F key=modify
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_gshadow_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Record Events that Modify User/Group Information via openat syscall - /etc/shadow
The audit system should collect write events to the /etc/shadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
References: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c
Rationale: Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
# Bash remediation snippet. fix_audit_syscall_rule is a helper from the
# scap-security-guide shared bash remediation functions and must be sourced
# before this snippet runs; it is not defined here.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
	# Pattern matching any existing variant of the rule (whatever its key),
	# the rules.d file group to use when none exists, and the exact line wanted
	PATTERN="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/shadow.*"
	GROUP="modify"
	FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
# Ansible remediation snippet
- name: Set architecture for audit openat tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_shadow_openat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: .*openat(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/shadow.*
    patterns: '*.rules'
  register: find_openat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_shadow_openat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/modify.rules
  when:
  - find_openat.matched is defined and find_openat.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_shadow_openat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_openat.files | map(attribute=''path'') | list | first }}'
  when:
  - find_openat.matched is defined and find_openat.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_shadow_openat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000
      -F auid!=unset -F key=[\S]+
  with_items:
  - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000
    -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_shadow_openat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
    regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000
      -F auid!=unset -F key=[\S]+
  with_items:
  - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000
    -F auid!=unset -F key=modify
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_shadow_openat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000
      -F auid!=unset -F key=[\S]+
  with_items:
  - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000
    -F auid!=unset -F key=modify
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_shadow_openat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the openat rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
    regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000
      -F auid!=unset -F key=[\S]+
  with_items:
  - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000
    -F auid!=unset -F key=modify
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_etc_shadow_openat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
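The remediation flow used above for both /etc/gshadow (open, flag argument a1) and /etc/shadow (openat, flag argument a2) is the same: look for a .rules file in /etc/audit/rules.d that already holds a variant of the rule, otherwise fall back to modify.rules, then replace or append the exact line, once per architecture the kernel serves. The following Python script is an added example that walks through that flow offline; it is not scap-security-guide's fix_audit_syscall_rule helper nor its Ansible tasks, and the function names and the in-memory mapping of file name to file text are this example's own assumptions.

```python
"""Idempotent insertion of auditd syscall rules into /etc/audit/rules.d.

Added example: it mirrors the page's remediation flow but works on an
in-memory mapping {file name: file text}, so it can be exercised offline.
The function names are this example's own, not scap-security-guide's.
"""
import os
import re


def rule_archs(long_bit):
    """A 64-bit kernel also serves 32-bit syscalls, so it needs rules for both ABIs."""
    return ["b32"] if long_bit == 32 else ["b32", "b64"]


def ensure_syscall_rule(files, pattern, group, full_rule):
    """Ensure exactly one copy of full_rule exists among the rules.d files.

    files:     {name: text} for the *.rules files in /etc/audit/rules.d
    pattern:   regex matching any existing variant of the rule (any key)
    group:     base name of the file to create when nothing matches ('modify')
    full_rule: the exact line that must be present afterwards
    Returns a new dict; applying it a second time changes nothing.
    """
    regex = re.compile(pattern)
    # 1. Prefer a file that already carries a variant of this rule.
    target = next(
        (name for name in sorted(files)
         if name.endswith(".rules")
         and any(regex.match(l.strip()) for l in files[name].splitlines())),
        None,
    )
    # 2. Otherwise the rule goes to <group>.rules (created if absent).
    if target is None:
        target = f"{group}.rules"
    # 3. Replace the first matching line, drop duplicates, append if none matched.
    new_lines, replaced = [], False
    for line in files.get(target, "").splitlines():
        if regex.match(line.strip()):
            if not replaced:
                new_lines.append(full_rule)
                replaced = True
            continue
        new_lines.append(line)
    if not replaced:
        new_lines.append(full_rule)
    result = dict(files)
    result[target] = "\n".join(new_lines) + "\n"
    return result


def ensure_path_open_rules(files, syscall, flag_arg, path, key="modify", long_bit=64):
    """Apply the page's rule for open (flag_arg='a1') or openat (flag_arg='a2')
    on `path` for every architecture the kernel serves; key doubles as the
    rules.d file group, as in the page's GROUP="modify" / key=modify."""
    for arch in rule_archs(long_bit):
        prefix = f"-a always,exit -F arch={arch} -S {syscall} -F {flag_arg}&03 -F path={path}"
        pattern = re.escape(prefix) + r".*"
        full_rule = f"{prefix} -F auid>=1000 -F auid!=unset -F key={key}"
        files = ensure_syscall_rule(files, pattern, key, full_rule)
    return files


def write_rules_dir(files, rules_dir):
    """Persist the mapping to a real rules.d directory (then `augenrules --load`)."""
    os.makedirs(rules_dir, exist_ok=True)
    for name, text in files.items():
        with open(os.path.join(rules_dir, name), "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    # Constructed starting state: a pre-existing b64 rule carrying another key.
    start = {
        "30-local.rules": "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow "
                          "-F auid>=1000 -F auid!=unset -F key=oldkey\n",
    }
    done = ensure_path_open_rules(start, "open", "a1", "/etc/gshadow")
    done = ensure_path_open_rules(done, "openat", "a2", "/etc/shadow")
    for name, text in sorted(done.items()):
        print(f"== {name}\n{text}", end="")
```

Running the script shows the b64 line in 30-local.rules rewritten with key=modify while the b32 line, for which no file matched, lands in modify.rules; a second run leaves both files unchanged, which is the property the lineinfile tasks above rely on.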
Record Events that Modify User/Group Information - /etc/passwd
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account information:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, in order to capture events that modify
account information:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
References: 5.2.511112131415161819234567895.4.1.1APO10.01APO10.03APO10.04APO10.05APO11.04APO12.06APO13.01BAI03.05BAI08.02DSS01.03DSS01.04DSS02.02DSS02.04DSS02.07DSS03.01DSS03.05DSS05.02DSS05.03DSS05.04DSS05.05DSS05.07DSS06.03MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.1.7CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-001683CCI-001684CCI-001685CCI-001686CCI-002130CCI-002132164.308(a)(1)(ii)(D)164.308(a)(3)(ii)(A)164.308(a)(5)(ii)(C)164.312(a)(2)(i)164.312(b)164.312(d)164.312(e)4.2.3.104.3.2.6.74.3.3.2.24.3.3.3.94.3.3.5.14.3.3.5.24.3.3.5.84.3.3.6.64.3.3.7.24.3.3.7.34.3.3.7.44.3.4.4.74.3.4.5.64.3.4.5.74.3.4.5.84.4.2.14.4.2.24.4.2.4SR 1.1SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.7SR 1.8SR 1.9SR 2.1SR 2.10SR 2.11SR 2.12SR 2.6SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 6.1SR 6.2SR 7.1SR 7.6A.11.2.6A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3A.14.2.7A.15.2.1A.15.2.2A.16.1.4A.16.1.5A.16.1.7A.6.1.2A.6.2.1A.6.2.2A.7.1.1A.9.1.2A.9.2.1A.9.2.2A.9.2.3A.9.2.4A.9.2.6A.9.3.1A.9.4.1A.9.4.2A.9.4.3A.9.4.4A.9.4.5AC-2(4)AU-2(d)AU-12(c)AC-6(9)CM-6(a)DE.AE-3DE.AE-5DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.AC-1PR.AC-3PR.AC-4PR.AC-6PR.PT-1PR.PT-4RS.AN-1RS.AN-4FAU_GEN.1.1.cReq-10.2.5SRG-OS-000004-GPOS-00004SRG-OS-000239-GPOS-00089SRG-OS-000240-GPOS-00090SRG-OS-000241-GPOS-00091SRG-OS-000303-GPOS-00120SRG-OS-000476-GPOS-00221SRG-OS-000274-GPOS-00104SRG-OS-000275-GPOS-00105SRG-OS-000276-GPOS-00106SRG-OS-000277-GPOS-00107RHEL-07-030870SV-86821r5_ruleSRG-OS-000004-VMM-000040SRG-OS-000239-VMM-000810SRG-OS-000240-VMM-000820SRG-OS-000241-VMM-000830SRG-OS-000274-VMM-000960SRG-OS-000275-VMM-000970SRG-OS-000276-VMM-000980SRG-OS-000277-VMM-000990SRG-OS-000303-VMM-001090SRG-OS-000304-VMM-001100SRG-OS-000476-VMM-001960
Rationale: In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
Identifier: CCE-80435-1
# Bash remediation snippet. fix_audit_watch_rule is a helper from the
# scap-security-guide shared bash remediation functions and must be sourced
# before this snippet runs; it is not defined here.
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
# Ansible remediation snippet
- name: Set architecture for audit passwd tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_passwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80435-1
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030870
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -k audit_rules_usergroup_modification$
    patterns: '*.rules'
  register: find_passwd
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_passwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80435-1
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030870
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules
    as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_passwd.matched is defined and find_passwd.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_passwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80435-1
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030870
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_passwd.files | map(attribute=''path'') | list | first }}'
  when:
  - find_passwd.matched is defined and find_passwd.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_passwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80435-1
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030870
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: Inserts/replaces the passwd rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_passwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80435-1
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030870
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: Inserts/replaces the passwd rule in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_passwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80435-1
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030870
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
Record Events that Modify User/Group Information - /etc/group
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, in order to capture events that modify
account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
References: 5.2.511112131415161819234567895.4.1.1APO10.01APO10.03APO10.04APO10.05APO11.04APO12.06APO13.01BAI03.05BAI08.02DSS01.03DSS01.04DSS02.02DSS02.04DSS02.07DSS03.01DSS03.05DSS05.02DSS05.03DSS05.04DSS05.05DSS05.07DSS06.03MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.1.7CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-001683CCI-001684CCI-001685CCI-001686CCI-002130CCI-002132164.308(a)(1)(ii)(D)164.308(a)(3)(ii)(A)164.308(a)(5)(ii)(C)164.312(a)(2)(i)164.312(b)164.312(d)164.312(e)4.2.3.104.3.2.6.74.3.3.2.24.3.3.3.94.3.3.5.14.3.3.5.24.3.3.5.84.3.3.6.64.3.3.7.24.3.3.7.34.3.3.7.44.3.4.4.74.3.4.5.64.3.4.5.74.3.4.5.84.4.2.14.4.2.24.4.2.4SR 1.1SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.7SR 1.8SR 1.9SR 2.1SR 2.10SR 2.11SR 2.12SR 2.6SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 6.1SR 6.2SR 7.1SR 7.6A.11.2.6A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3A.14.2.7A.15.2.1A.15.2.2A.16.1.4A.16.1.5A.16.1.7A.6.1.2A.6.2.1A.6.2.2A.7.1.1A.9.1.2A.9.2.1A.9.2.2A.9.2.3A.9.2.4A.9.2.6A.9.3.1A.9.4.1A.9.4.2A.9.4.3A.9.4.4A.9.4.5AC-2(4)AU-2(d)AU-12(c)AC-6(9)CM-6(a)DE.AE-3DE.AE-5DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.AC-1PR.AC-3PR.AC-4PR.AC-6PR.PT-1PR.PT-4RS.AN-1RS.AN-4FAU_GEN.1.1.cReq-10.2.5SRG-OS-000004-GPOS-00004RHEL-07-030871SV-87817r3_ruleSRG-OS-000004-VMM-000040SRG-OS-000239-VMM-000810SRG-OS-000240-VMM-000820SRG-OS-000241-VMM-000830SRG-OS-000274-VMM-000960SRG-OS-000275-VMM-000970SRG-OS-000276-VMM-000980SRG-OS-000277-VMM-000990SRG-OS-000303-VMM-001090SRG-OS-000304-VMM-001100SRG-OS-000476-VMM-001960
Rationale: In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
Identifier: CCE-80433-6
# Bash remediation snippet. fix_audit_watch_rule is a helper from the
# scap-security-guide shared bash remediation functions and must be sourced
# before this snippet runs; it is not defined here.
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification"
# Ansible remediation snippet
- name: Set architecture for audit group tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_group
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80433-6
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030871
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -k audit_rules_usergroup_modification$
    patterns: '*.rules'
  register: find_group
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_group
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80433-6
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030871
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules
    as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_group.matched is defined and find_group.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_group
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80433-6
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030871
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_group.files | map(attribute=''path'') | list | first }}'
  when:
  - find_group.matched is defined and find_group.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_group
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80433-6
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030871
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: Inserts/replaces the group rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/group -p wa -k audit_rules_usergroup_modification
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_group
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80433-6
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030871
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
- name: Inserts/replaces the group rule in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/group -p wa -k audit_rules_usergroup_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_usergroup_modification_group
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80433-6
  - PCI-DSS-Req-10.2.5
  - DISA-STIG-RHEL-07-030871
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
  - CJIS-5.4.1.1
Record Information on Kernel Modules Loading and Unloading
To capture kernel module loading and unloading events, use the following line, setting ARCH to
b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
Where to add the lines depends on how the auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the lines to the file /etc/audit/audit.rules.
Ensure auditd Collects Information on Kernel Module Loading and Unloading
To capture kernel module loading and unloading events, use the following line, setting ARCH to
b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
Where to add the lines depends on how the auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the lines to the file /etc/audit/audit.rules.
References: 5.2.17111121314151619234567895.4.1.1APO10.01APO10.03APO10.04APO10.05APO11.04APO12.06APO13.01BAI03.05BAI08.02DSS01.03DSS01.04DSS02.02DSS02.04DSS02.07DSS03.01DSS03.05DSS05.02DSS05.03DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.1.7CCI-0001724.2.3.104.3.2.6.74.3.3.3.94.3.3.5.84.3.3.6.64.3.4.4.74.3.4.5.64.3.4.5.74.3.4.5.84.4.2.14.4.2.24.4.2.4SR 1.13SR 2.10SR 2.11SR 2.12SR 2.6SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 6.1SR 6.2SR 7.1SR 7.6A.11.2.6A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3A.14.2.7A.15.2.1A.15.2.2A.16.1.4A.16.1.5A.16.1.7A.6.2.1A.6.2.2AU-2(d)AU-12(c)AC-6(9)CM-6(a)DE.AE-3DE.AE-5DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.AC-3PR.PT-1PR.PT-4RS.AN-1RS.AN-4Req-10.2.7
Rationale: The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
Identifier: CCE-27129-6
# Bash remediation snippet. fix_audit_syscall_rule is a helper from the
# scap-security-guide shared bash remediation functions and must be sourced
# before this snippet runs; it is not defined here.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers do not always line up, so on a
# 64-bit system the 32-bit equivalent of the corresponding rule must be checked
# for as well (see `man 7 audit.rules` for details).
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
	# Rules file group, pattern matching any existing variant of the rule
	# (whether keyed with -F key= or -k), and the exact line wanted
	GROUP="modules"
	PATTERN="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module \(-F key=\|-k \).*"
	FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -S finit_module -k modules"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
References: 5.2.1711112131415161923456789APO10.01APO10.03APO10.04APO10.05APO11.04APO12.06APO13.01BAI03.05BAI08.02DSS01.03DSS01.04DSS02.02DSS02.04DSS02.07DSS03.01DSS03.05DSS05.02DSS05.03DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.1.7CCI-000172164.308(a)(1)(ii)(D)164.308(a)(3)(ii)(A)164.308(a)(5)(ii)(C)164.312(a)(2)(i)164.312(b)164.312(d)164.312(e)4.2.3.104.3.2.6.74.3.3.3.94.3.3.5.84.3.3.6.64.3.4.4.74.3.4.5.64.3.4.5.74.3.4.5.84.4.2.14.4.2.24.4.2.4SR 1.13SR 2.10SR 2.11SR 2.12SR 2.6SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 6.1SR 6.2SR 7.1SR 7.6A.11.2.6A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3A.14.2.7A.15.2.1A.15.2.2A.16.1.4A.16.1.5A.16.1.7A.6.2.1A.6.2.2AU-2(d)AU-12(c)AC-6(9)CM-6(a)DE.AE-3DE.AE-5DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.AC-3PR.PT-1PR.PT-4RS.AN-1RS.AN-4FAU_GEN.1.1.cReq-10.2.7SRG-OS-000471-GPOS-00216SRG-OS-000477-GPOS-00222RHEL-07-030821SV-93707r3_ruleSRG-OS-000477-VMM-001970
Rationale: The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
Identifier: CCE-80547-3
# Bash remediation snippet. fix_audit_syscall_rule is a helper from the
# scap-security-guide shared bash remediation functions and must be sourced
# before this snippet runs; it is not defined here.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers do not always line up, so on a
# 64-bit system the 32-bit equivalent of the corresponding rule must be checked
# for as well (see `man 7 audit.rules` for details).
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
	# Pattern matching any existing variant of the rule (whether keyed with
	# -F key= or -k), the rules file group, and the exact line wanted
	PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*"
	GROUP="modules"
	FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
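Every rule in this group of sections reduces to one question at check time: for each architecture the kernel serves, does some loaded rule cover the required syscall, carry the required -F filters and have a key? That holds for the open/openat rules on /etc/gshadow and /etc/shadow, for the -w watches on /etc/passwd and /etc/group, and for the init_module/finit_module/delete_module rules above, and it is complicated only by the two equivalent spellings the page itself uses: `-S a,b` versus repeated `-S`, and `-k key` versus `-F key=`. The following Python parser and coverage check is an added example, not the guide's OVAL content and not a scap-security-guide tool; the rule lines in SAMPLE_RULES are constructed here, and the function and field names are this example's own.

```python
"""Parse auditd rule lines and report which required rules are missing.

Added example, not scap-security-guide code. SAMPLE_RULES is a constructed
rules.d snippet; the function and field names are this example's own.
"""
from dataclasses import dataclass, field

SAMPLE_RULES = """\
## constructed sample of a rules.d file (not taken from a real host)
-D
-b 8192
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -k user-modify
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F key=modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/group -p w -k audit_rules_usergroup_modification
"""


@dataclass
class AuditRule:
    kind: str                                 # "syscall" for -a, "watch" for -w
    scope: frozenset = frozenset()            # {"always", "exit"} for -a always,exit
    arch: str = ""                            # b32 / b64 / "" when not given
    syscalls: set = field(default_factory=set)
    fields: set = field(default_factory=set)  # other -F tests, e.g. "path=/etc/shadow"
    path: str = ""                            # -w path
    perms: str = ""                           # -p perms
    key: str = ""                             # from -k key or -F key=


def parse_rule(line):
    """Parse one rules line; None for comments and control options (-D, -b, ...)."""
    toks = line.split()
    if not toks or toks[0] not in ("-a", "-w"):
        return None
    rule = AuditRule(kind="syscall" if toks[0] == "-a" else "watch")
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt == "-a":
            rule.scope = frozenset(arg.split(","))   # "always,exit" or "exit,always"
        elif opt == "-w":
            rule.path = arg
        elif opt == "-p":
            rule.perms = arg
        elif opt == "-S":
            rule.syscalls.update(arg.split(","))     # "-S a,b" and "-S a -S b" both work
        elif opt == "-k":
            rule.key = arg
        elif opt == "-F" and arg.startswith("arch="):
            rule.arch = arg[len("arch="):]
        elif opt == "-F" and arg.startswith("key="):
            rule.key = arg[len("key="):]
        elif opt == "-F":
            rule.fields.add(arg)
    return rule


def parse_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def required_archs(long_bit):
    """A 64-bit kernel serves both ABIs, so both rule variants are required."""
    return ["b32"] if long_bit == 32 else ["b32", "b64"]


def missing_syscall_rules(text, syscalls, fields=(), long_bit=64):
    """Return the (arch, syscall) pairs that no always,exit rule covers.

    A rule covers a pair when its arch matches, the syscall is listed (alone
    or grouped), every required -F test is present and the rule has a key.
    """
    rules = parse_rules(text)
    need = set(fields)
    missing = []
    for arch in required_archs(long_bit):
        for sc in syscalls:
            if not any(r.kind == "syscall" and {"always", "exit"} <= r.scope
                       and r.arch == arch and sc in r.syscalls
                       and need <= r.fields and r.key for r in rules):
                missing.append((arch, sc))
    return missing


def missing_watches(text, watches):
    """Return the paths in (path, perms) pairs with no -w rule granting all of perms."""
    rules = parse_rules(text)
    return [path for path, perms in watches
            if not any(r.kind == "watch" and r.path == path
                       and set(perms) <= set(r.perms) and r.key for r in rules)]


if __name__ == "__main__":
    print(missing_syscall_rules(SAMPLE_RULES, ["init_module", "finit_module", "delete_module"]))
    print(missing_syscall_rules(SAMPLE_RULES, ["open"], fields=["a1&03", "path=/etc/gshadow"]))
    print(missing_watches(SAMPLE_RULES, [("/etc/passwd", "wa"), ("/etc/group", "wa")]))
```

On the constructed sample the module check reports only ("b32", "finit_module"), because the b32 line lists init_module and delete_module but not finit_module; the gshadow check reports both architectures, since the grouped b64 line filters on a2 and /etc/shadow rather than a1 and /etc/gshadow; and the watch check flags /etc/group, whose -p w lacks the attribute-change permission. To run it against a live host, feed it the output of `auditctl -l`, which prints the loaded rules in the same syntax.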
- name: Set architecture for audit finit_module tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80547-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*finit_module.*$
    patterns: '*.rules'
  register: find_finit_module
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80547-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_finit_module.matched is defined and find_finit_module.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80547-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_finit_module.files | map(attribute=''path'') | list | first }}'
  when:
    - find_finit_module.matched is defined and find_finit_module.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80547-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the finit_module rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S finit_module -k module-change
    state: present
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80547-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the finit_module rule in rules.d on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S finit_module -k module-change
    state: present
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80547-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the finit_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F arch=b32 -S finit_module -k module-change
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80547-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the finit_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F arch=b64 -S finit_module -k module-change
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_finit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80547-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030821
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on Kernel Module Loading - init_module
To capture kernel module loading events, use the following line, setting ARCH to
b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to the file /etc/audit/audit.rules.
References: 5.2.17, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-07-030820, SV-86811r5_rule, SRG-OS-000477-VMM-001970
Rationale: The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
Identifiers: CCE-80414-6
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers do not always line up =>
# on a 64-bit system it is required to also check for the presence
# of the 32-bit equivalent of the corresponding rule.
# (See `man 7 audit.rules` for details)
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*"
    GROUP="modules"
    FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the guide's shared bash remediation functions,
    # not defined in this snippet)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit init_module tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_init
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80414-6
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030820
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*init_module.*$
    patterns: '*.rules'
  register: find_init_module
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_init
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80414-6
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030820
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_init_module.matched is defined and find_init_module.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_init
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80414-6
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030820
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_init_module.files | map(attribute=''path'') | list | first }}'
  when:
    - find_init_module.matched is defined and find_init_module.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_init
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80414-6
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030820
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the init_module rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S init_module -k module-change
    state: present
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_init
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80414-6
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030820
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the init_module rule in rules.d on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S init_module -k module-change
    state: present
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_init
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80414-6
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030820
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the init_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F arch=b32 -S init_module -k module-change
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_init
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80414-6
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030820
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the init_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F arch=b64 -S init_module -k module-change
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_init
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80414-6
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030820
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
To capture kernel module unloading events, use the following line, setting ARCH to
b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to the file /etc/audit/audit.rules.
References: 5.2.17, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-07-030830, SV-86813r5_rule, SRG-OS-000477-VMM-001970
Rationale: The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
Identifiers: CCE-80415-3
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers do not always line up =>
# on a 64-bit system it is required to also check for the presence
# of the 32-bit equivalent of the corresponding rule.
# (See `man 7 audit.rules` for details)
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*"
    GROUP="modules"
    FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is provided by the guide's shared bash remediation functions,
    # not defined in this snippet)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit delete_module tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80415-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*delete_module.*$
    patterns: '*.rules'
  register: find_delete_module
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80415-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_delete_module.matched is defined and find_delete_module.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80415-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}'
  when:
    - find_delete_module.matched is defined and find_delete_module.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80415-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the delete_module rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S delete_module -k module-change
    state: present
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80415-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the delete_module rule in rules.d on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S delete_module -k module-change
    state: present
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80415-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the delete_module rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F arch=b32 -S delete_module -k module-change
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80415-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the delete_module rule in audit.rules when on x86_64
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F arch=b64 -S delete_module -k module-change
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_kernel_module_loading_delete
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80415-3
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030830
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
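The three rules above (init_module, finit_module and delete_module) each require one rule per architecture the kernel runs, placed where auditd actually loads rules from. The following shell script is an added example, not part of the SCAP Security Guide or its shared remediation functions: it scans either a rules.d directory (augenrules) or a single audit.rules file (auditctl) and reports every missing architecture/syscall combination, accepting either key form (-k or -F key=) and syscalls combined in one comma-separated -S list, which `man 7 audit.rules` allows and which the guide's own check also tolerates. The sample rules directory it builds is constructed for illustration, and the field order it expects is the one the guide's rules use.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): verify that the
# init_module, finit_module and delete_module syscall rules are present
# for every architecture given, reading either a rules.d directory
# (augenrules) or one rules file (auditctl).

# Print "MISSING <arch> <syscall>" for each rule not found in RULES_SRC
# and return 1 if anything is missing, 0 otherwise.
# Any key is accepted (-k foo or -F key=foo) and the syscall may sit in a
# comma-separated -S list. Assumption: fields appear in the order the
# guide shows (-a ... -F arch=... -S ... then the key).
check_module_rules() {
    src=$1; shift
    if [ -d "$src" ]; then
        rules=$(cat "$src"/*.rules 2>/dev/null)
    else
        rules=$(cat "$src")
    fi
    rc=0
    for arch in "$@"; do
        for sc in init_module finit_module delete_module; do
            if ! printf '%s\n' "$rules" | grep -Eq \
                "^-a always,exit -F arch=$arch -S ([^ ]+,)?$sc(,[^ ]+)? .*(-k |-F key=)"; then
                echo "MISSING $arch $sc"
                rc=1
            fi
        done
    done
    return $rc
}

# Architectures to check on this host, decided the same way the guide's
# bash remediation decides them.
host_archs() {
    if [ "$(getconf LONG_BIT)" = "32" ]; then echo b32; else echo "b32 b64"; fi
}

# Constructed sample rules.d directory (not taken from a real system):
# init_module is covered on both architectures, finit_module only on b64,
# delete_module not at all. Prints the directory path.
make_sample_rules_dir() {
    dir=$(mktemp -d)
    cat > "$dir/modules.rules" <<'EOF'
## constructed sample, not a real host's rules
-a always,exit -F arch=b32 -S init_module -F key=modules
-a always,exit -F arch=b64 -S init_module -F key=modules
-a always,exit -F arch=b64 -S finit_module -k module-change
EOF
    echo "$dir"
}

# Usage on a RHEL 7 host where auditd loads rules through augenrules (default):
#   check_module_rules /etc/audit/rules.d $(host_archs)
# or, when auditd is configured to use auditctl:
#   check_module_rules /etc/audit/audit.rules $(host_archs)
```

Running it against the constructed directory reports the b32 finit_module rule and both delete_module rules as missing; against a file that lists all three syscalls on one -S line per architecture it reports nothing and exits 0. Use the exit status in a compliance check and the printed lines to decide which of the rules above still has to be added.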
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Record Attempts to Alter Logon and Logout Events
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Warning: This rule checks for multiple syscalls related to login events;
it was written with DISA STIG in mind. Other policies should use a
separate rule for each syscall that needs to be checked. For example:
audit_rules_login_events_tallylog
audit_rules_login_events_faillock
audit_rules_login_events_lastlog
References: 5.2.8, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.3
Rationale: Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
Identifiers: CCE-27204-7
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/run/faillock" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/run/faillock" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"
Record Attempts to Alter Logon and Logout Events - lastlog
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
References: 5.2.8, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, RHEL-07-030620, SV-86771r3_rule, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900
Rationale: Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
Identifiers: CCE-80384-1
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"
- name: Set architecture for audit lastlog tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_login_events_lastlog
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80384-1
    - PCI-DSS-Req-10.2.3
    - DISA-STIG-RHEL-07-030620
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other user/group modification audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -k logins$
    patterns: '*.rules'
  register: find_lastlog
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_login_events_lastlog
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80384-1
    - PCI-DSS-Req-10.2.3
    - DISA-STIG-RHEL-07-030620
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/logins.rules
  when:
    - find_lastlog.matched is defined and find_lastlog.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_login_events_lastlog
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80384-1
    - PCI-DSS-Req-10.2.3
    - DISA-STIG-RHEL-07-030620
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_lastlog.files | map(attribute=''path'') | list | first }}'
  when:
    - find_lastlog.matched is defined and find_lastlog.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_login_events_lastlog
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80384-1
    - PCI-DSS-Req-10.2.3
    - DISA-STIG-RHEL-07-030620
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the lastlog rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /var/log/lastlog -p wa -k logins
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_login_events_lastlog
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80384-1
    - PCI-DSS-Req-10.2.3
    - DISA-STIG-RHEL-07-030620
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the lastlog rule in /etc/audit/audit.rules
  lineinfile:
    line: -w /var/log/lastlog -p wa -k logins
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_login_events_lastlog
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80384-1
    - PCI-DSS-Req-10.2.3
    - DISA-STIG-RHEL-07-030620
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
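Once the tallylog, faillock and lastlog watch rules above are loaded, every write to those files is recorded under the key logins, including the routine updates made while a login is being processed, so the audit trail needs triage before the manual edits the rationale describes can be found. The following shell script is an added example, not part of the SCAP Security Guide: it joins the SYSCALL and PATH records of each keyed event in an audit log by serial number and separates writes performed inside a user session (a set auid) from those made in a context with no login uid (auid 4294967295, the raw form of the unset value), which is the first split an analyst makes. The audit log lines it parses are constructed samples, not captured from a real host, and their field set is reduced to what the script reads.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): summarise audit events
# produced by the "-w <file> -p wa -k logins" watch rules.

# Print "<serial> auid=<n> exe=<path> path=<file>" for each event in LOGFILE
# whose SYSCALL record carries key="KEY". The SYSCALL record (who did it) and
# the PATH record (which watched file) share the serial in msg=audit(time:serial).
summarise_key_events() {
    logfile=$1
    key=$2
    awk -v key="$key" '
        # value of the first name=value token called NAME, quotes stripped
        function field(name,    i, v) {
            for (i = 1; i <= NF; i++)
                if (index($i, name "=") == 1) {
                    v = substr($i, length(name) + 2)
                    gsub(/"/, "", v)
                    return v
                }
            return ""
        }
        {
            serial = field("msg")             # audit(1617000000.101:301):
            sub(/^audit\([^:]*:/, "", serial) # -> 301):
            sub(/\).*/, "", serial)           # -> 301
        }
        $1 == "type=SYSCALL" && field("key") == key {
            who[serial] = field("auid") " " field("exe")
            order[++n] = serial
        }
        # the PARENT item is the directory; the other item is the watched file
        $1 == "type=PATH" && field("nametype") != "PARENT" {
            path[serial] = field("name")
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                split(who[s], w, " ")
                printf "%s auid=%s exe=%s path=%s\n", s, w[1], w[2], path[s]
            }
        }' "$logfile"
}

# Keep only events from a real login session: auid 4294967295 is the raw
# form of an unset login uid (boot-time or daemon context).
interactive_only() {
    summarise_key_events "$1" "$2" | grep -v ' auid=4294967295 '
}

# Constructed sample audit.log (not from a real host). Event 301: an editor
# run inside user 1000's session writes lastlog; event 302: a daemon context
# with no login uid writes lastlog; event 303: unrelated, different key.
write_sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1617000000.101:301): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="logins"
type=PATH msg=audit(1617000000.101:301): item=0 name="/var/log/" inode=1001 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1617000000.101:301): item=1 name="/var/log/lastlog" inode=1002 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1617000000.202:302): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=3100 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="logins"
type=PATH msg=audit(1617000000.202:302): item=0 name="/var/log/" inode=1001 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1617000000.202:302): item=1 name="/var/log/lastlog" inode=1002 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1617000000.303:303): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2100 pid=2102 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="unrelated"
type=PATH msg=audit(1617000000.303:303): item=0 name="/home/alice/notes.txt" inode=2001 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
EOF
    echo "$f"
}

# Usage on a live host (the same join ausearch does, reduced to one key):
#   interactive_only /var/log/audit/audit.log logins
```

On the constructed log the full summary lists events 301 and 302, while interactive_only keeps only 301, the editor run under auid 1000, which is exactly the kind of write the rule's rationale (manual editing to remove evidence) is meant to surface. Passing modules as the key gives the same triage for the kernel module rules above.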
Record Attempts to Alter Logon and Logout Events - faillock
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
References: 5.2.8, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, RHEL-07-030610, SV-86769r4_rule, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900
Rationale: Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
Identifiers: CCE-80383-3
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/run/faillock" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/run/faillock" "wa" "logins"
- name: Set architecture for audit faillock tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_faillock
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80383-3
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030610
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other user/group modification audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -k logins$
patterns: '*.rules'
register: find_faillock
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_faillock
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80383-3
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030610
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: If no existing login event ruleset is found, use /etc/audit/rules.d/logins.rules
as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/logins.rules
when:
- find_faillock.matched is defined and find_faillock.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_faillock
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80383-3
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030610
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_faillock.files | map(attribute=''path'') | list | first }}'
when:
- find_faillock.matched is defined and find_faillock.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_faillock
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80383-3
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030610
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the faillock watch rule in rules.d (watch rules are architecture independent)
lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/run/faillock -p wa -k logins
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_faillock
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80383-3
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030610
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the faillock rule in /etc/audit/audit.rules
lineinfile:
line: -w /var/run/faillock -p wa -k logins
state: present
dest: /etc/audit/audit.rules
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_faillock
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80383-3
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030610
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Attempts to Alter Logon and Logout Events - tallylog
The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
References: 5.2.8, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, RHEL-07-030600, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900
Rationale: Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
Identifiers: CCE-80994-7
Remediation Shell script:
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"
Remediation Ansible snippet:
- name: Set architecture for audit tallylog tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_tallylog
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80994-7
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030600
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other login event audit rules (key logins)
find:
paths: /etc/audit/rules.d
recurse: false
contains: -k logins$
patterns: '*.rules'
register: find_tallylog
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_tallylog
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80994-7
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030600
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: If no existing login event ruleset is found, use /etc/audit/rules.d/logins.rules
as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/logins.rules
when:
- find_tallylog.matched is defined and find_tallylog.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_tallylog
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80994-7
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030600
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_tallylog.files | map(attribute=''path'') | list | first }}'
when:
- find_tallylog.matched is defined and find_tallylog.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_tallylog
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80994-7
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030600
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the tallylog watch rule in rules.d (watch rules are architecture independent)
lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/tallylog -p wa -k logins
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_tallylog
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80994-7
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030600
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the tallylog rule in /etc/audit/audit.rules
lineinfile:
line: -w /var/log/tallylog -p wa -k logins
state: present
dest: /etc/audit/audit.rules
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_login_events_tallylog
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80994-7
- PCI-DSS-Req-10.2.3
- DISA-STIG-RHEL-07-030600
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
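The faillock and tallylog watch rules above both carry the key logins, and the value of that key is that every record the rules generate can be pulled out of /var/log/audit/audit.log by key and correlated into one event. The following is an added example, not code from the guide or from the scap-security-guide project: it groups raw audit records by event serial the way ausearch does and reports, for a given key, who did what to which path. The log records in SAMPLE_LOG are constructed for the example (x86_64 syscall numbers 263 unlinkat, 164 settimeofday, 90 chmod); the function and variable names are the example's own.

```python
"""Keyed audit-event report (added example, not from the SCAP Security Guide).

Groups raw /var/log/audit/audit.log records by event serial and reports the
events whose SYSCALL record carries a given rule key (the -k / -F key= value)
together with the paths they touched. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# Every record starts with type=<TYPE> msg=audit(<epoch.millis>:<serial>):
# and all records of one event share the same serial.
_HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# field=value pairs; quoted values may contain spaces
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, timestamp, serial, {field: value})."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(body)}
    return rtype, float(ts), int(serial), fields


def group_events(log_text):
    """Return {serial: [(type, fields), ...]} for all records in log_text."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is not None:
            rtype, _ts, serial, fields = parsed
            events[serial].append((rtype, fields))
    return dict(events)


def keyed_events(log_text, key):
    """Summarise each event whose SYSCALL record carries the given key.

    Returns a list, sorted by serial, of tuples
    (serial, auid, comm, exe, syscall number, success, [(path, nametype), ...]).
    PARENT path records (the containing directory) are left out.
    """
    out = []
    for serial, records in sorted(group_events(log_text).items()):
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        paths = [(f.get("name"), f.get("nametype"))
                 for t, f in records
                 if t == "PATH" and f.get("nametype") != "PARENT"]
        out.append((serial, int(syscall.get("auid", -1)), syscall.get("comm"),
                    syscall.get("exe"), int(syscall["syscall"]),
                    syscall.get("success"), paths))
    return out


# Constructed sample: a deletion under /var/run/faillock (key logins), a
# settimeofday call (key audit_time_rules) and an unrelated chmod (key perm_mod).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0c0 a2=0 a3=0 items=2 ppid=2200 pid=2211 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="rm" exe="/usr/bin/rm" key="logins"
type=CWD msg=audit(1700000000.101:501): cwd="/root"
type=PATH msg=audit(1700000000.101:501): item=0 name="/var/run/faillock/" inode=1234 dev=00:15 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/var/run/faillock/alice" inode=1240 dev=00:15 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000000.250:502): arch=c000003e syscall=164 success=yes exit=0 a0=7ffd1a2b3c40 a1=0 a2=0 a3=0 items=0 ppid=2200 pid=2230 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="date" exe="/usr/bin/date" key="audit_time_rules"
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=90 success=yes exit=0 a0=55d0d0 a1=1a4 a2=0 a3=0 items=1 ppid=2200 pid=2240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1700000000.300:503): item=0 name="/home/alice/notes.txt" inode=9001 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for ev in keyed_events(SAMPLE_LOG, "logins"):
        print(ev)
```

Run against a real log, the auid field is the one to alert on: it is the login UID, which survives su and sudo, so a root shell that unlinks a faillock record still reports the user who originally logged in. On a live system the same question is answered by `ausearch -k logins -i`; the parser is useful where audit logs are shipped to a collector without auditd's tooling.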
Records Events that Modify Date and Time Information
Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time. All changes to the system
time should be audited.
Record Attempts to Alter Time Through stime
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
auditd daemon is configured to use the auditctl utility to
read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport; the -F key=
form used in the rules above is equivalent to -k. Multiple system
calls can be defined on the same line to save space if desired, but this is not
required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b
Rationale: Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
Identifiers: CCE-27299-7
Remediation Shell script:
# perform_audit_adjtimex_settimeofday_stime_remediation is a helper from the guide's
# shared remediation function library and is not defined in this snippet; it installs
# the adjtimex, settimeofday and stime rules for both the auditctl and augenrules tools.
perform_audit_adjtimex_settimeofday_stime_remediation
Record attempts to alter time through settimeofday
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but this
is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b
Rationale: Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
Identifiers: CCE-27216-1
Remediation Shell script:
perform_audit_adjtimex_settimeofday_stime_remediation
Record Attempts to Alter the localtime File
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used.
References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b
Rationale: Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
Identifiers: CCE-27310-2
Remediation Shell script:
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
fix_audit_watch_rule "augenrules" "/etc/localtime" "wa" "audit_time_rules"
Record Attempts to Alter Time Through clock_settime
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -F a0=0x0 filter restricts the rule to calls whose first argument is
CLOCK_REALTIME (clock ID 0), so only changes to the wall-clock time are
recorded; calls against other clock IDs are not matched. The -k option allows
for the specification of a key in string form that can be used for better
reporting capability through ausearch and aureport. Multiple system calls can
be defined on the same line to save space if desired, but this is not required.
See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b
Rationale: Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
Identifiers: CCE-27219-5
Remediation Shell script:
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is a helper from the guide's shared remediation function
# library and is not defined in this snippet; it ensures a rule equivalent to
# FULL_RULE is present for the given tool and architecture, using PATTERN to
# find any existing rule that should be updated instead of duplicated.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
GROUP="clock_settime"
FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Record attempts to alter time through adjtimex
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but this
is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b
Rationale: Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
Identifiers: CCE-27290-6
Remediation Shell script:
perform_audit_adjtimex_settimeofday_stime_remediation
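The time-change rules above (stime, settimeofday, localtime, clock_settime and adjtimex) and the faillock and tallylog watch rules earlier in this section are each specified as separate lines, yet the text repeatedly notes that several syscalls may share one line, that -k and -F key= are interchangeable, and that the stime rule exists only for arch=b32. An audit of a rules.d directory therefore cannot be a literal grep for each line. The following is an added example, not code from the guide or from the scap-security-guide project: a small auditctl-syntax parser that checks a rules file for coverage of those required rules, counting a combined -S line as covering every syscall it names and refusing to count a rule that carries extra -F filters (it would be narrower than required). The required set, the sample rules and all names are the example's own.

```python
"""Audit-rule coverage check (added example, not from the SCAP Security Guide).

Parses rules in auditctl syntax (/etc/audit/rules.d/*.rules or
/etc/audit/audit.rules) and lists which of the time-change and login-event
rules are absent. "-S a,b" covers each syscall it names, "-k key" equals
"-F key=key", and stime is required for arch=b32 only. SAMPLE_RULES is constructed.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class SyscallRule:
    arch: str            # "b32" or "b64"
    syscalls: frozenset  # names given with -S (one or several)
    filters: frozenset   # other -F filters, e.g. "a0=0x0" or "auid>=1000"
    key: str

    def render(self):
        extra = "".join(f" -F {f}" for f in sorted(self.filters))
        return (f"-a always,exit -F arch={self.arch} -S "
                f"{','.join(sorted(self.syscalls))}{extra} -F key={self.key}")


@dataclass(frozen=True)
class WatchRule:
    path: str
    perms: str  # subset of "rwxa"
    key: str

    def render(self):
        return f"-w {self.path} -p {self.perms} -k {self.key}"


def parse_rule(line):
    """Parse one rule line; None for comments, blanks and control lines (-D, -b, -f)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = shlex.split(line)
    arch = key = path = perms = None
    syscalls, filters = set(), set()
    for i in range(0, len(toks), 2):  # rule-file options take at most one argument
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-w":
            path = arg
        elif opt == "-p":
            perms = arg
        elif opt == "-S":
            syscalls.update(arg.split(","))
        elif opt == "-k":
            key = arg
        elif opt == "-F":
            if arg.startswith("key="):
                key = arg[len("key="):]
            elif arg.startswith("arch="):
                arch = arg[len("arch="):]
            else:
                filters.add(arg)
    if path is not None:
        return WatchRule(path, perms or "", key or "")
    if syscalls:
        return SyscallRule(arch or "", frozenset(syscalls), frozenset(filters), key or "")
    return None


def covers(rule, req):
    """True if one parsed rule satisfies one required rule; a syscall rule with
    extra -F filters is narrower than the requirement and does not count."""
    if isinstance(req, WatchRule) and isinstance(rule, WatchRule):
        return (rule.path == req.path and set(req.perms) <= set(rule.perms)
                and rule.key == req.key)
    if isinstance(req, SyscallRule) and isinstance(rule, SyscallRule):
        return (rule.arch == req.arch and req.syscalls <= rule.syscalls
                and rule.filters == req.filters and rule.key == req.key)
    return False


def required_rules(bits=64):
    """Time-change and login-event rules for a system of the given word size."""
    archs = ("b32", "b64") if bits == 64 else ("b32",)
    req = []
    for arch in archs:
        for sc in ("adjtimex", "settimeofday"):
            req.append(SyscallRule(arch, frozenset({sc}), frozenset(), "audit_time_rules"))
        req.append(SyscallRule(arch, frozenset({"clock_settime"}),
                               frozenset({"a0=0x0"}), "time-change"))
    req.append(SyscallRule("b32", frozenset({"stime"}), frozenset(), "audit_time_rules"))
    req.append(WatchRule("/etc/localtime", "wa", "audit_time_rules"))
    req.append(WatchRule("/var/run/faillock", "wa", "logins"))
    req.append(WatchRule("/var/log/tallylog", "wa", "logins"))
    return req


def missing_rules(rules_text, bits=64):
    """Render every required rule that no line of rules_text covers."""
    rules = [r for r in (parse_rule(l) for l in rules_text.splitlines()) if r]
    return [req.render() for req in required_rules(bits)
            if not any(covers(r, req) for r in rules)]


# Constructed sample: syscalls combined on one line, -k and -F key= mixed,
# the b32 clock_settime rule and the tallylog watch left out on purpose.
SAMPLE_RULES = """\
## time changes (constructed sample)
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
-w /etc/localtime -p wa -k audit_time_rules
## login events (constructed sample)
-w /var/run/faillock -p wa -k logins
"""

if __name__ == "__main__":
    for line in missing_rules(SAMPLE_RULES):
        print("MISSING:", line)
```

The same check extends to the permission-modification rules by adding SyscallRule entries with filters {"auid>=1000", "auid!=unset"} and key perm_mod to required_rules; the filter comparison already handles them. Note that this checks the rule files, not the loaded ruleset: after editing, `augenrules --load` (or a restart of auditd) and `auditctl -l` confirm what the kernel is actually enforcing.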
Record Events that Modify the System's Discretionary Access Controls
At a minimum, the audit system should collect file permission
changes for all users and root. Note that the "-F arch=b32" lines should be
present even on a 64 bit system. These commands identify system calls for
auditing. Even if the system is 64 bit it can still execute 32 bit system
calls. Additionally, these rules can be configured in a number of ways while
still achieving the desired effect. An example of this is that the "-S" calls
could be split up and placed on separate lines, however, this is less efficient.
Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If your system is 64 bit then these lines should be duplicated and the
arch=b32 replaced with arch=b64 as follows:
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchown
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-07-030380, SV-86723r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
Identifiers: CCE-27356-5
Remediation Shell script:
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S fchown.*"
GROUP="perm_mod"
FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit fchown tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchown
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27356-5
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_fchown
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchown
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27356-5
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_fchown.matched is defined and find_fchown.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchown
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27356-5
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_fchown.files | map(attribute=''path'') | list | first }}'
when:
- find_fchown.matched is defined and find_fchown.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchown
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27356-5
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fchown rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchown
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27356-5
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fchown rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchown
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27356-5
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86
lineinfile:
line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchown
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27356-5
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fchown rule in audit.rules when on x86_64
lineinfile:
line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchown
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27356-5
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030380
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - setxattr
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030440, SV-86735r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
Identifiers: CCE-27213-8
Remediation Shell script:
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S setxattr.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is defined in the scap-security-guide shared
    # remediation function library and is not reproduced in this snippet)
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit setxattr tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27213-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030440
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_setxattr
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27213-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030440
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
    as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_setxattr.matched is defined and find_setxattr.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27213-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030440
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}'
  when:
    - find_setxattr.matched is defined and find_setxattr.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27213-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030440
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the setxattr rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27213-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030440
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the setxattr rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27213-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030440
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27213-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030440
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27213-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030440
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - chown
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system call has been given a rule of its
own, independent of other system calls. Grouping these system calls with
others, as described earlier in this guide, is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9,
5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01,
BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01,
DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02,
MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172,
164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C),
164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7,
4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8,
4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8,
SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1,
SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4,
A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4,
A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3,
DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4,
RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033,
SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219,
RHEL-07-030370, SV-86721r5_rule, SRG-OS-000458-VMM-001810,
SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.
Identifiers: CCE-27364-9
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chown.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit chown tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27364-9
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030370
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_chown
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27364-9
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030370
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
    as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_chown.matched is defined and find_chown.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27364-9
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030370
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_chown.files | map(attribute=''path'') | list | first }}'
  when:
    - find_chown.matched is defined and find_chown.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27364-9
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030370
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the chown rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27364-9
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030370
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the chown rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27364-9
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030370
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27364-9
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030370
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the chown rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27364-9
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030370
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - fchownat
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system call has been given a rule of its
own, independent of other system calls. Grouping these system calls with
others, as described earlier in this guide, is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9,
5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01,
BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01,
DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02,
MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172,
164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C),
164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7,
4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8,
4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8,
SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1,
SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4,
A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4,
A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3,
DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4,
RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033,
SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219,
RHEL-07-030400, SV-86727r5_rule, SRG-OS-000458-VMM-001810,
SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.
Identifiers: CCE-27387-0
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fchownat.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit fchownat tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27387-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030400
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fchownat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27387-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030400
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
    as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_fchownat.matched is defined and find_fchownat.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27387-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030400
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}'
  when:
    - find_fchownat.matched is defined and find_fchownat.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27387-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030400
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fchownat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27387-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030400
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fchownat rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27387-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030400
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27387-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030400
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchownat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27387-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030400
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - chmod
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system call has been given a rule of its
own, independent of other system calls. Grouping these system calls with
others, as described earlier in this guide, is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9,
5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01,
BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01,
DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02,
MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172,
164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C),
164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7,
4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8,
4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8,
SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1,
SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4,
A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4,
A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3,
DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4,
RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033,
SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030410,
SV-86729r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.
Identifiers: CCE-27339-1
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S chmod.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit chmod tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27339-1
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030410
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_chmod
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27339-1
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030410
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
    as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_chmod.matched is defined and find_chmod.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27339-1
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030410
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_chmod.files | map(attribute=''path'') | list | first }}'
  when:
    - find_chmod.matched is defined and find_chmod.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27339-1
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030410
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the chmod rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27339-1
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030410
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the chmod rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27339-1
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030410
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27339-1
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030410
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the chmod rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_chmod
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27339-1
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030410
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - removexattr
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system call has been given a rule of its
own, independent of other system calls. Grouping these system calls with
others, as described earlier in this guide, is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9,
5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01,
BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01,
DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02,
MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172,
164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C),
164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7,
4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8,
4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8,
SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1,
SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4,
A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4,
A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3,
DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4,
RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033,
SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030470,
SV-86741r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.
Identifiers: CCE-27367-2
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S removexattr.*"
GROUP="perm_mod"
FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit removexattr tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_removexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27367-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030470
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_removexattr
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_removexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27367-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030470
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_removexattr.matched is defined and find_removexattr.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_removexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27367-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030470
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_removexattr.files | map(attribute=''path'') | list | first }}'
when:
- find_removexattr.matched is defined and find_removexattr.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_removexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27367-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030470
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the removexattr rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F
key=perm_mod
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_removexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27367-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030470
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the removexattr rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F
key=perm_mod
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_removexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27367-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030470
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86
lineinfile:
line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F
key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_removexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27367-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030470
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64
lineinfile:
line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F
key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_removexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27367-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030470
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system call has been given a rule of
its own; grouping it with the other DAC-modification system calls under the
same key, as described earlier in this guide, is more efficient because the
kernel then evaluates one rule instead of several.
References: CIS 5.2.10; CIS Controls 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; CJIS 5.4.1.1; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000172; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.6, SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001 A.6.2.1, A.6.2.2, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AU-2(d), AU-12(c), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI DSS Req-10.5.5; DISA OS SRG SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203; DISA STIG RHEL-07-030480 (SV-86743r5_rule); VMM SRG SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: Changing a file's discretionary access controls (permissions, ownership or extended attributes) could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifier: CCE-27353-2
Remediation shell script:
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is provided by the guide's shared remediation
# functions (not reproduced on this page): for the named loader it adds the
# system call to an existing rule with the same key and arch when one is
# present, and otherwise appends FULL_RULE.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr.*"
GROUP="perm_mod"
FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit fremovexattr tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27353-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_fremovexattr
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27353-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_fremovexattr.matched is defined and find_fremovexattr.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27353-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}'
when:
- find_fremovexattr.matched is defined and find_fremovexattr.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27353-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fremovexattr rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset
-F key=perm_mod
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27353-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset
-F key=perm_mod
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27353-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86
lineinfile:
line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset
-F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27353-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64
lineinfile:
line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset
-F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27353-2
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030480
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system call has been given a rule of
its own; grouping it with the other DAC-modification system calls under the
same key, as described earlier in this guide, is more efficient because the
kernel then evaluates one rule instead of several.
References: CIS 5.2.10; CIS Controls 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; CJIS 5.4.1.1; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000126, CCI-000172; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.6, SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001 A.6.2.1, A.6.2.2, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AU-2(d), AU-12(c), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI DSS Req-10.5.5; DISA OS SRG SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219; DISA STIG RHEL-07-030460 (SV-86739r5_rule); VMM SRG SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: Changing a file's discretionary access controls (permissions, ownership or extended attributes) could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifier: CCE-27280-7
Remediation shell script:
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is provided by the guide's shared remediation
# functions (not reproduced on this page): for the named loader it adds the
# system call to an existing rule with the same key and arch when one is
# present, and otherwise appends FULL_RULE.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr.*"
GROUP="perm_mod"
FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit lsetxattr tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27280-7
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030460
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_lsetxattr
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27280-7
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030460
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_lsetxattr.matched is defined and find_lsetxattr.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27280-7
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030460
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}'
when:
- find_lsetxattr.matched is defined and find_lsetxattr.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27280-7
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030460
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the lsetxattr rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F
key=perm_mod
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27280-7
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030460
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F
key=perm_mod
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27280-7
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030460
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86
lineinfile:
line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F
key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27280-7
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030460
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64
lineinfile:
line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F
key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27280-7
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030460
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - fchmod
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system call has been given a rule of
its own; grouping it with the other DAC-modification system calls under the
same key, as described earlier in this guide, is more efficient because the
kernel then evaluates one rule instead of several.
References: CIS 5.2.10; CIS Controls 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 19; CJIS 5.4.1.1; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000126, CCI-000172; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.6, SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001 A.6.2.1, A.6.2.2, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7; NIST 800-53 AU-2(d), AU-12(c), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI DSS Req-10.5.5; DISA OS SRG SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203; DISA STIG RHEL-07-030420 (SV-86731r5_rule); VMM SRG SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: Changing a file's discretionary access controls (permissions, ownership or extended attributes) could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Identifier: CCE-27393-8
Remediation shell script:
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is provided by the guide's shared remediation
# functions (not reproduced on this page): for the named loader it adds the
# system call to an existing rule with the same key and arch when one is
# present, and otherwise appends FULL_RULE.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S fchmod.*"
GROUP="perm_mod"
FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit fchmod tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27393-8
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_fchmod
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27393-8
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules
as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_fchmod.matched is defined and find_fchmod.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27393-8
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_fchmod.files | map(attribute=''path'') | list | first }}'
when:
- find_fchmod.matched is defined and find_fchmod.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27393-8
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fchmod rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27393-8
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fchmod rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27393-8
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86
lineinfile:
line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27393-8
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64
lineinfile:
line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
state: present
dest: /etc/audit/audit.rules
create: true
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_dac_modification_fchmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-27393-8
- PCI-DSS-Req-10.5.5
- DISA-STIG-RHEL-07-030420
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
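The five rules above (removexattr, fremovexattr, lsetxattr, fchmod and lchown) each say where to put the rule for the augenrules or auditctl loader, and each notes that grouping the system calls into one rule is equally valid and more efficient, but none of them shows how to confirm that the running configuration actually covers a given call in whatever layout an administrator chose. The script below is an added example written for this page; it is not part of the scap-security-guide project or its remediation content. It accepts a rule in either layout, in any field order, with the key given as -F key=perm_mod or -k perm_mod, and with any of the spellings auditctl uses for the "unset" login UID; it also prints the grouped form. The PERM_MOD_SYSCALLS list is an assumption of the example, and the rule files it is tested against are constructed samples.

```shell
#!/usr/bin/env bash
# Added example; not part of the scap-security-guide remediation content.
# Checks whether an audit rule set covers a DAC-modification system call for a
# given arch, accepting both layouts the guide allows: one system call per rule
# (as in the remediations above) or several grouped in one "-S a,b,c" rule.
# It also prints the grouped form. Paths are the ones used on this page.

# Grouped list of the DAC-modification system calls audited under key perm_mod
# (an assumption for this example: the calls on this page plus their siblings).
PERM_MOD_SYSCALLS="chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr"

# rule_covers LINE ARCH SYSCALL
# True when LINE is an always,exit rule for ARCH whose -S list contains
# SYSCALL, is limited to real users (auid>=1000 and auid!=unset, which
# auditctl -l may print as auid!=-1 or auid!=4294967295), and carries key
# perm_mod via either "-F key=perm_mod" or "-k perm_mod". Field order is free.
rule_covers() {
  local line=$1 arch=$2 syscall=$3
  local prev="" tok sc
  local ok_action=0 ok_arch=0 ok_sc=0 ok_min=0 ok_unset=0 ok_key=0
  for tok in $line; do
    case "$prev" in
      -a) case "$tok" in always,exit|exit,always) ok_action=1 ;; esac ;;
      -F) case "$tok" in
            "arch=$arch")  ok_arch=1 ;;
            "auid>=1000")  ok_min=1 ;;
            "auid!=unset"|"auid!=-1"|"auid!=4294967295") ok_unset=1 ;;
            key=perm_mod)  ok_key=1 ;;
          esac ;;
      -S) for sc in $(printf '%s\n' "$tok" | tr ',' ' '); do
            [ "$sc" = "$syscall" ] && ok_sc=1
          done ;;
      -k) [ "$tok" = perm_mod ] && ok_key=1 ;;
    esac
    prev=$tok
  done
  [ $ok_action -eq 1 ] && [ $ok_arch -eq 1 ] && [ $ok_sc -eq 1 ] &&
    [ $ok_min -eq 1 ] && [ $ok_unset -eq 1 ] && [ $ok_key -eq 1 ]
}

# rules_cover ARCH SYSCALL   (rule lines on stdin)
# Skips blank and comment lines and succeeds if any one rule covers
# ARCH/SYSCALL. Feed it the concatenation of /etc/audit/rules.d/*.rules (what
# augenrules compiles), /etc/audit/audit.rules (what auditctl loads), or the
# output of "auditctl -l" (what the kernel currently enforces).
rules_cover() {
  local arch=$1 syscall=$2 line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    if rule_covers "$line" "$arch" "$syscall"; then return 0; fi
  done
  return 1
}

# grouped_perm_mod_rules BITS
# Prints the grouped equivalent of the per-syscall rules on this page, one rule
# per arch. BITS is 32 or 64; on a live host pass "$(getconf LONG_BIT)".
grouped_perm_mod_rules() {
  local bits=$1 arch
  for arch in b32 b64; do
    if [ "$bits" = 32 ] && [ "$arch" = b64 ]; then continue; fi
    printf '%s always,exit -F arch=%s -S %s -F auid>=1000 -F auid!=unset -F key=perm_mod\n' \
      -a "$arch" "$PERM_MOD_SYSCALLS"
  done
}

# check_syscall_audited ARCH SYSCALL
# Live check: reports the persistent rules for both loaders the guide describes
# and, when run as root with auditctl available, the rules currently loaded.
# Returns 0 only if at least one persistent configuration covers the call.
check_syscall_audited() {
  local arch=$1 syscall=$2 rc=1
  if cat /etc/audit/rules.d/*.rules 2>/dev/null | rules_cover "$arch" "$syscall"; then
    echo "augenrules (/etc/audit/rules.d): $syscall/$arch covered"; rc=0
  else
    echo "augenrules (/etc/audit/rules.d): $syscall/$arch NOT covered"
  fi
  if cat /etc/audit/audit.rules 2>/dev/null | rules_cover "$arch" "$syscall"; then
    echo "auditctl (/etc/audit/audit.rules): $syscall/$arch covered"; rc=0
  else
    echo "auditctl (/etc/audit/audit.rules): $syscall/$arch NOT covered"
  fi
  if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
    if auditctl -l 2>/dev/null | rules_cover "$arch" "$syscall"; then
      echo "kernel (auditctl -l): $syscall/$arch loaded"
    else
      echo "kernel (auditctl -l): $syscall/$arch NOT loaded; rules are read at auditd start, and a reboot is needed if the loaded set is immutable (-e 2)"
    fi
  fi
  return $rc
}

# Usage on a live host:  ./check_dac_audit.sh b64 removexattr
if [ $# -eq 2 ]; then check_syscall_audited "$1" "$2"; fi
```

Run it as root with the arch and system call to check. Keep the b32 rule on x86_64 hosts as well: a 32-bit binary enters the kernel through the compat system call table and is matched only by the arch=b32 rule, which is why each rule above says to add both lines on a 64-bit system. To confirm a rule fires end to end, remove an extended attribute as an ordinary user (setfattr -x user.test somefile, from the attr package) and look for the record with ausearch -k perm_mod -i.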
Record Events that Modify the System's Discretionary Access Controls - lchown
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others, as
identified earlier in this guide, is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-07-030390, SV-86725r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.
Identifiers: CCE-27083-5
Remediation Shell script:
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is defined in the scap-security-guide shared
# remediation function library (installed on RHEL 7 as
# /usr/share/scap-security-guide/remediation_functions); source that library
# before running this snippet on its own.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S lchown.*"
  GROUP="perm_mod"
  FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit lchown tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27083-5
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030390
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_lchown
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27083-5
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030390
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_lchown.matched is defined and find_lchown.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27083-5
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030390
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_lchown.files | map(attribute=''path'') | list | first }}'
  when:
    - find_lchown.matched is defined and find_lchown.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27083-5
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030390
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the lchown rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27083-5
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030390
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the lchown rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27083-5
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030390
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27083-5
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030390
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the lchown rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27083-5
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030390
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others, as
identified earlier in this guide, is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030450, SV-86737r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.
Identifiers: CCE-27389-6
Remediation Shell script:
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is defined in the scap-security-guide shared
# remediation function library (installed on RHEL 7 as
# /usr/share/scap-security-guide/remediation_functions); source that library
# before running this snippet on its own.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr.*"
  GROUP="perm_mod"
  FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit fsetxattr tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27389-6
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030450
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fsetxattr
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27389-6
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030450
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27389-6
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030450
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}'
  when:
    - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27389-6
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030450
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fsetxattr rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27389-6
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030450
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27389-6
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030450
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27389-6
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030450
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fsetxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27389-6
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030450
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - fchmodat
At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others, as
identified earlier in this guide, is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030430, SV-86733r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.
Identifiers: CCE-27388-8
Remediation Shell script:
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is defined in the scap-security-guide shared
# remediation function library (installed on RHEL 7 as
# /usr/share/scap-security-guide/remediation_functions); source that library
# before running this snippet on its own.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S fchmodat.*"
  GROUP="perm_mod"
  FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit fchmodat tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27388-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030430
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fchmodat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27388-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030430
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_fchmodat.matched is defined and find_fchmodat.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27388-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030430
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}'
  when:
    - find_fchmodat.matched is defined and find_fchmodat.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27388-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030430
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fchmodat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27388-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030430
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27388-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030430
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27388-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030430
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27388-8
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030430
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping these system calls with others, as
identified earlier in this guide, is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030490, SV-86745r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940
Rationale: The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.
Identifiers: CCE-27410-0
Remediation Shell script:
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is defined in the scap-security-guide shared
# remediation function library (installed on RHEL 7 as
# /usr/share/scap-security-guide/remediation_functions); source that library
# before running this snippet on its own.
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr.*"
  GROUP="perm_mod"
  FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit lremovexattr tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27410-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030490
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_lremovexattr
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27410-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030490
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27410-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030490
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}'
  when:
    - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27410-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030490
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the lremovexattr rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27410-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030490
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27410-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030490
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27410-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030490
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_dac_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-27410-0
    - PCI-DSS-Req-10.5.5
    - DISA-STIG-RHEL-07-030490
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1
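The four DAC-modification rules above (lchown, fsetxattr, fchmodat, lremovexattr) may legitimately appear grouped in one -S list, with -k instead of -F key=, or with the numeric form of auid!=unset, so a check that greps for one exact line produces false findings. The following Python check, added here as an example and not code from the guide or the scap-security-guide project, parses a ruleset into its fields and reports which (arch, syscall) pairs lack a conforming rule; the function names and the sample ruleset are my own constructions.

```python
"""Added example, not part of the guide or the scap-security-guide project."""
import shlex
from pathlib import Path
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

# The four DAC-modification syscalls reviewed above; all are keyed perm_mod and
# must be covered for both arches, since b32 is required even on a 64-bit host.
DAC_SYSCALLS = ("lchown", "fsetxattr", "fchmodat", "lremovexattr")
ARCHES = ("b32", "b64")
AUID_FILTERS = frozenset({"auid>=1000", "auid!=unset"})

class Rule(NamedTuple):
    arch: Optional[str]
    syscalls: FrozenSet[str]
    filters: FrozenSet[str]  # -F fields other than arch= and key=
    key: Optional[str]

def normalize_filter(field: str) -> str:
    """auditctl accepts numeric spellings of 'unset'; fold them into one form."""
    if field in ("auid!=4294967295", "auid!=-1"):
        return "auid!=unset"
    return field

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-a always,exit ...' syscall rule; None for any other line."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    action, arch, key = None, None, None
    syscalls, filters = set(), set()
    for i in range(0, len(toks), 2):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else ""
        if tok in ("-a", "-A"):
            action = arg
        elif tok == "-S":
            syscalls.update(arg.split(","))
        elif tok == "-k":
            key = arg
        elif tok == "-F" and arg.startswith("arch="):
            arch = arg[len("arch="):]
        elif tok == "-F" and arg.startswith("key="):
            key = arg[len("key="):]
        elif tok == "-F":
            filters.add(normalize_filter(arg))
        else:  # -w watches, -D, -b and similar control lines are not syscall rules
            return None
    if action not in ("always,exit", "exit,always") or not syscalls:
        return None
    return Rule(arch, frozenset(syscalls), frozenset(filters), key)

def parse_rules(text: str) -> List[Rule]:
    """Parse a whole rules file, skipping comments, blanks and non-syscall lines."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]

def load_rules_d(directory: str = "/etc/audit/rules.d") -> List[Rule]:
    """Read every *.rules file in name order, the way augenrules merges them."""
    text = "".join(p.read_text() for p in sorted(Path(directory).glob("*.rules")))
    return parse_rules(text)

def missing_dac_rules(rules: List[Rule], syscalls=DAC_SYSCALLS, arches=ARCHES,
                      filters: FrozenSet[str] = AUID_FILTERS,
                      key: str = "perm_mod") -> List[Tuple[str, str]]:
    """Return (arch, syscall) pairs that no rule audits as the guide requires.

    A rule counts when it has the right arch, lists the syscall anywhere in its
    -S set (so a grouped rule is fine), carries exactly the required -F filters
    and tags the event with the required key.
    """
    missing = []
    for syscall in syscalls:
        for arch in arches:
            if not any(r.arch == arch and syscall in r.syscalls
                       and r.filters == filters and r.key == key for r in rules):
                missing.append((arch, syscall))
    return missing

def render_rule(arch: str, syscall: str, key: str = "perm_mod") -> str:
    """The guide's one-syscall-per-line form, ready to append to a rules file."""
    return (f"-a always,exit -F arch={arch} -S {syscall} "
            f"-F auid>=1000 -F auid!=unset -F key={key}")

# Constructed sample ruleset (not from any real system): grouped rules, both key
# spellings, the numeric 'unset', a watch rule, and some required rules missing.
SAMPLE_RULES = """\
## constructed sample
-D
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-w /etc/sudoers -p wa -k actions
"""

if __name__ == "__main__":
    for arch, syscall in missing_dac_rules(parse_rules(SAMPLE_RULES)):
        print("missing:", render_rule(arch, syscall))
```

On a live host, replace parse_rules(SAMPLE_RULES) with load_rules_d() for the augenrules layout, or parse the contents of /etc/audit/audit.rules when auditctl loads the rules directly; the same parser also accepts the exit=-EACCES style filters, so it can be pointed at other keys and filter sets.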
Record Unauthorized Access Attempts Events to Files (unsuccessful)
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. Note that the "-F arch=b32" lines should be
present even on a 64 bit system. These commands identify system calls for
auditing. Even if the system is 64 bit it can still execute 32 bit system
calls. Additionally, these rules can be configured in a number of ways while
still achieving the desired effect. An example of this is that the "-S" calls
could be split up and placed on separate lines, however, this is less efficient.
Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If your system is 64 bit then these lines should be duplicated and the
arch=b32 replaced with arch=b64 as follows:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Successful Delete Attempts to Files - renameat
At a minimum, the audit system should collect file
deletion for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
Note that these rules can be configured in a number of ways while still achieving
the desired effect. Here the renameat system call is audited independently of
other system calls. Grouping it with the other deletion syscalls (unlink,
unlinkat, rename) under one rule, as described earlier in this guide, is more
efficient, because the kernel walks the whole list of syscall rules on every
audited syscall exit.
File deletion attempts could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
CCE-82094-4

Record Unsuccessful Delete Attempts to Files - renameat
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Note that these rules can be configured in a number of ways while still achieving
the desired effect. Here the renameat system call is audited independently of
other system calls. Grouping the system calls related to the same event under one
rule is more efficient, as in the following example. The key is a free-form tag;
it is chosen here to match the rules above so that "ausearch -k unsuccessful-delete"
finds all of these events:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
References: 5.2.10; CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST SP 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST SP 800-53 AU-2(d), AU-12(c), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI DSS Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to delete files could be an indicator of malicious activity
on a system. Auditing these events could serve as evidence of potential system
compromise.
CCE-82082-9
# Remediation (bash). fix_audit_syscall_rule is a helper from the shared remediation
# functions of scap-security-guide and is not defined on this page: for the given
# tool ('auditctl' reads /etc/audit/audit.rules, 'augenrules' reads
# /etc/audit/rules.d/$GROUP.rules) it appends FULL_RULE, or merges the syscall into
# an existing rule of the same group when a rule matching PATTERN is already there.
# Note that the remediation tags the rules with key=access (the GROUP name) rather
# than the key=unsuccessful-delete shown in the description; the key is a free-form
# tag, so search for these events with the key that was actually installed.
# Retrieve hardware architecture of the underlying system: a 64-bit kernel still
# executes 32-bit system calls, so it needs both the b32 and the b64 rule.
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  # One rule per error a denied renameat can return: -EACCES and -EPERM
  for EXIT_CODE in -EACCES -EPERM
  do
    PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=$EXIT_CODE.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=$EXIT_CODE -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  done
done
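The remediation above relies on fix_audit_syscall_rule, which is not reproduced on this page. The following is an added example, not scap-security-guide code, of the check-then-append logic such a helper needs for the renameat rules: it recognises a rule the administrator already wrote as a group (the "-S unlink,unlinkat,rename,renameat" form the note above recommends) and only appends a separate rule when nothing covers the syscall, architecture and exit filter. The function names (audit_rule_archs, audit_rule_covered, ensure_audit_rule, install_unsuccessful_rules) and the rules file content in the demo are this example's own; the demo runs in a temporary directory and touches nothing under /etc/audit.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: idempotent placement of
# "unsuccessful" audit syscall rules. Nothing under /etc/audit is touched.

# audit_rule_archs <LONG_BIT>: arch filters a host needs. A 64-bit kernel still
# executes 32-bit system calls, so it needs both b32 and b64 rules.
audit_rule_archs() {
    if [ "$1" = "32" ]; then printf 'b32\n'; else printf 'b32\nb64\n'; fi
}

# audit_rule_covered <rules_file> <arch> <syscall> <exit_filter>
# Succeeds when an "-a always,exit" rule in <rules_file> already audits <syscall>
# for <arch> with "-F exit=<exit_filter>", whether the syscall stands alone in -S
# or inside a comma-separated group.
audit_rule_covered() {
    [ -f "$1" ] || return 1
    grep -Eq "^-a (always,exit|exit,always) .*-F arch=$2 .*-S ([^ ]*,)?$3(,[^ ]*)? .*-F exit=$4( |\$)" "$1"
}

# ensure_audit_rule <rules_file> <arch> <syscall> <exit_filter> <key>
# Appends a single-syscall rule unless one is already covered; prints what it did.
ensure_audit_rule() {
    if audit_rule_covered "$1" "$2" "$3" "$4"; then
        printf 'present\n'
        return 0
    fi
    printf '%s -F arch=%s -S %s -F exit=%s -F auid>=1000 -F auid!=unset -F key=%s\n' \
        '-a always,exit' "$2" "$3" "$4" "$5" >> "$1"
    printf 'added\n'
}

# install_unsuccessful_rules <rules_file> <LONG_BIT> <syscall> <key>
# Installs the -EACCES and -EPERM rules for every arch the host needs and prints
# one "arch exit result" line per rule.
install_unsuccessful_rules() {
    for arch in $(audit_rule_archs "$2"); do
        for code in -EACCES -EPERM; do
            printf '%s %s %s\n' "$arch" "$code" "$(ensure_audit_rule "$1" "$arch" "$3" "$code" "$4")"
        done
    done
}

# Demo on constructed input: a rules file that already holds a grouped b64 -EACCES rule,
# so only the three rules it does not cover get appended.
demo_dir=$(mktemp -d)
printf '%s\n' '-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete' \
    > "$demo_dir/access.rules"
install_unsuccessful_rules "$demo_dir/access.rules" 64 renameat unsuccessful-delete
cat "$demo_dir/access.rules"
rm -rf "$demo_dir"
```

On a host, point install_unsuccessful_rules at a file under /etc/audit/rules.d (or at /etc/audit/audit.rules when auditd is configured for auditctl), pass "$(getconf LONG_BIT)" as the second argument, and reload with augenrules --load. Unlike the SSG helper it never merges a syscall into an existing -S list; it only adds a separate rule when nothing covers it, which keeps hand-written grouped rules intact.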
- name: Set architecture for audit renameat tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_renameat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-82082-9
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_renameat
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_renameat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-82082-9
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/access.rules
when:
- find_renameat.matched is defined and find_renameat.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_renameat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-82082-9
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_renameat.files | map(attribute=''path'') | list | first }}'
when:
- find_renameat.matched is defined and find_renameat.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_renameat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-82082-9
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the renameat rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_renameat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-82082-9
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the renameat rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_renameat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-82082-9
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_renameat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-82082-9
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the renameat rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_renameat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-82082-9
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Record Successful Creation Attempts to Files - open O_TRUNC_WRITE
The audit system should collect detailed file access records for all users and
root. The open syscall modifies an existing file when it is called with a write
flag or with O_TRUNC: the octal mask 01003 used below is O_WRONLY (01) | O_RDWR
(02) | O_TRUNC (01000), and the filter "-F a1&01003" matches when any of those
bits is set in the flags argument. There is no O_TRUNC_WRITE flag in the kernel;
the name is this rule's label for that mask. For open the flags are the second
argument (a1, since a0 is the first); for openat and open_by_handle_at they are
the third (a2), so rules for the two families must test different arguments. The
following audit rules ensure that successful opens of a file for writing or
truncation via the open syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit
rules during daemon startup (the default), add the rules below to a file with
suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the rules below to the /etc/audit/audit.rules
file.
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Note that these rules can be configured in a number of ways while still achieving
the desired effect. Here the open system call is audited independently of other
system calls. Grouping system calls related to the same event is more efficient,
provided they carry the flags in the same argument; openat and open_by_handle_at
do, so they can share one rule:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Successful attempts to access files could be an indicator of malicious activity
on a system. Auditing these events could serve as evidence of potential system
compromise.
CCE-81143-0

Record Unsuccessful Permission Changes to Files - chmod
The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a number of ways while still achieving
the desired effect. Here the audit rule checks a single system call independently
of other system calls. Grouping system calls related to the same event is more
efficient, as in the following example, which covers the whole permission-changing
family (mode bits and extended attributes) in one rule:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
The key is a free-form tag; the spelling unsuccesful-perm-change is the one used
throughout this rule and in the upstream OSPP rule set, so searches such as
"ausearch -k unsuccesful-perm-change" must use the same spelling.
References: CCI-000172; NIST SP 800-53 AU-2(d), AU-12(c), CM-6(a); SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to change permissions of files could be an indicator of
malicious activity on a system. Auditing these events could serve as evidence of
potential system compromise.
CCE-81086-1
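The rationale above describes these records as evidence; the following added example (not part of this guide or of scap-security-guide) shows what using that evidence looks like once the unsuccessful-delete and unsuccesful-perm-change rules are loaded. It parses constructed SYSCALL records of the shape auditd writes to /var/log/audit/audit.log (a subset of the real fields, with real field names and the real syscall numbers: renameat is 264 on x86_64 and 302 on i386, chmod is 90 on x86_64) and summarises failed operations by login uid, error and key, roughly what ausearch -k followed by aureport gives. The function names make_sample_log, failed_summary and count_failed_by_key and the sample records are this example's own.

```shell
#!/bin/sh
# Added example, not part of the guide: summarise the events the "unsuccessful"
# audit rules produce. Input is constructed; nothing on the host is read.

# make_sample_log <path>: constructed audit records. Field subset, real field
# names. arch=c000003e is x86_64 (renameat=264, chmod=90); arch=40000003 is i386
# (renameat=302). exit=-13 is -EACCES, exit=-1 is -EPERM.
make_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1552300000.101:4321): arch=c000003e syscall=264 success=no exit=-13 a0=ffffff9c a1=7ffd1c0a a2=ffffff9c a3=7ffd1c10 items=2 pid=2201 auid=1000 uid=1000 comm="mv" exe="/usr/bin/mv" key="unsuccessful-delete"
type=SYSCALL msg=audit(1552300000.102:4322): arch=c000003e syscall=264 success=no exit=-1 a0=ffffff9c a1=7ffd1c0a a2=ffffff9c a3=7ffd1c10 items=2 pid=2202 auid=1000 uid=1000 comm="mv" exe="/usr/bin/mv" key="unsuccessful-delete"
type=SYSCALL msg=audit(1552300000.103:4323): arch=40000003 syscall=302 success=no exit=-13 a0=ffffff9c a1=bfd1c0a0 a2=ffffff9c a3=bfd1c0b0 items=2 pid=2203 auid=1001 uid=1001 comm="mv" exe="/usr/bin/mv" key="unsuccessful-delete"
type=SYSCALL msg=audit(1552300000.104:4324): arch=c000003e syscall=264 success=yes exit=0 a0=ffffff9c a1=7ffd1c0a a2=ffffff9c a3=7ffd1c10 items=4 pid=2204 auid=1000 uid=1000 comm="mv" exe="/usr/bin/mv" key="successful-delete"
type=SYSCALL msg=audit(1552300000.105:4325): arch=c000003e syscall=90 success=no exit=-1 a0=7ffd1c0a a1=1ed a2=0 a3=0 items=1 pid=2205 auid=1000 uid=1000 comm="chmod" exe="/usr/bin/chmod" key="unsuccesful-perm-change"
EOF
}

# failed_summary <audit_log>: one line "auid error key comm count" per distinct
# combination, counting only SYSCALL records with success=no, which is exactly
# what the exit=-EACCES / exit=-EPERM rules record.
failed_summary() {
    awk '
        # f(name): value of the "name=value" field on the current record, or ""
        function f(name,    i) {
            for (i = 1; i <= NF; i++)
                if (index($i, name "=") == 1) return substr($i, length(name) + 2)
            return ""
        }
        /^type=SYSCALL / && f("success") == "no" {
            e = f("exit")
            if (e == "-13") e = "EACCES"; else if (e == "-1") e = "EPERM"
            k = f("key");  gsub(/"/, "", k)
            c = f("comm"); gsub(/"/, "", c)
            n[f("auid") " " e " " k " " c]++
        }
        END { for (x in n) print x, n[x] }' "$1" | sort
}

# count_failed_by_key <audit_log> <key>: number of failed operations tagged <key>
count_failed_by_key() {
    failed_summary "$1" | awk -v k="$2" '$3 == k { s += $5 } END { print s + 0 }'
}

# Demo on the constructed log
log=$(mktemp)
make_sample_log "$log"
failed_summary "$log"
printf 'failed deletes: %s\n' "$(count_failed_by_key "$log" unsuccessful-delete)"
rm -f "$log"
```

Run against a real log, the same two functions take /var/log/audit/audit.log as the file argument; because the rules key the events, the key is the fastest pivot, and the auid column survives su and sudo, which is why the rules filter on auid rather than uid.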
# Remediation (bash). fix_audit_syscall_rule is a helper from the shared remediation
# functions of scap-security-guide and is not defined on this page: for the given
# tool ('auditctl' reads /etc/audit/audit.rules, 'augenrules' reads
# /etc/audit/rules.d/$GROUP.rules) it appends FULL_RULE, or merges the syscall into
# an existing rule of the same group when a rule matching PATTERN is already there.
# Note that the remediation tags the rules with key=access (the GROUP name) rather
# than the key=unsuccesful-perm-change shown in the description; the key is a
# free-form tag, so search for these events with the key that was actually installed.
# Retrieve hardware architecture of the underlying system: a 64-bit kernel still
# executes 32-bit system calls, so it needs both the b32 and the b64 rule.
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  # One rule per error a denied chmod can return: -EACCES and -EPERM
  for EXIT_CODE in -EACCES -EPERM
  do
    PATTERN="-a always,exit -F arch=$ARCH -S chmod -F exit=$EXIT_CODE.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F exit=$EXIT_CODE -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  done
done
- name: Set architecture for audit chmod tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_chmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81086-1
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_chmod
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_chmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81086-1
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/access.rules
when:
- find_chmod.matched is defined and find_chmod.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_chmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81086-1
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_chmod.files | map(attribute=''path'') | list | first }}'
when:
- find_chmod.matched is defined and find_chmod.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_chmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81086-1
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the chmod rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_chmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81086-1
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the chmod rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_chmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81086-1
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_chmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81086-1
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the chmod rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_chmod
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81086-1
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
The audit system should collect detailed unauthorized file accesses for all users
and root. The open syscall can modify a file when it is called with a write flag
or with O_TRUNC: the octal mask 01003 is O_WRONLY (01) | O_RDWR (02) | O_TRUNC
(01000), and "-F a1&01003" matches when any of those bits is set in open's flags
argument, a1 (there is no O_TRUNC_WRITE flag in the kernel; the name labels this
mask). The following audit rules ensure that unsuccessful attempts to modify a
file via the open syscall are collected. Two rules are needed per architecture
because a denied open fails with one of two errors: -EACCES (permission denied by
DAC or MAC) or -EPERM (operation not permitted, for example on an immutable file).
If the auditd daemon is configured to use the augenrules program to read audit
rules during daemon startup (the default), add the rules below to a file with
suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the rules below to the /etc/audit/audit.rules
file.
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
Note that these rules can be configured in a number of ways while still achieving
the desired effect. Here the open system call is audited independently of other
system calls. Grouping system calls related to the same event is more efficient
when they carry the flags in the same argument; open keeps them in a1, but openat
and open_by_handle_at keep them in a2 and can share one rule, as in the upstream
OSPP rule set installed by the remediation below:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
The key is a free-form tag; the spelling unsuccesful-modification is the one used
by the upstream 30-ospp-v42.rules file, so searches such as
"ausearch -k unsuccesful-modification" must use the same spelling.
References: 5.2.10; CIS Controls 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST SP 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST SP 800-53 AU-2(d), AU-12(c), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP FAU_GEN.1.1.c; PCI DSS Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to access files could be an indicator of malicious activity
on a system. Auditing these events could serve as evidence of potential system
compromise.
CCE-81121-6
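Both open O_TRUNC_WRITE rules (the successful-modification rule earlier and the unsuccessful-modification rule just described) hinge on two details: what the octal mask matches and which argument holds the flags for each syscall. The following added example, not part of this guide or of scap-security-guide, makes both concrete and adds a small lint that rejects a rule testing the wrong argument, the mistake of writing "-S open -F a2&..." or of grouping open with openat under one aN filter. The flag values are the Linux x86 ones from <asm-generic/fcntl.h>; the names open_flags_match, flags_arg and lint_open_rule are this example's own.

```shell
#!/bin/sh
# Added example, not part of the guide: what the "-F aN&mask" filters in the
# open O_TRUNC_WRITE rules test, and a lint for the argument index.
# Flag values are the Linux x86 ones from <asm-generic/fcntl.h>, in octal.
O_RDONLY=0 O_WRONLY=01 O_RDWR=02 O_CREAT=0100 O_TRUNC=01000
MOD_MASK=01003    # O_WRONLY | O_RDWR | O_TRUNC: the "modification" mask used above
CREATE_MASK=0100  # O_CREAT: the mask the upstream "unsuccesful-create" rules use

# open_flags_match <flags> <mask>: "yes" when the audit test "aN&<mask>" fires,
# i.e. when flags and mask share at least one bit (auditctl's & operator).
open_flags_match() {
    if [ $(( $1 & $2 )) -ne 0 ]; then echo yes; else echo no; fi
}

# flags_arg <syscall>: audit argument (a0 is the first) that carries the open flags.
flags_arg() {
    case $1 in
        open)                     echo a1 ;;  # open(pathname, flags, mode)
        openat|open_by_handle_at) echo a2 ;;  # openat(dirfd, pathname, flags, mode); open_by_handle_at(mount_fd, handle, flags)
        *)                        return 1 ;; # creat, truncate, ftruncate take no flags word
    esac
}

# lint_open_rule <rule>: "ok" when every syscall in the rule's -S list keeps its
# flags in the argument the rule's "-F aN&mask" tests; otherwise a diagnosis and
# a non-zero status. Mixing open with openat under one aN filter cannot be right.
lint_open_rule() {
    syscalls=$(printf '%s\n' "$1" | sed -n 's/.* -S \([^ ]*\).*/\1/p')
    tested=$(printf '%s\n' "$1" | sed -n 's/.* -F \(a[0-3]\)&[0-7]*.*/\1/p')
    [ -n "$tested" ] || { echo "no -F aN&mask test in rule"; return 1; }
    for sc in $(printf '%s\n' "$syscalls" | tr ',' ' '); do
        want=$(flags_arg "$sc") || { echo "$sc: takes no open flags, cannot use $tested&mask"; return 1; }
        [ "$want" = "$tested" ] || { echo "$sc: flags are in $want, rule tests $tested"; return 1; }
    done
    echo ok
}

# Demo: which opens the 01003 mask catches, and a correct rule beside a wrong one.
printf 'O_WRONLY|O_TRUNC & 01003 -> %s\n' "$(open_flags_match $((O_WRONLY | O_TRUNC)) $MOD_MASK)"
printf 'O_RDONLY         & 01003 -> %s\n' "$(open_flags_match $O_RDONLY $MOD_MASK)"
printf 'O_RDONLY|O_CREAT & 0100  -> %s\n' "$(open_flags_match $((O_RDONLY | O_CREAT)) $CREATE_MASK)"
lint_open_rule '-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification'
lint_open_rule '-a always,exit -F arch=b64 -S open,openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification' || true
```

Note that a read-only open with O_CREAT passes the 0100 creation mask but not the 01003 modification mask, which is why the upstream rule set keeps separate create, modification and catch-all access rules and orders the catch-all last.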
# Remediation (bash). create_audit_remediation_unsuccessful_file_modification_detailed
# is a helper from the shared remediation functions of scap-security-guide and is not
# defined on this page: it writes the upstream OSPP v4.2 block of unsuccessful
# create/modification/access rules (the same block the Ansible remediation below
# installs) into the rules.d file named as its argument.
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Add unsuccessful file operations audit rules
blockinfile:
path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
create: true
block: |-
## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 7 systems that target OSPP compliance.
## The following content has been retrieved on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_o_trunc_write
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-81121-6
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Record Unsuccessful Ownership Changes to Files - fchownat
The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a number of ways while still achieving
the desired effect. Here the audit rule checks a single system call independently
of other system calls. Grouping system calls related to the same event is more
efficient, as in the following example, which covers the whole ownership-changing
family in one rule:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
The key is a free-form tag; with unsuccesful-perm-change these ownership failures
land in the same search bucket as the permission failures of the chmod rule. Use a
distinct key if the two should be searchable separately.
References: CCI-000172; NIST SP 800-53 AU-2(d), AU-12(c), CM-6(a); SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to change ownership of files could be an indicator of
malicious activity on a system. Auditing these events could serve as evidence of
potential system compromise.
CCE-81084-6
# Remediation (bash). fix_audit_syscall_rule is a helper from the shared remediation
# functions of scap-security-guide and is not defined on this page: for the given
# tool ('auditctl' reads /etc/audit/audit.rules, 'augenrules' reads
# /etc/audit/rules.d/$GROUP.rules) it appends FULL_RULE, or merges the syscall into
# an existing rule of the same group when a rule matching PATTERN is already there.
# Note that the remediation tags the rules with key=access (the GROUP name) rather
# than the key=unsuccesful-perm-change shown in the description; the key is a
# free-form tag, so search for these events with the key that was actually installed.
# Retrieve hardware architecture of the underlying system: a 64-bit kernel still
# executes 32-bit system calls, so it needs both the b32 and the b64 rule.
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  # One rule per error a denied fchownat can return: -EACCES and -EPERM
  for EXIT_CODE in -EACCES -EPERM
  do
    PATTERN="-a always,exit -F arch=$ARCH -S fchownat -F exit=$EXIT_CODE.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F exit=$EXIT_CODE -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  done
done
- name: Set architecture for audit fchownat tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
  - audit_rules_unsuccessful_file_modification_fchownat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81084-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fchownat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchownat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81084-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_fchownat.matched is defined and find_fchownat.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchownat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81084-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}'
  when:
  - find_fchownat.matched is defined and find_fchownat.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchownat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81084-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchownat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchownat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81084-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchownat rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchownat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81084-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchownat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81084-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchownat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81084-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
The audit system should collect unauthorized file accesses for
all users and root. The openat syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will assure that unsuccessful attempts to create a
file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81115-8
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Add unsuccessful file operations audit rules
  blockinfile:
    path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
    create: true
    block: |-
      ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 7 systems that target OSPP compliance.
      ## The following content has been retrieved on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
      ## The purpose of these rules is to meet the requirements for Operating
      ## System Protection Profile (OSPP)v4.2. These rules depend on having
      ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
      ## Unsuccessful file creation (open with O_CREAT)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      ## Unsuccessful file modifications (open for write or truncate)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      ## Unsuccessful file access (any other opens) This has to go last.
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_openat_o_creat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81115-8
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
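How the kernel applies exit-filter rules of this shape, modelled in Python as an added example (not code from the SCAP Security Guide or the audit-userspace project): `-F a2&0100` is a bit test on the flags argument of openat, where octal 0100 is O_CREAT, and the first matching rule decides the key, which is why the catch-all `unsuccesful-access` rules in the snippet above have to go last. The event dicts are constructed; only the filter types these rules use are implemented.

```python
"""Model how the kernel matches exit-filter audit rules (added example).

Implements only what the rules above use: -F arch=, -S syscall lists,
-F exit=-Exxx, -F auid>=/!= (including 'unset'), -F aN&MASK and -F key=.
"""
import errno
import re

AUID_UNSET = 4294967295  # an unset loginuid is stored as -1 (u32)
FILTER_RE = re.compile(r"([a-z0-9]+)(>=|<=|!=|=|>|<|&)(.+)")


def c_number(text):
    """Parse a number like auditctl's strtoul(..., 0): 0x.. hex, 0.. octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)  # "0100" is octal 64, i.e. O_CREAT
    return int(t)


def parse_rule(line):
    """Turn one '-a always,exit ...' rule line into a dict of its filters."""
    tokens = line.split()
    rule = {"arch": None, "syscalls": set(), "filters": [], "key": None}
    i = 0
    while i < len(tokens):
        if tokens[i] == "-a":  # action,list; only the exit list is modelled
            i += 2
        elif tokens[i] == "-S":
            rule["syscalls"].update(tokens[i + 1].split(","))
            i += 2
        elif tokens[i] == "-F":
            m = FILTER_RE.fullmatch(tokens[i + 1])
            if not m:
                raise ValueError("unsupported filter: " + tokens[i + 1])
            field, op, value = m.groups()
            if field == "key":
                rule["key"] = value
            elif field == "arch":
                rule["arch"] = value
            else:
                rule["filters"].append((field, op, value))
            i += 2
        else:
            raise ValueError("unsupported token: " + tokens[i])
    return rule


def filter_matches(event, field, op, value):
    """Evaluate one '-F field op value' against an event dict."""
    actual = event.get(field, 0)
    if op == "&":  # bit test: true when any bit of the mask is set in the argument
        return (actual & c_number(value)) != 0
    if field == "exit" and value.startswith("-E"):
        want = -getattr(errno, value[1:])  # -EACCES -> -13, -EPERM -> -1
    elif field == "auid" and value == "unset":
        want = AUID_UNSET
    else:
        want = c_number(value)
    return {"=": actual == want, "!=": actual != want,
            ">=": actual >= want, "<=": actual <= want,
            ">": actual > want, "<": actual < want}[op]


def rule_matches(rule, event):
    if rule["arch"] is not None and rule["arch"] != event["arch"]:
        return False
    if event["syscall"] not in rule["syscalls"]:
        return False
    return all(filter_matches(event, f, o, v) for f, o, v in rule["filters"])


def first_matching_key(rule_lines, event):
    """The kernel stops at the first matching exit-filter rule, so rule order matters."""
    for line in rule_lines:
        rule = parse_rule(line)
        if rule_matches(rule, event):
            return rule["key"]
    return None


# The b64 EACCES rules from the OSPP snippet above, in the order the snippet requires.
OSPP_RULES = [
    "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create",
    "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification",
    "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access",
]


def sample_event(flags, exit_code=-errno.EACCES, auid=1000, arch="b64"):
    """Constructed openat(2) exit event; a2 carries the open flags."""
    return {"arch": arch, "syscall": "openat", "a2": flags, "exit": exit_code, "auid": auid}


if __name__ == "__main__":
    O_WRONLY, O_CREAT = 0o1, 0o100
    print(first_matching_key(OSPP_RULES, sample_event(O_WRONLY | O_CREAT)))  # unsuccesful-create
    print(first_matching_key(OSPP_RULES, sample_event(O_WRONLY)))  # unsuccesful-modification
    print(first_matching_key(OSPP_RULES, sample_event(0)))  # unsuccesful-access
    # A daemon (unset loginuid) is filtered out by auid!=unset:
    print(first_matching_key(OSPP_RULES, sample_event(O_CREAT, auid=AUID_UNSET)))  # None
    # Putting the catch-all rule first swallows the more specific keys:
    print(first_matching_key(OSPP_RULES[::-1], sample_event(O_WRONLY | O_CREAT)))  # unsuccesful-access
```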
Record Successful Permission Changes to Files - chmod
At a minimum, the audit system should collect file permission changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File permission changes could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82097-7
Record Unsuccessful Ownership Changes to Files - lchown
The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81078-8
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
# fix_audit_syscall_rule is a helper from the guide's shared bash remediation
# functions; it is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lchown -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S lchown -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit lchown tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_lchown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81078-8
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_lchown
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_lchown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81078-8
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_lchown.matched is defined and find_lchown.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_lchown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81078-8
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_lchown.files | map(attribute=''path'') | list | first }}'
  when:
  - find_lchown.matched is defined and find_lchown.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_lchown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81078-8
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the lchown rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_lchown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81078-8
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the lchown rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_lchown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81078-8
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_lchown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81078-8
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the lchown rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_lchown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81078-8
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
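A check that a rules.d directory covers the lchown rules described above, written as an added example (not the guide's own OVAL check or remediation). It accepts the grouped form the note recommends (`-S lchown,fchown,chown,fchownat`) as well as single-syscall rules, requires both the `-EACCES` and `-EPERM` variants per architecture, and insists on the `auid>=1000` and `auid!=unset` filters; the sample rule files are constructed, and `load_rules_dir` is provided for running against a real host.

```python
"""Verify that rules.d covers a syscall for unsuccessful attempts (added example)."""
import re
from pathlib import Path

ARCH_RE = re.compile(r"-F\s+arch=(b32|b64)\b")
SYSCALL_RE = re.compile(r"-S\s+(\S+)")
EXIT_RE = re.compile(r"-F\s+exit=(-E[A-Z]+)\b")
EXPECTED_EXITS = ("-EACCES", "-EPERM")


def rule_fields(line):
    """Extract arch, the set of syscalls and the exit filter from one rule line.

    Returns None for comments, watch rules (-w) and rules without an exit filter.
    """
    line = line.strip()
    if not line.startswith("-a always,exit"):
        return None
    arch = ARCH_RE.search(line)
    syscalls = SYSCALL_RE.search(line)
    exit_ = EXIT_RE.search(line)
    if not (arch and syscalls and exit_):
        return None
    return {
        "arch": arch.group(1),
        "syscalls": set(syscalls.group(1).split(",")),
        "exit": exit_.group(1),
        # The guide's rules scope to real users and exclude daemons (unset loginuid).
        "user_scoped": "-F auid>=1000" in line
        and ("-F auid!=unset" in line or "-F auid!=4294967295" in line),
    }


def missing_rules(rules_by_file, syscall, archs=("b32", "b64")):
    """Return the (arch, exit) pairs for which no rule covers `syscall`.

    `rules_by_file` maps a file name to its text. An empty list means the
    directory satisfies the check for every arch in `archs`; a 32-bit host
    would pass archs=("b32",).
    """
    covered = set()
    for text in rules_by_file.values():
        for line in text.splitlines():
            fields = rule_fields(line)
            if fields and syscall in fields["syscalls"] and fields["user_scoped"]:
                covered.add((fields["arch"], fields["exit"]))
    return [(arch, exit_) for arch in archs for exit_ in EXPECTED_EXITS
            if (arch, exit_) not in covered]


def load_rules_dir(directory="/etc/audit/rules.d"):
    """Read every *.rules file in the directory (augenrules does not recurse)."""
    return {p.name: p.read_text() for p in sorted(Path(directory).glob("*.rules"))}


# Constructed rules.d content: grouped b32 rules, a lone b64 EACCES rule, and a
# b64 EPERM rule that is missing the auid!=unset filter.
SAMPLE_RULES = {
    "access.rules": "\n".join([
        "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change",
        "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change",
        "-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access",
    ]),
    "identity.rules": "\n".join([
        "## watch rules have no exit filter and are ignored by the check",
        "-w /etc/passwd -p wa -k identity",
        "-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F key=access",
    ]),
}

if __name__ == "__main__":
    print(missing_rules(SAMPLE_RULES, "lchown"))  # [('b64', '-EPERM')]
    print(missing_rules(SAMPLE_RULES, "fchownat"))  # [('b64', '-EACCES'), ('b64', '-EPERM')]
    print(missing_rules(SAMPLE_RULES, "lchown", archs=("b32",)))  # []
```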
Record Successful Permission Changes to Files - fsetxattr
At a minimum, the audit system should collect file permission changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File permission changes could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82112-4
Record Unsuccessful Access Attempts to Files - truncate
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-80389-0
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Set architecture for audit truncate tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_truncate
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80389-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030540
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_truncate
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_truncate
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80389-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030540
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_truncate.matched is defined and find_truncate.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_truncate
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80389-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030540
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_truncate.files | map(attribute=''path'') | list | first }}'
  when:
  - find_truncate.matched is defined and find_truncate.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_truncate
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80389-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030540
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the truncate rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_truncate
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80389-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030540
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the truncate rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_truncate
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80389-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030540
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the truncate rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_truncate
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80389-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030540
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the truncate rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_truncate
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80389-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030540
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
Record Unsuccessful Permission Changes to Files - removexattr
The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81098-6
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
# fix_audit_syscall_rule is a helper from the guide's shared bash remediation
# functions; it is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EPERM.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit removexattr tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81098-6
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_removexattr
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81098-6
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when:
    - find_removexattr.matched is defined and find_removexattr.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81098-6
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}'
  when:
    - find_removexattr.matched is defined and find_removexattr.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81098-6
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the removexattr rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81098-6
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the removexattr rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81098-6
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81098-6
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81098-6
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
Record Unsuccessful Ownership Changes to Files - chown
The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the audit rule checks a system call
independently of other system calls. Grouping system calls related to the same
event into one rule is more efficient, because the kernel has fewer rules to
evaluate on every system call. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-81082-0
Remediation Shell script:
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system:
# a 32-bit kernel only needs the b32 rules, a 64-bit kernel needs both b32 and b64
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
# fix_audit_syscall_rule is a helper from the scap-security-guide shared remediation
# functions and is not defined in this snippet. It ensures FULL_RULE is present in
# the rules file of the given tool: /etc/audit/audit.rules for 'auditctl', and for
# 'augenrules' /etc/audit/rules.d/$GROUP.rules when no file in rules.d already
# holds a rule matching PATTERN.
for ARCH in "${RULE_ARCHS[@]}"
do
    # Rule for attempts that fail with EACCES (permission denied)
    PATTERN="-a always,exit -F arch=$ARCH -S chown -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
    # Rule for attempts that fail with EPERM (operation not permitted)
    PATTERN="-a always,exit -F arch=$ARCH -S chown -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit chown tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81082-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_chown
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81082-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when:
    - find_chown.matched is defined and find_chown.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81082-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_chown.files | map(attribute=''path'') | list | first }}'
  when:
    - find_chown.matched is defined and find_chown.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81082-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chown rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81082-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chown rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81082-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81082-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chown rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_chown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81082-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
Record Unsuccessful Ownership Changes to Files - fchown
The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the audit rule checks a system call
independently of other system calls. Grouping system calls related to the same
event into one rule is more efficient, because the kernel has fewer rules to
evaluate on every system call. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-81080-4
Remediation Shell script:
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system:
# a 32-bit kernel only needs the b32 rules, a 64-bit kernel needs both b32 and b64
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
# fix_audit_syscall_rule is a helper from the scap-security-guide shared remediation
# functions and is not defined in this snippet. It ensures FULL_RULE is present in
# the rules file of the given tool: /etc/audit/audit.rules for 'auditctl', and for
# 'augenrules' /etc/audit/rules.d/$GROUP.rules when no file in rules.d already
# holds a rule matching PATTERN.
for ARCH in "${RULE_ARCHS[@]}"
do
    # Rule for attempts that fail with EACCES (permission denied)
    PATTERN="-a always,exit -F arch=$ARCH -S fchown -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
    # Rule for attempts that fail with EPERM (operation not permitted)
    PATTERN="-a always,exit -F arch=$ARCH -S fchown -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit fchown tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81080-4
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fchown
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81080-4
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when:
    - find_fchown.matched is defined and find_fchown.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81080-4
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_fchown.files | map(attribute=''path'') | list | first }}'
  when:
    - find_fchown.matched is defined and find_fchown.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81080-4
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchown rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81080-4
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchown rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81080-4
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81080-4
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchown rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchown
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81080-4
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
Record Unsuccessful Permission Changes to Files - fchmodat
The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the audit rule checks a system call
independently of other system calls. Grouping system calls related to the same
event into one rule is more efficient, because the kernel has fewer rules to
evaluate on every system call. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-81090-3
Remediation Shell script:
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system:
# a 32-bit kernel only needs the b32 rules, a 64-bit kernel needs both b32 and b64
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
# fix_audit_syscall_rule is a helper from the scap-security-guide shared remediation
# functions and is not defined in this snippet. It ensures FULL_RULE is present in
# the rules file of the given tool: /etc/audit/audit.rules for 'auditctl', and for
# 'augenrules' /etc/audit/rules.d/$GROUP.rules when no file in rules.d already
# holds a rule matching PATTERN.
for ARCH in "${RULE_ARCHS[@]}"
do
    # Rule for attempts that fail with EACCES (permission denied)
    PATTERN="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
    # Rule for attempts that fail with EPERM (operation not permitted)
    PATTERN="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit fchmodat tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81090-3
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fchmodat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81090-3
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when:
    - find_fchmodat.matched is defined and find_fchmodat.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81090-3
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}'
  when:
    - find_fchmodat.matched is defined and find_fchmodat.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81090-3
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchmodat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81090-3
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81090-3
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81090-3
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_fchmodat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81090-3
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
Record Unsuccessful Permission Changes to Files - setxattr
The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the audit rule checks a system call
independently of other system calls. Grouping system calls related to the same
event into one rule is more efficient, because the kernel has fewer rules to
evaluate on every system call. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-81092-9
Remediation Shell script:
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system:
# a 32-bit kernel only needs the b32 rules, a 64-bit kernel needs both b32 and b64
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
# fix_audit_syscall_rule is a helper from the scap-security-guide shared remediation
# functions and is not defined in this snippet. It ensures FULL_RULE is present in
# the rules file of the given tool: /etc/audit/audit.rules for 'auditctl', and for
# 'augenrules' /etc/audit/rules.d/$GROUP.rules when no file in rules.d already
# holds a rule matching PATTERN.
for ARCH in "${RULE_ARCHS[@]}"
do
    # Rule for attempts that fail with EACCES (permission denied)
    PATTERN="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
    # Rule for attempts that fail with EPERM (operation not permitted)
    PATTERN="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
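The descriptions of the removexattr, chown, fchown, fchmodat and setxattr rules above leave two decisions to whoever applies them: whether an existing grouped rule (such as the "-S chmod,fchmod,fchmodat,setxattr,..." example) already covers the system call, and whether the b64 lines are needed on this kernel. The shell script below is an added, self-contained example written for this guide; it is not scap-security-guide code and does not use its fix_audit_syscall_rule helper. The function names audit_rule_covers, ensure_audit_rule and ensure_unsuccessful_rules are this example's own. Unlike the project's helper it only appends rules that are missing from the one file it is given (either /etc/audit/audit.rules for auditctl or a /etc/audit/rules.d/*.rules file for augenrules) and never rewrites an existing line, and it treats a syscall as covered when it appears anywhere in a matching rule's -S list.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: idempotent check-and-fix for the
# "unsuccessful file modification" audit rules. Function names are this example's own.

# audit_rule_covers FILE ARCH SYSCALL ERRNO
# Exit 0 when FILE holds an "-a always,exit" rule for ARCH whose -S list contains
# SYSCALL (alone or grouped with other syscalls) together with "-F exit=ERRNO",
# "-F auid>=1000" and "-F auid!=unset". The key name is deliberately not compared,
# since this guide itself uses both "unsuccesful-perm-change" and "access".
audit_rule_covers() {
    if [ ! -f "$1" ]; then return 1; fi
    awk -v arch="$2" -v sc="$3" -v err="$4" '
        /^[[:space:]]*#/ { next }                     # comment lines
        NF == 0 { next }                              # blank lines
        $1 != "-a" || $2 != "always,exit" { next }    # only syscall exit rules
        {
            a = s = e = g = u = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-F" && $(i+1) == ("arch=" arch)) a = 1
                if ($i == "-F" && $(i+1) == ("exit=" err))  e = 1
                if ($i == "-F" && $(i+1) == "auid>=1000")   g = 1
                if ($i == "-F" && $(i+1) == "auid!=unset")  u = 1
                if ($i == "-S") {
                    n = split($(i+1), list, ",")       # grouped "-S a,b,c" lists
                    for (j = 1; j <= n; j++) if (list[j] == sc) s = 1
                }
            }
            if (a && s && e && g && u) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# ensure_audit_rule FILE ARCH SYSCALL ERRNO KEY
# Append the single-syscall rule unless an equivalent rule is already present.
ensure_audit_rule() {
    if audit_rule_covers "$1" "$2" "$3" "$4"; then return 0; fi
    printf '%s\n' "-a always,exit -F arch=$2 -S $3 -F exit=$4 -F auid>=1000 -F auid!=unset -F key=$5" >> "$1"
}

# ensure_unsuccessful_rules FILE SYSCALL [KEY] [ARCHS]
# Add the -EACCES and -EPERM rules for every architecture in ARCHS. When ARCHS is
# empty the same detection as the remediation above is used: b32 only on a 32-bit
# kernel, b32 and b64 on a 64-bit kernel.
ensure_unsuccessful_rules() {
    local file="$1" sc="$2" key="${3:-access}" archs="$4" arch err
    if [ -z "$archs" ]; then
        if [ "$(getconf LONG_BIT)" = "64" ]; then archs="b32 b64"; else archs="b32"; fi
    fi
    for arch in $archs; do
        for err in -EACCES -EPERM; do
            ensure_audit_rule "$file" "$arch" "$sc" "$err" "$key"
        done
    done
}

# Demonstration on a constructed temporary rules file, not a system file.
demo() {
    local f
    f=$(mktemp)
    # Constructed sample: the guide's grouped rule already covers setxattr/-EACCES on b32.
    printf '%s\n' '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change' > "$f"
    ensure_unsuccessful_rules "$f" setxattr access "b32 b64"
    cat "$f"    # the grouped line plus the three setxattr rules that were missing
    rm -f "$f"
}

demo
```

Running the script prints the constructed file after the fix: the grouped b32/-EACCES line is left alone and only the b32/-EPERM, b64/-EACCES and b64/-EPERM rules for setxattr are appended. Pointing ensure_unsuccessful_rules at /etc/audit/rules.d/access.rules (augenrules) or /etc/audit/audit.rules (auditctl) with an empty ARCHS argument applies the same logic to a real host; the rules still need to be loaded (augenrules --load or an auditd restart) before they take effect.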
Remediation Ansible snippet:
- name: Set architecture for audit setxattr tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81092-9
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_setxattr
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81092-9
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when:
    - find_setxattr.matched is defined and find_setxattr.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81092-9
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}'
  when:
    - find_setxattr.matched is defined and find_setxattr.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81092-9
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the setxattr rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81092-9
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the setxattr rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81092-9
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81092-9
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_setxattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81092-9
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
Record Successful Permission Changes to Files - fremovexattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

Rationale: File permission changes could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-82121-5

Record Unsuccessful Access Attempts to Files - openat

At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

References: CIS 5.2.10; CIS CSC 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001:2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53 AU-2(d), AU-12(c), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172; DISA STIG RHEL-07-030520, SV-86751r5_rule; SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-80387-4
Remediation Shell script:
# create_audit_remediation_unsuccessful_file_modification_detailed is a shared
# scap-security-guide remediation helper defined outside this snippet; it writes
# the detailed unsuccessful-file-modification rule set into the given rules file
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
Remediation Ansible snippet:
- name: Set architecture for audit openat tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80387-4
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_openat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80387-4
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when:
    - find_openat.matched is defined and find_openat.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80387-4
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_openat.files | map(attribute=''path'') | list | first }}'
  when:
    - find_openat.matched is defined and find_openat.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80387-4
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the openat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80387-4
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the openat rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80387-4
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80387-4
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the openat rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80387-4
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - DISA-STIG-RHEL-07-030520
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
Record Successful Ownership Changes to Files - fchown

At a minimum, the audit system should collect file ownership changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

Rationale: File ownership changes could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-82127-2

Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE

The audit system should collect detailed unauthorized file accesses for all users and root. The openat syscall can be used to modify files if called for a write operation or with the O_TRUNC flag; this guide refers to that combination as O_TRUNC_WRITE. In the rules below, a2 is the third openat argument (the open flags), and the octal mask 01003 matches any call whose flags include O_WRONLY (01), O_RDWR (02) or O_TRUNC (01000). The following audit rules will ensure that unsuccessful attempts to modify a file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

References: CIS 5.2.10; CIS CSC 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO 27001:2013 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53 AU-2(d), AU-12(c), CM-6(a); NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; Common Criteria FAU_GEN.1.1.c; PCI DSS Req-10.2.4, Req-10.2.1; SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172; SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830

Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-81123-2
Remediation Shell script:
# create_audit_remediation_unsuccessful_file_modification_detailed is a shared
# scap-security-guide remediation helper defined outside this snippet; it writes
# the detailed unsuccessful-file-modification rule set into the given rules file
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
Remediation Ansible snippet:
- name: Add unsuccessful file operations audit rules
  blockinfile:
    path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
    create: true
    block: |-
      ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 7 systems that target OSPP compliance.
      ## The following content has been retrieved on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
      ## The purpose of these rules is to meet the requirements for Operating
      ## System Protection Profile (OSPP)v4.2. These rules depend on having
      ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
      ## Unsuccessful file creation (open with O_CREAT)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      ## Unsuccessful file modifications (open for write or truncate)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      ## Unsuccessful file access (any other opens) This has to go last.
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81123-2
    - PCI-DSS-Req-10.2.4
    - PCI-DSS-Req-10.2.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
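A checker for the coverage these rule descriptions ask for, added here as an example and not part of the scap-security-guide content: it parses auditd syscall rules, reports which (arch, syscall, exit) combinations a rules file leaves unrecorded (so a grouped rule like the one in the efficiency note counts for every syscall it names), and evaluates the a2&01003 mask of the openat O_TRUNC_WRITE rule the way the audit bitmask filter does. The sample rules file, the octal flag values and all function names are constructed here.

```python
"""Parse auditd syscall rules and check a rules file for the per-syscall coverage
this guide asks for (added example, not scap-security-guide code)."""
import re
import shlex

# Octal flag values the guide's openat masks encode (Linux x86/x86_64 <fcntl.h>)
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0o1, 0o2, 0o100, 0o1000
CREATE_MASK = O_CREAT                      # the guide's "a2&0100"
MODIFY_MASK = O_WRONLY | O_RDWR | O_TRUNC  # the guide's "a2&01003"

_FIELD = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|&=|&|=|>|<)(.+)$")


def parse_rule(line):
    """Turn one '-a always,exit ...' line into a dict; None if it is not a syscall rule."""
    toks = shlex.split(line.split("#", 1)[0])
    if len(toks) < 2 or toks[0] != "-a" or set(toks[1].split(",")) != {"always", "exit"}:
        return None
    rule = {"syscalls": set(), "fields": [], "key": None}
    i = 2
    while i + 1 < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-S":                      # may repeat; each may list several syscalls
            rule["syscalls"].update(arg.split(","))
        elif opt == "-F":
            m = _FIELD.match(arg)
            if not m:
                raise ValueError("bad -F expression: %r" % arg)
            name, op, value = m.groups()
            if name == "key":
                rule["key"] = value
            else:
                rule["fields"].append((name, op, value))
        elif opt == "-k":
            rule["key"] = arg
        i += 2
    return rule


def _has(rule, name, op, value):
    return (name, op, value) in rule["fields"]


def rule_covers(rule, arch, syscall, exit_code):
    """True if the rule records syscall failing with exit_code for logged-in users on arch."""
    return (syscall in rule["syscalls"]
            and _has(rule, "arch", "=", arch)
            and _has(rule, "exit", "=", exit_code)
            and _has(rule, "auid", ">=", "1000")
            and _has(rule, "auid", "!=", "unset"))


def missing_rules(rules_text, syscalls, archs=("b32", "b64"), exits=("-EACCES", "-EPERM")):
    """List the (arch, syscall, exit) combinations that no rule in rules_text records."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    return [(a, s, e) for a in archs for s in syscalls for e in exits
            if not any(rule_covers(r, a, s, e) for r in rules)]


def flags_match_mask(open_flags, mask):
    """An 'aN&mask' filter matches when the argument shares at least one bit with the mask."""
    return (open_flags & mask) != 0


# Constructed sample of a /etc/audit/rules.d/*.rules file (not taken from a real host)
SAMPLE_RULES = """\
## grouped unsuccessful permission-change rules, as the guide's efficiency note suggests
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
## a rule without the auid filters, which must not count as coverage
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F key=unsuccesful-perm-change
## unsuccessful modification via openat, keyed on the open flags
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
"""

if __name__ == "__main__":
    for gap in missing_rules(SAMPLE_RULES, ["setxattr", "lsetxattr", "lremovexattr"]):
        print("missing: arch=%s syscall=%s exit=%s" % gap)
    # The O_TRUNC_WRITE mask catches write, read-write and truncating opens,
    # but not a plain read-only open (flags == 0).
    print(flags_match_mask(O_WRONLY | O_CREAT, MODIFY_MASK))  # True
    print(flags_match_mask(O_TRUNC, MODIFY_MASK))             # True
    print(flags_match_mask(0, MODIFY_MASK))                   # False
```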
Record Successful Permission Changes to Files - lsetxattr

At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

Rationale: File permission changes could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-82109-0

Record Successful Delete Attempts to Files - unlinkat

At a minimum, the audit system should collect file deletion for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

Rationale: File deletion attempts could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-82088-6

Record Unsuccessful Permission Changes to Files - lremovexattr

The audit system should collect unsuccessful file permission change attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

References: CCI-000172; NIST 800-53 AU-2(d), AU-12(c), CM-6(a); SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830

Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Identifiers: CCE-81100-0
Remediation Shell script:
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    # (fix_audit_syscall_rule is a shared scap-security-guide remediation helper
    # defined outside this snippet)
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Remediation Ansible snippet:
- name: Set architecture for audit lremovexattr tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81100-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_lremovexattr
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81100-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/access.rules
  when:
    - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81100-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}'
  when:
    - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81100-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the lremovexattr rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81100-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81100-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_unsuccessful_file_modification_lremovexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-81100-0
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
    - -a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    - -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81100-0
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Record Unsuccessful Access Attempts to Files - creat
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, RHEL-07-030500, SV-86747r5_rule, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-80385-8
# Bash remediation: calls the shared helper from the scap-security-guide bash remediation functions (not defined in this snippet)
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Add unsuccessful file operations audit rules
  blockinfile:
    path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
    create: true
    block: |-
      ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 7 systems that target OSPP compliance.
      ## The following content has been retrieved on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
      ## The purpose of these rules is to meet the requirements for Operating
      ## System Protection Profile (OSPP) v4.2. These rules depend on having
      ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
      ## Unsuccessful file creation (open with O_CREAT)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      ## Unsuccessful file modifications (open for write or truncate)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      ## Unsuccessful file access (any other opens) This has to go last.
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_creat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80385-8
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030500
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
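The check an auditor would want after applying either form of the rule above is whether a rules file already covers the four (architecture, exit value) combinations the guide requires for a system call, counting a grouped rule such as -S open,creat,truncate,... as coverage for each of its members. The following shell script is an added example, not part of this guide or its SCAP/OVAL checks; the rules files it creates are constructed sample data, and the function names are the example's own.

```shell
#!/bin/bash
# Added example (not part of the SCAP Security Guide or its OVAL checks):
# verify that an audit rules file covers a required (arch, syscall, exit value)
# combination. A rule counts as covering the syscall when the syscall appears
# anywhere in its "-S" list, so the grouped rules the guide recommends satisfy
# the check just like the per-syscall rules shown in the text.

# audit_rule_covers FILE ARCH SYSCALL EXITVAL
#   Returns 0 when FILE holds an active "-a always,exit" rule for ARCH whose
#   -S list contains SYSCALL and whose "-F exit=" value equals EXITVAL.
#   Comment and blank lines are ignored, so a commented-out rule does not count.
audit_rule_covers() {
    local file="$1" arch="$2" syscall="$3" exitval="$4"
    awk -v arch="$arch" -v sc="$syscall" -v ev="$exitval" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 != "-a" || $2 != "always,exit" { next }
        {
            has_arch = 0; has_exit = 0; has_sc = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-F" && $(i + 1) == "arch=" arch) has_arch = 1
                if ($i == "-F" && $(i + 1) == "exit=" ev) has_exit = 1
                if ($i == "-S") {
                    n = split($(i + 1), list, ",")
                    for (j = 1; j <= n; j++) if (list[j] == sc) has_sc = 1
                }
            }
            if (has_arch && has_exit && has_sc) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$file"
}

# missing_unsuccessful_rules FILE SYSCALL
#   Checks the four combinations the guide requires for an "unsuccessful"
#   rule (b32/b64 x -EACCES/-EPERM), prints "ARCH EXITVAL" for each one that
#   FILE lacks and returns the number of missing combinations (0 = covered).
missing_unsuccessful_rules() {
    local file="$1" syscall="$2" missing=0 arch ev
    for arch in b32 b64; do
        for ev in -EACCES -EPERM; do
            if ! audit_rule_covers "$file" "$arch" "$syscall" "$ev"; then
                echo "$arch $ev"
                missing=$((missing + 1))
            fi
        done
    done
    return "$missing"
}

# make_sample_rules: writes two constructed rules files (sample data, not taken
# from any real system) into a temporary directory and prints its path.
make_sample_rules() {
    local dir
    dir=$(mktemp -d)
    # Grouped rules in the style of the OSPP snippet: cover creat on both arches.
    cat > "$dir/grouped.rules" <<'EOF'
## constructed sample
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
EOF
    # Per-syscall rules with the b64 EPERM rule commented out (a common drift).
    cat > "$dir/partial.rules" <<'EOF'
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
#-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
EOF
    echo "$dir"
}

# Stand-alone demonstration on the constructed samples.
sample_dir=$(make_sample_rules)
for f in grouped partial; do
    echo "== $f.rules"
    missing_unsuccessful_rules "$sample_dir/$f.rules" creat || echo "missing combinations: $?"
done
```

On a live system the same functions can be pointed at /etc/audit/rules.d/*.rules or /etc/audit/audit.rules, whichever loader the daemon is configured with; note that the check reads the files, not the rules currently loaded in the kernel, so a reboot or augenrules --load is still needed before auditctl -l reflects a change.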
Record Successful Permission Changes to Files - fchmodat
At a minimum, the audit system should collect file permission changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmodat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmodat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
Rationale: File permission changes could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-82103-3
Record Unsuccessful Creation Attempts to Files - open O_CREAT
The audit system should collect unauthorized file accesses for
all users and root. The open syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will ensure that unsuccessful attempts to create a
file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-81119-0
# Bash remediation: calls the shared helper from the scap-security-guide bash remediation functions (not defined in this snippet)
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Add unsuccessful file operations audit rules
  blockinfile:
    path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
    create: true
    block: |-
      ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 7 systems that target OSPP compliance.
      ## The following content has been retrieved on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
      ## The purpose of these rules is to meet the requirements for Operating
      ## System Protection Profile (OSPP) v4.2. These rules depend on having
      ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
      ## Unsuccessful file creation (open with O_CREAT)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      ## Unsuccessful file modifications (open for write or truncate)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      ## Unsuccessful file access (any other opens) This has to go last.
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open_o_creat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81119-0
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
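The OSPP snippet above marks its catch-all rules with "This has to go last". The reason is that the kernel walks the exit filter list in order and stops at the first rule that matches, so a broad -S open,creat,... rule placed ahead of the narrower -F a1&0100 rule for the same architecture and exit value would record the O_CREAT failure under the catch-all key and the unsuccesful-create key would never appear. The following shell script is an added example, not part of this guide, that lints a rules file for exactly that ordering mistake; the two rules files it creates are constructed sample data and the function name is the example's own.

```shell
#!/bin/bash
# Added example (not from the SCAP Security Guide): lint an audit rules file for
# the ordering problem the OSPP snippet warns about ("This has to go last").
# The kernel evaluates exit-filter rules in order and stops at the first match,
# so a catch-all "-S open,..." rule placed before a narrower "-F a1&0100" rule
# for the same arch, syscall and exit value hides the narrower rule and its key.

# audit_rules_shadowed FILE
#   Prints one line per narrowed rule (one carrying an "-F aN&MASK" filter) that
#   is preceded by a catch-all rule sharing its arch, exit value and at least one
#   syscall. Returns the number of shadowed rules (0 = ordering is sound).
audit_rules_shadowed() {
    awk '
        function overlap(a, b,    la, lb, n, m, i, j) {
            n = split(a, la, ","); m = split(b, lb, ",")
            for (i = 1; i <= n; i++)
                for (j = 1; j <= m; j++)
                    if (la[i] == lb[j]) return 1
            return 0
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 != "-a" || $2 != "always,exit" { next }
        {
            arch = ""; ev = ""; scs = ""; narrow = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-F") {
                    if ($(i + 1) ~ /^arch=/) arch = substr($(i + 1), 6)
                    else if ($(i + 1) ~ /^exit=/) ev = substr($(i + 1), 6)
                    else if ($(i + 1) ~ /^a[0-9]&/) narrow = 1
                } else if ($i == "-S") {
                    scs = $(i + 1)
                }
            }
            nr++
            r_arch[nr] = arch; r_exit[nr] = ev; r_sc[nr] = scs
            r_narrow[nr] = narrow; r_line[nr] = NR
            if (!narrow) next
            # Look for an earlier catch-all rule that would match first.
            for (k = 1; k < nr; k++) {
                if (!r_narrow[k] && r_arch[k] == arch && r_exit[k] == ev && overlap(r_sc[k], scs)) {
                    printf "line %d (-S %s) is shadowed by the catch-all rule on line %d\n", NR, scs, r_line[k]
                    shadowed++
                    break
                }
            }
        }
        END { exit shadowed + 0 }
    ' "$1"
}

# make_sample_order: constructed sample files (not taken from a real system).
make_sample_order() {
    local dir
    dir=$(mktemp -d)
    # Correct order: the narrowed O_CREAT rule comes before the catch-all.
    cat > "$dir/good.rules" <<'EOF'
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
EOF
    # Wrong order: the catch-all comes first and swallows the b64 O_CREAT events;
    # the b32 rule is not affected because the catch-all is b64 only.
    cat > "$dir/bad.rules" <<'EOF'
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
EOF
    echo "$dir"
}

# Stand-alone demonstration on the constructed samples.
sample_dir=$(make_sample_order)
for f in good bad; do
    echo "== $f.rules"
    audit_rules_shadowed "$sample_dir/$f.rules" || echo "shadowed rules: $?"
done
```

Because augenrules concatenates /etc/audit/rules.d/*.rules in lexical file-name order, the lint is most useful when run on the concatenated output rather than on a single file, which is why the OSPP rules carry the 30- prefix relative to the 10- and 11- base files they depend on.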
Record Unsuccessful Permission Changes to Files - fremovexattr
The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-81102-6
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
# fix_audit_syscall_rule is the shared helper from the scap-security-guide bash
# remediation functions; it is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit fremovexattr tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fremovexattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81102-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fremovexattr
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fremovexattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81102-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fremovexattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81102-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}'
  when:
  - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fremovexattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81102-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fremovexattr rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
  - -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fremovexattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81102-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
  - -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fremovexattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81102-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
  - -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fremovexattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81102-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
  - -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fremovexattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81102-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
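The fremovexattr rule above, like the other per-syscall rules in this section, ends with the note that grouping system calls related to the same event is more efficient, and shows a single grouped line as the target form. The following shell script is an added example, not part of this guide, that performs that consolidation mechanically: it merges runs of consecutive rules which differ only in their -S list into one grouped rule. It deliberately merges adjacent rules only, because the kernel applies the first matching rule and moving a rule past an unrelated one could change which key an event is recorded under. The rules file it creates is constructed sample data and the function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the SCAP Security Guide): consolidate runs of
# consecutive per-syscall rules into the grouped form the guide recommends.
# Only adjacent rules that differ solely in their "-S" list are merged, so the
# first-match order of the file is preserved.

# merge_adjacent_audit_rules FILE
#   Prints FILE with each run of consecutive "-a always,exit" rules that share
#   every field except the -S list collapsed into one rule whose -S list is the
#   comma-joined union. Comments, blank lines and other lines pass through and
#   end the current run.
merge_adjacent_audit_rules() {
    awk '
        function flush(    out) {
            if (have) {
                out = prefix " -S " scs
                if (suffix != "") out = out " " suffix
                print out
            }
            have = 0
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { flush(); print; next }
        $1 != "-a" || $2 != "always,exit" { flush(); print; next }
        {
            # Split the rule into the fields before -S, the -S list, and the rest.
            p = ""; s = ""; cur = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-S") { cur = $(i + 1); i++; continue }
                if (cur == "") p = p (p == "" ? "" : " ") $i
                else s = s (s == "" ? "" : " ") $i
            }
            if (cur == "") { flush(); print; next }
            if (have && p == prefix && s == suffix) { scs = scs "," cur; next }
            flush()
            prefix = p; suffix = s; scs = cur; have = 1
        }
        END { flush() }
    ' "$1"
}

# make_sample_per_syscall: constructed sample file (not taken from a real system)
# holding one rule per syscall in the style of this guide; prints its path.
make_sample_per_syscall() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/perm.rules" <<'EOF'
## constructed sample: one rule per syscall, as shown in this guide
-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
EOF
    echo "$dir/perm.rules"
}

# Stand-alone demonstration: six per-syscall rules become three grouped rules.
merge_adjacent_audit_rules "$(make_sample_per_syscall)"
```

The merged output keeps the arch, exit value, auid filters and key of each run unchanged, so the grouped rules match exactly the events the per-syscall rules matched; the gain is fewer rules for the kernel to walk on every syscall exit.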
Record Successful Ownership Changes to Files - lchown
At a minimum, the audit system should collect file ownership changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
Rationale: File ownership changes could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-82124-9
Record Unsuccessful Delete Attempts to Files - unlink
The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Identifiers: CCE-81106-7
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
# fix_audit_syscall_rule is the shared helper from the scap-security-guide bash
# remediation functions; it is not defined in this snippet.
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit unlink tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_unlink
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81106-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_unlink
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_unlink
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81106-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_unlink.matched is defined and find_unlink.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_unlink
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81106-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_unlink.files | map(attribute=''path'') | list | first }}'
  when:
  - find_unlink.matched is defined and find_unlink.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_unlink
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81106-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlink rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_unlink
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81106-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlink rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_unlink
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81106-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_unlink
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81106-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlink rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_unlink
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81106-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
Record Successful Permission Changes to Files - setxattr
At a minimum, the audit system should collect file permission changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S setxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S setxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
Rationale: Changes to file permissions could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-82106-6
Record Successful Access Attempts to Files - open
At a minimum, the audit system should collect successful file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
Rationale: File access attempts could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-81146-3
Record Unsuccessful Permission Changes to Files - fsetxattr
The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read
audit rules during daemon startup (the default), add the following lines to a
file with suffix .rules in the directory /etc/audit/rules.d. If the auditd
daemon is configured to use the auditctl utility to read audit rules during
daemon startup, add the same lines to the /etc/audit/audit.rules file instead:
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI: CCI-000172; NIST 800-53: AU-2(d), AU-12(c), CM-6(a); VMM SRG: SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-81096-0
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# fix_audit_syscall_rule is supplied by the shared Bash remediation functions of the
# scap-security-guide package; it is not defined in this snippet. The remediation
# writes the rules with key=access rather than the unsuccesful-perm-change key shown
# in the description; the key only labels records for searching (ausearch -k).
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EACCES.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EPERM.*"
    GROUP="access"
    FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit fsetxattr tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fsetxattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81096-0
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fsetxattr
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fsetxattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81096-0
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fsetxattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81096-0
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}'
  when:
  - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fsetxattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81096-0
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fsetxattr rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fsetxattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81096-0
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fsetxattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81096-0
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fsetxattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81096-0
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fsetxattr
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81096-0
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
Record Successful Access Attempts to Files - open_by_handle_at
At a minimum, the audit system should collect successful file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
Rationale: File access attempts could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-82012-6
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the openat syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules, because the more specific
rules cover a subset of the events covered by the less specific rules; listed later, they would be
overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the openat syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
References: 5.2.10; CIS Controls: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171: 3.1.7; CCI: CCI-000172, CCI-002884; HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53: AU-2(d), AU-12(c), CM-6(a); NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP: FAU_GEN.1.1.c; PCI DSS: Req-10.2.4, Req-10.2.1; OS SRG: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172; VMM SRG: SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.
# Bash remediation; the function is supplied by the shared scap-security-guide remediation library
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the open syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules, because the more specific
rules cover a subset of the events covered by the less specific rules; listed later, they would be
overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the open syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
References: 5.2.10; CIS Controls: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171: 3.1.7; CCI: CCI-000172, CCI-002884; HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53: AU-2(d), AU-12(c), CM-6(a); NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP: FAU_GEN.1.1.c; PCI DSS: Req-10.2.4, Req-10.2.1; OS SRG: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172; VMM SRG: SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.
# Bash remediation; the function is supplied by the shared scap-security-guide remediation library
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
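Both ordering rules above, for openat and for open, rest on the same kernel behaviour: the syscall exit filter walks the rule list in order and the first rule that matches decides the key attached to the record, so a general rule listed first hides every more specific rule listed after it. The Python model below is an added example, not code from the SCAP Security Guide or its OVAL checks. It parses the rule syntax used in this guide, rebuilds the six b64 rules for open (flags in a1) or openat (flags in a2) in the required order, evaluates constructed syscall-exit events against them in any order, and lists orderings in which a general rule shadows a more specific one. The event records, the function names and the guide_rules generator are this example's own; the masks are decoded as octal fcntl flags (0100 is O_CREAT, 01003 is O_WRONLY|O_RDWR|O_TRUNC) and -F field&mask as "any bit of mask set", which is how auditctl and the kernel's bit-mask comparator treat them.

```python
"""First-match model of the audit exit filter for the open/openat rules in this
guide.  Added example: this is not code from the SCAP Security Guide, and the
events below are constructed, not taken from a real audit log."""
import errno
import re

# Octal open(2) flags from <fcntl.h> on Linux x86; the guide's masks are
# 0100 (O_CREAT) and 01003 (O_WRONLY | O_RDWR | O_TRUNC).
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0o1, 0o2, 0o100, 0o1000

_OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "&": lambda a, b: (a & b) != 0,   # AUDIT_BIT_MASK: any bit of the mask set
    "&=": lambda a, b: (a & b) == b,  # AUDIT_BIT_TEST: every bit of the mask set
}
_FILTER = re.compile(r"(\w+)(>=|<=|!=|&=|=|&|>|<)(.+)")


def parse_rule(line):
    """Split one '-a always,exit ...' line into syscalls, filters and key."""
    rule = {"syscalls": set(), "filters": [], "key": None}
    tokens = line.split()
    for flag, value in zip(tokens[::2], tokens[1::2]):
        if flag == "-a":
            rule["action"] = value
        elif flag == "-S":
            rule["syscalls"].update(value.split(","))
        elif flag == "-F":
            field, op, operand = _FILTER.fullmatch(value).groups()
            if field == "key":
                rule["key"] = operand
            else:
                rule["filters"].append((field, op, operand))
        else:
            raise ValueError(f"unsupported option {flag}")
    return rule


def _to_int(text):
    """Numeric operand as auditctl reads it: -Exxx is an errno, a leading 0 is octal."""
    if text.startswith("-E"):
        return -getattr(errno, text[1:])
    return int(text, 8) if len(text) > 1 and text[0] == "0" else int(text)


def _filter_matches(filt, ev):
    field, op, operand = filt
    if field == "arch":
        return _OPS[op](ev["arch"], operand)
    if field == "auid":
        # An unset loginuid (no login session, e.g. a boot-time daemon) is only
        # testable with =unset / !=unset; ordered comparisons never match it.
        if operand == "unset":
            return _OPS[op](ev["auid"] is None, True)
        if ev["auid"] is None:
            return op == "!="
        return _OPS[op](ev["auid"], int(operand))
    if field == "exit":
        return _OPS[op](ev["exit"], _to_int(operand))
    if re.fullmatch(r"a[0-3]", field):            # syscall argument a0..a3
        return _OPS[op](ev["args"][int(field[1])], _to_int(operand))
    raise ValueError(f"unsupported field {field}")


def first_match(rules, ev):
    """Key of the first rule the event satisfies, or None.  The kernel stops at
    the first matching exit-filter rule, so a general rule listed earlier hides
    every more specific rule listed after it."""
    for rule in rules:
        if ev["syscall"] in rule["syscalls"] and all(
                _filter_matches(f, ev) for f in rule["filters"]):
            return rule["key"]
    return None


def ordering_violations(rules):
    """(earlier_key, later_key) pairs where an earlier rule's filters are a strict
    subset of a later rule's on a shared syscall: the later rule is never reached
    for that syscall."""
    found = []
    for i, general in enumerate(rules):
        for specific in rules[i + 1:]:
            if general["syscalls"] & specific["syscalls"] and \
                    set(general["filters"]) < set(specific["filters"]):
                found.append((general["key"], specific["key"]))
    return found


def guide_rules(syscall, flag_arg, arch="b64"):
    """The six unsuccessful-open rules from the guide in the required order;
    flag_arg is a1 for open(2) and a2 for openat(2)."""
    lines = []
    for mask, key in (("0100", "unsuccesful-create"),
                      ("01003", "unsuccesful-modification"),
                      (None, "unsuccesful-access")):
        for err in ("-EACCES", "-EPERM"):
            spec = f" -F {flag_arg}&{mask}" if mask else ""
            lines.append(f"-a always,exit -F arch={arch} -S {syscall}{spec} "
                         f"-F exit={err} -F auid>=1000 -F auid!=unset -F key={key}")
    return [parse_rule(line) for line in lines]


def event(syscall, args, exit_code, auid=1000, arch="b64"):
    """A constructed syscall-exit record; pointer arguments are given as 0."""
    return {"syscall": syscall, "args": args, "exit": exit_code,
            "auid": auid, "arch": arch}


if __name__ == "__main__":
    rules = guide_rules("open", "a1")
    # open(path, O_WRONLY | O_CREAT, 0644) by auid 1000, denied with EACCES
    denied_create = event("open", [0, O_WRONLY | O_CREAT, 0o644], -errno.EACCES)
    print(first_match(rules, denied_create))                  # unsuccesful-create
    print(first_match(list(reversed(rules)), denied_create))  # unsuccesful-access
    print(ordering_violations(list(reversed(rules))))
```

Run with python3: the same denied open(path, O_WRONLY|O_CREAT) is tagged unsuccesful-create under the guide's order and unsuccesful-access when the access rules are listed first, and ordering_violations names the four shadowed rules. Feeding ordering_violations the parsed lines of a rules file under /etc/audit/rules.d is the check to run after editing the OSPP rules by hand.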
Record Unsuccessful Access Attempts to Files - open
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
References: 5.2.10; CIS Controls: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9; COBIT 5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171: 3.1.7; CCI: CCI-000172, CCI-002884; HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6; ISO/IEC 27001:2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2; NIST 800-53: AU-2(d), AU-12(c), CM-6(a); NIST CSF: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4; OSPP: FAU_GEN.1.1.c; PCI DSS: Req-10.2.4, Req-10.2.1; OS SRG: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172; STIG ID: RHEL-07-030510; STIG rule: SV-86749r5_rule; VMM SRG: SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Rationale: Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Identifiers: CCE-80386-6
# Bash remediation; the function is supplied by the shared scap-security-guide remediation library
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Set architecture for audit open tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80386-6
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030510
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_open
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80386-6
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030510
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_open.matched is defined and find_open.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80386-6
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030510
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_open.files | map(attribute=''path'') | list | first }}'
  when:
  - find_open.matched is defined and find_open.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80386-6
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030510
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80386-6
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030510
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80386-6
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030510
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80386-6
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - DISA-STIG-RHEL-07-030510
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the open rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80386-6
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030510
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Record Successful Permission Changes to Files - removexattr
At a minimum, the audit system should collect file permission changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S removexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S removexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File permission changes could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82115-7
Record Unsuccessful Permission Changes to Files - lsetxattr
The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
References: CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81094-5
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is the shared helper from this guide's bash remediation
# functions: it adds FULL_RULE (or updates the rule matching PATTERN) in the
# ruleset read by the given tool (auditctl: /etc/audit/audit.rules;
# augenrules: a /etc/audit/rules.d/*.rules file, falling back to $GROUP.rules)
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EACCES.*"
GROUP="access"
FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EPERM.*"
GROUP="access"
FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit lsetxattr tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81094-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_lsetxattr
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81094-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/access.rules
when:
- find_lsetxattr.matched is defined and find_lsetxattr.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81094-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}'
when:
- find_lsetxattr.matched is defined and find_lsetxattr.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81094-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the lsetxattr rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81094-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81094-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81094-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_lsetxattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81094-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Record Successful Access Attempts to Files - ftruncate
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File access attempts could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82004-3
Record Successful Ownership Changes to Files - chown
At a minimum, the audit system should collect file ownership changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File ownership changes could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82130-6
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
The audit system should collect unauthorized file accesses for
all users and root. The open_by_handle_at syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will ensure that unsuccessful attempts to create a
file via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81117-4
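The grouping note on the lsetxattr rule and the O_CREAT form of the open_by_handle_at rule both raise the same practical question: does a given ruleset actually cover every required (architecture, syscall, filter) combination once rules are grouped or narrowed? The following added example (not the guide's OVAL check or remediation code) reads rules the way auditctl does, expands grouped -S lists, and reports the gaps; a rule carrying an extra narrowing filter such as a2&0100 is not counted as covering the broader requirement. The sample ruleset and the requirement helper are constructed.

```python
"""Check an audit ruleset for the syscall rules this guide requires.

Added example; not part of the SCAP Security Guide or its OVAL checks. It reads
'-a always,exit' rules the way auditctl does, expands grouped syscall lists
(-S a,b,c) and reports which required (arch, syscall, filters) combinations are
missing: a single grouped rule counts for every syscall it names, while a rule
narrowed by an extra filter (such as the a2&0100 O_CREAT mask) does not count
for the broader requirement. Sample rules and helper names are constructed.
"""
from dataclasses import dataclass

BASE_FILTERS = ("auid>=1000", "auid!=unset")   # present on every rule in the guide


@dataclass(frozen=True)
class Requirement:
    """One rule the guide expects: architecture, syscall and the -F filters it must carry."""
    arch: str
    syscall: str
    filters: frozenset


def unsuccessful(syscall, archs=("b32", "b64"), errnos=("EACCES", "EPERM"), extra=()):
    """Requirements for an unsuccessful-* rule: one per (arch, errno), with the
    auid filters and any extra filter such as the a2&0100 create mask."""
    return [Requirement(arch, syscall, frozenset(BASE_FILTERS + ("exit=-" + errno,) + tuple(extra)))
            for arch in archs for errno in errnos]


def parse_rule(line):
    """Return (action, syscalls, filters) for a '-a' rule line, else None.
    -S lists are split on commas; -F and -k values are collected as filter strings."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-a":
        return None
    syscalls, filters = set(), set()
    for flag, value in zip(tokens[2::2], tokens[3::2]):
        if flag == "-S":
            syscalls.update(value.split(","))
        elif flag == "-F":
            filters.add(value)
        elif flag == "-k":
            filters.add("key=" + value)
    return tokens[1], syscalls, filters


def satisfies(rule, req):
    """True when the rule fires for every event the requirement describes."""
    action, syscalls, filters = rule
    if action != "always,exit" or req.syscall not in syscalls:
        return False
    needed = set(req.filters) | {"arch=" + req.arch}
    if not needed <= filters:
        return False
    # Any further -F (other than the key) narrows the rule, so it covers only a
    # subset of the required events; e.g. a2&0100 limits it to O_CREAT opens.
    narrowing = {f for f in filters - needed if not f.startswith("key=")}
    return not narrowing


def coverage(rules_text, requirements):
    """Map each requirement to the rule lines that satisfy it (empty list = gap)."""
    parsed = []
    for line in rules_text.splitlines():
        rule = parse_rule(line.strip())
        if rule:
            parsed.append((line.strip(), rule))
    return {req: [line for line, rule in parsed if satisfies(rule, req)]
            for req in requirements}


def missing(rules_text, requirements):
    """Requirements that no rule in the file covers."""
    return [req for req, hits in coverage(rules_text, requirements).items() if not hits]


# Constructed sample ruleset: grouped 'access' rules as in the guide's grouping
# note, but the b64 EPERM rule exists only in its O_CREAT-narrowed form.
SAMPLE_RULES = """\
## constructed sample, not a real system's ruleset
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
"""

REQUIRED = (unsuccessful("open_by_handle_at")
            + unsuccessful("ftruncate")
            + unsuccessful("open_by_handle_at", extra=("a2&0100",))
            + unsuccessful("lsetxattr"))

if __name__ == "__main__":
    for req in missing(SAMPLE_RULES, REQUIRED):
        print("missing: arch=%s syscall=%s filters=%s"
              % (req.arch, req.syscall, " ".join(sorted(req.filters))))
```

Running it against a real host means feeding it the concatenation of /etc/audit/rules.d/*.rules (augenrules) or /etc/audit/audit.rules (auditctl), whichever the daemon loads.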
# create_audit_remediation_unsuccessful_file_modification_detailed is a shared
# helper from this guide's bash remediation functions; it writes the unsuccessful
# file operation rules (the same set the Ansible task below installs) into the
# given rules.d file
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Add unsuccessful file operations audit rules
blockinfile:
path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
create: true
block: |-
## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 7 systems that target OSPP compliance.
## The following content has been retrieved on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depend on having
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-81117-4
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
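The keys in the rule set above (unsuccesful-create, unsuccesful-modification, unsuccesful-access, and access on the per-syscall rules) end up in the key= field of SYSCALL records. The following added example (not the guide's or audit-userspace's code) shows what those records carry and how a defender triages them: it decodes the auid, the exit errno and the open-flags argument that the -F a1&0100 / -F a2&0100 masks test. Syscall numbers assume x86_64 records, and every record is constructed.

```python
"""Triage raw auditd SYSCALL records produced by the unsuccessful-file rules.

Added example; not part of the guide or of audit-userspace. It decodes the
fields the rules filter on (auid, exit errno, and the open-flags argument tested
by -F a1&0100 / -F a2&0100) and summarises failures per login user and key.
Assumptions: x86_64 records (arch=c000003e) with syscall numbers 2=open,
257=openat, 304=open_by_handle_at; all records below are constructed.
"""
import re
from collections import Counter

ERRNO = {-1: "EPERM", -13: "EACCES"}   # the two results the guide's rules select on
O_CREAT = 0o100                         # mask in -F a1&0100 (open) / -F a2&0100 (openat, open_by_handle_at)
AUID_UNSET = 4294967295                 # auid of processes with no login session (daemons, cron)
FLAGS_ARG = {"2": "a1", "257": "a2", "304": "a2"}   # argument carrying the open flags (x86_64)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw record into a dict of fields; only SYSCALL records are returned."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "SYSCALL" else None


def classify(rec):
    """Return (auid, key, errno, creating) for a failed SYSCALL record, or None
    when the call succeeded. 'creating' is True when the flags argument that the
    a1&0100 / a2&0100 rules test has O_CREAT set (flags are logged in hex)."""
    if rec.get("success") != "no":
        return None
    errno = ERRNO.get(int(rec["exit"]), rec["exit"])
    flags_arg = FLAGS_ARG.get(rec.get("syscall"))
    creating = bool(int(rec[flags_arg], 16) & O_CREAT) if flags_arg else False
    return int(rec["auid"]), rec.get("key", ""), errno, creating


def triage(log_text):
    """Count failures by (auid, key, errno) and list O_CREAT failures with the
    executable. Records with an unset auid are counted apart: the guide's
    auid!=unset filter keeps its rules from matching them, so such records come
    from some other rule and are not attributable to a logged-in user."""
    counts, creates, unset = Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        info = classify(rec) if rec else None
        if not info:
            continue
        auid, key, errno, creating = info
        if auid == AUID_UNSET:
            unset += 1
            continue
        counts[(auid, key, errno)] += 1
        if creating:
            creates.append((auid, rec.get("exe", "?"), rec["syscall"]))
    return counts, creates, unset


# Constructed records (not from a real host). a1=c1 is O_WRONLY|O_CREAT|O_EXCL,
# a2=241 is O_WRONLY|O_CREAT|O_TRUNC, a2=0 is O_RDONLY, a2=2 is O_RDWR. The
# auid=4294967295 record stands for one emitted by a rule without auid filters.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1552306800.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1 a1=c1 a2=1b6 a3=0 items=1 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="touch" exe="/usr/bin/touch" key="unsuccesful-create"
type=PATH msg=audit(1552306800.101:201): item=0 name="/etc/cron.d/x" nametype=CREATE
type=SYSCALL msg=audit(1552306800.202:202): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=1200 pid=1202 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="access"
type=SYSCALL msg=audit(1552306800.303:203): arch=c000003e syscall=304 success=no exit=-1 a0=5 a1=7ffd3 a2=2 a3=0 items=0 ppid=1300 pid=1301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="python3" exe="/usr/bin/python3" key="access"
type=SYSCALL msg=audit(1552306800.404:204): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=7ffd4 a2=241 a3=1a4 items=1 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updater" exe="/usr/libexec/updater" key="all-creates"
type=SYSCALL msg=audit(1552306800.505:205): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd5 a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1203 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="access"
"""

if __name__ == "__main__":
    counts, creates, unset = triage(SAMPLE_LOG)
    for (auid, key, errno), n in sorted(counts.items()):
        print("auid=%d key=%s %s: %d" % (auid, key, errno, n))
    print("O_CREAT failures:", creates, "| no-login-session events:", unset)
```

On a live system the same records are obtained with ausearch -k access (or the other keys) in raw form; the PATH record that follows each SYSCALL record names the file involved.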
Record Unsuccessful Access Attempts to Files - open_by_handle_at
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-80388-2
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Set architecture for audit open_by_handle_at tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80388-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030530
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_open_by_handle_at
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80388-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030530
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/access.rules
when:
- find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched
== 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80388-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030530
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first
}}'
when:
- find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched
> 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80388-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030530
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000
-F auid!=unset -F key=access
- -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000
-F auid!=unset -F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80388-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030530
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000
-F auid!=unset -F key=access
- -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000
-F auid!=unset -F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80388-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030530
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when
on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000
-F auid!=unset -F key=access
- -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000
-F auid!=unset -F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80388-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030530
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000
-F auid!=unset -F key=access
- -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000
-F auid!=unset -F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80388-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030530
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Record Successful Access Attempts to Files - truncate
At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File access attempts could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82001-9

Record Unsuccessful Access Attempts to Files - ftruncate

At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
References:
CIS 5.2.10; CIS CSC 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
NIST SP 800-171 3.1.7
CCI-000172, CCI-002884
HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
ISA/IEC 62443-2-1 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
ISA/IEC 62443-3-3 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
ISO/IEC 27001 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
NIST SP 800-53 AU-2(d), AU-12(c), CM-6(a)
NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
Common Criteria FAU_GEN.1.1.c
PCI DSS Req-10.2.4, Req-10.2.1
SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
DISA STIG RHEL-07-030550, SV-86757r5_rule
SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-80390-8
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Set architecture for audit ftruncate tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_ftruncate
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80390-8
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030550
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_ftruncate
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_ftruncate
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80390-8
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030550
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/access.rules
when:
- find_ftruncate.matched is defined and find_ftruncate.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_ftruncate
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80390-8
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030550
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_ftruncate.files | map(attribute=''path'') | list | first }}'
when:
- find_ftruncate.matched is defined and find_ftruncate.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_ftruncate
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80390-8
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030550
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the ftruncate rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_ftruncate
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80390-8
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030550
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the ftruncate rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_ftruncate
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80390-8
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030550
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the ftruncate rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_ftruncate
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80390-8
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030550
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the ftruncate rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_ftruncate
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-80390-8
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- DISA-STIG-RHEL-07-030550
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly

The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly distinguish unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the open_by_handle_at syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules. A more specific rule
covers a subset of the events covered by a less specific rule, so it must come first;
otherwise it is overshadowed by the less specific rule, which matches a larger set of events.
Make sure that the rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
References:
CIS 5.2.10; CIS CSC 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
NIST SP 800-171 3.1.7
CCI-000172, CCI-002884
HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
ISA/IEC 62443-2-1 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
ISA/IEC 62443-3-3 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
ISO/IEC 27001 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
NIST SP 800-53 AU-2(d), AU-12(c), CM-6(a)
NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
Common Criteria FAU_GEN.1.1.c
PCI DSS Req-10.2.4, Req-10.2.1
SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
The more specific rules cover a subset of events covered by the less specific rules.
By ordering them from more specific to less specific, it is ensured that the less specific
rule will not catch events better recorded by the more specific rule.
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
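The first-match behaviour that the ordering requirement above relies on, together with the a2 flag-mask filters it uses (0100 for O_CREAT, 01003 for O_TRUNC combined with a write access mode, the same masks the openat and open_by_handle_at rules later in this section use), as an added example that is not part of this guide or of the scap-security-guide project. The Python below parses rule lines in the form shown on this page, records a constructed denied open_by_handle_at event under the first rule in list order that matches, and reports rules shadowed by an earlier, less specific rule. The rule text, the event and the Linux open(2) flag values are constructed inputs; the names Rule, Event, parse_rule, first_matching_key and ordering_violations are this example's own.

```python
"""Model of auditd exit-filter matching, used to check audit rule ordering.

Added example, not code from the SCAP Security Guide: parses rule lines in the
form used on this page, records a constructed syscall event under the first
rule that matches (the first-match behaviour the ordering requirement relies
on), and flags orderings in which a less specific rule shadows a more specific
one. Flag values are the Linux open(2) constants the b32/b64 rules assume.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0o1, 0o2, 0o100, 0o1000  # Linux values
ERRNO = {"-EPERM": -1, "-EACCES": -13}                         # "-F exit=-E..." values


@dataclass
class Rule:
    arch: str
    syscalls: List[str]
    key: str
    exit_code: Optional[str] = None   # "-F exit=-EACCES"
    success: Optional[bool] = None    # "-F success=1"
    auid_min: int = 0                 # "-F auid>=1000"
    arg_masks: Dict[int, int] = field(default_factory=dict)  # "-F a2&01003" -> {2: 0o1003}


def parse_rule(line: str) -> Rule:
    """Parse one '-a always,exit ... -F key=...' rule line."""
    rule = Rule(arch="", syscalls=re.search(r"-S\s+(\S+)", line).group(1).split(","), key="")
    for fld in re.findall(r"-F\s+(\S+)", line):
        mask = re.fullmatch(r"a([0-3])&(\S+)", fld)
        if fld.startswith("arch="):
            rule.arch = fld[len("arch="):]
        elif fld.startswith("exit="):
            rule.exit_code = fld[len("exit="):]
        elif fld.startswith("success="):
            rule.success = fld[len("success="):] == "1"
        elif fld.startswith("auid>="):
            rule.auid_min = int(fld[len("auid>="):])
        elif fld.startswith("key="):
            rule.key = fld[len("key="):]
        elif mask:  # auditctl reads a leading 0 as octal, as in 0100 and 01003
            val = mask.group(2)
            rule.arg_masks[int(mask.group(1))] = int(val, 8) if val.startswith("0") else int(val)
        # "auid!=unset" is accepted but not modelled: every event below carries a real auid
    return rule


@dataclass
class Event:
    arch: str
    syscall: str
    args: List[int]   # a0..a3 as the kernel saw them
    exit_code: int    # negative errno on failure, otherwise the returned fd
    auid: int


def matches(rule: Rule, ev: Event) -> bool:
    """True when every filter field of the rule accepts the event."""
    if rule.arch != ev.arch or ev.syscall not in rule.syscalls or ev.auid < rule.auid_min:
        return False
    if rule.exit_code is not None and ERRNO[rule.exit_code] != ev.exit_code:
        return False
    if rule.success is not None and (ev.exit_code >= 0) != rule.success:
        return False
    # "aN&mask" is a bitwise test: it matches when any bit of the mask is set in aN.
    return all(ev.args[n] & m for n, m in rule.arg_masks.items())


def first_matching_key(rules: List[Rule], ev: Event) -> Optional[str]:
    """Key the event is recorded under: the first rule in list order that matches."""
    return next((r.key for r in rules if matches(r, ev)), None)


def ordering_violations(rules: List[Rule]) -> List[str]:
    """Rules that an earlier rule with the same filters but fewer argument masks would always match first."""
    problems = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.arch == later.arch
                    and set(later.syscalls) <= set(earlier.syscalls)
                    and (earlier.exit_code, earlier.success) == (later.exit_code, later.success)
                    and all(later.arg_masks.get(n) == m for n, m in earlier.arg_masks.items())
                    and len(later.arg_masks) > len(earlier.arg_masks)):
                problems.append(f"key={later.key} is shadowed by earlier key={earlier.key}")
    return problems


# Constructed input: the 64-bit rows of the ordering rule above, in the required order.
CORRECT_ORDER = [parse_rule(l) for l in [
    "-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create",
    "-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification",
    "-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access",
]]
WRONG_ORDER = list(reversed(CORRECT_ORDER))

# Constructed event: auid 1000 calls open_by_handle_at(fd, handle, O_WRONLY|O_TRUNC) and gets EACCES.
TRUNCATE_DENIED = Event("b64", "open_by_handle_at", [3, 0x7ffd1000, O_WRONLY | O_TRUNC, 0], -13, 1000)

if __name__ == "__main__":
    print("required order records key:", first_matching_key(CORRECT_ORDER, TRUNCATE_DENIED))
    print("reversed order records key:", first_matching_key(WRONG_ORDER, TRUNCATE_DENIED))
    print("violations in reversed order:", ordering_violations(WRONG_ORDER))
```

To check a real host, feed ordering_violations the rule lines in the order auditctl -l prints them after augenrules --load, since that loaded order, not the order within any single rules.d file, is what the kernel evaluates.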
Record Successful Creation Attempts to Files - openat O_CREAT

The openat syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will assure that successful attempts to create a
file via openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Successful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81127-3

Record Successful Access Attempts to Files - creat

At a minimum, the audit system should collect successful file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File access attempts could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81149-7

Record Successful Delete Attempts to Files - unlink

At a minimum, the audit system should collect file
deletion for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S unlink -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlink -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S unlink -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlink -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File deletion attempts could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82085-2

Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE

The audit system should collect detailed file access records for
all users and root. The open_by_handle_at syscall can be used to modify
files if it is called for a write operation with the O_TRUNC flag (the
O_TRUNC_WRITE case in the title): the octal mask 01003 in the a2 filter
below covers O_TRUNC together with the O_WRONLY and O_RDWR access modes.
The following audit rules will assure that successful attempts to modify a
file in this way via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Only syscalls that carry the open flags in the same argument can share one such rule: openat and open_by_handle_at both take the flags as their third argument (a2), whereas open takes them as its second argument (a1) and therefore needs its own rule with an a1 filter.
Successful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81140-6

Record Successful Ownership Changes to Files - fchownat

At a minimum, the audit system should collect file ownership changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File ownership change attempts could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82133-0

Record Unsuccessful Delete Attempts to Files - unlinkat

The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
References:
CIS 5.2.10; CIS CSC 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
NIST SP 800-171 3.1.7
CCI-000172, CCI-002884
HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
ISA/IEC 62443-2-1 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
ISA/IEC 62443-3-3 SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
ISO/IEC 27001 A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
NIST SP 800-53 AU-2(d), AU-12(c), CM-6(a)
NIST CSF DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
Common Criteria FAU_GEN.1.1.c
PCI DSS Req-10.2.4, Req-10.2.1
SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81104-2
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES.*"
GROUP="access"
FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM.*"
GROUP="access"
FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit unlinkat tasks
set_fact:
audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_unlinkat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81104-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: /etc/audit/rules.d
recurse: false
contains: -F key=perm_mod$
patterns: '*.rules'
register: find_unlinkat
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_unlinkat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81104-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/access.rules
when:
- find_unlinkat.matched is defined and find_unlinkat.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_unlinkat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81104-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_unlinkat.files | map(attribute=''path'') | list | first }}'
when:
- find_unlinkat.matched is defined and find_unlinkat.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_unlinkat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81104-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlinkat rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_unlinkat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81104-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64
lineinfile:
path: '{{ all_files[0] }}'
line: '{{ item }}'
create: true
with_items:
- -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_unlinkat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81104-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_unlinkat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81104-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_unlinkat
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81104-2
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
Record Successful Delete Attempts to Files - renameAt a minimum, the audit system should collect file
deletion for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S rename -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S rename -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient.
File deletion attempts could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82091-0

Record Successful Access Attempts to Files - openat

At a minimum, the audit system should collect successful file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-accessNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.File access attempts could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.CCE-82009-2Record Successful Creation Attempts to Files - openat O_TRUNC_WRITEThe audit system should collect detailed file access records for
all users and root. The openat syscall can be used to modify
files if called for write operation with the O_TRUNC_WRITE flag.
The following audit rules will assure that successful attempts to create a
file via openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modificationSuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.CCE-81137-2Record Successful Permission Changes to Files - lremovexattrAt a minimum, the audit system should collect file permission changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-changeNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.File permission changes could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.CCE-82118-1Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)At a minimum the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessThis rule checks for multiple syscalls related to unsuccessful file modification;
it was written with DISA STIG in mind. Other policies should use a
separate rule for each syscall that needs to be checked. For example:
audit_rules_unsuccessful_file_modification_openaudit_rules_unsuccessful_file_modification_ftruncateaudit_rules_unsuccessful_file_modification_creat5.2.10111121314151619234567895.4.1.1APO10.01APO10.03APO10.04APO10.05APO11.04APO12.06APO13.01BAI03.05BAI08.02DSS01.03DSS01.04DSS02.02DSS02.04DSS02.07DSS03.01DSS03.05DSS05.02DSS05.03DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.1.7CCI-000172CCI-0028844.2.3.104.3.2.6.74.3.3.3.94.3.3.5.84.3.3.6.64.3.4.4.74.3.4.5.64.3.4.5.74.3.4.5.84.4.2.14.4.2.24.4.2.4SR 1.13SR 2.10SR 2.11SR 2.12SR 2.6SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 6.1SR 6.2SR 7.1SR 7.6A.11.2.6A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3A.14.2.7A.15.2.1A.15.2.2A.16.1.4A.16.1.5A.16.1.7A.6.2.1A.6.2.2AU-2(d)AU-12(c)CM-6(a)DE.AE-3DE.AE-5DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.AC-3PR.PT-1PR.PT-4RS.AN-1RS.AN-4Req-10.2.4Req-10.2.1Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.CCE-27347-4
# Perform the remediation of the syscall rule
# fix_audit_syscall_rule is a helper from the guide's shared remediation functions (not shown here)
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  # First fix the -EACCES requirement
  PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=1000 -F auid!=unset -k *"
  # Use escaped BRE regex to specify rule group
  GROUP="\(creat\|open\|truncate\)"
  FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  # Then fix the -EPERM requirement
  PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=1000 -F auid!=unset -k *"
  # No need to change content of $GROUP variable - it's the same as for -EACCES case above
  FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Record Unsuccessful Permission Changes to Files - fchmod

The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81088-7
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is a helper from the guide's shared remediation functions (not shown here)
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EACCES.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EPERM.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit fchmod tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchmod
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81088-7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_fchmod
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchmod
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81088-7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_fchmod.matched is defined and find_fchmod.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchmod
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81088-7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}'
  when:
  - find_fchmod.matched is defined and find_fchmod.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchmod
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81088-7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchmod rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchmod
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81088-7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchmod rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchmod
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81088-7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchmod
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81088-7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64
  lineinfile:
    line: '{{ item }}'
    state: present
    dest: /etc/audit/audit.rules
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_fchmod
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81088-7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE

The audit system should collect detailed unauthorized file accesses for
all users and root. The open_by_handle_at syscall can be used to modify files
if called for a write operation with the O_TRUNC_WRITE flag.
The following audit rules will assure that unsuccessful attempts to modify a
file via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81125-7
create_audit_remediation_unsuccessful_file_modification_detailed /etc/audit/rules.d/30-ospp-v42-remediation.rules
- name: Add unsuccessful file operations audit rules
  blockinfile:
    path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
    create: true
    block: |-
      ## This content is a section of an Audit config snapshot recommended for Red Hat Enterprise Linux 7 systems that target OSPP compliance.
      ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
      ## The purpose of these rules is to meet the requirements for Operating
      ## System Protection Profile (OSPP)v4.2. These rules depends on having
      ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
      ## Unsuccessful file creation (open with O_CREAT)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
      ## Unsuccessful file modifications (open for write or truncate)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
      ## Unsuccessful file access (any other opens) This has to go last.
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81125-7
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
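The following Python script is an added example, not part of this guide or the scap-security-guide project. It models why the rules above behave as described: the kernel walks exit rules in file order and the first match assigns the key (which is why the catch-all "unsuccesful-access" rule in the OSPP snippet "has to go last"), a `-F aN&MASK` filter matches when any bit of the octal mask is set in the syscall argument (so one grouped rule covers the same events as separate single-syscall rules), and `-F auid!=unset` is needed because the unset login UID (4294967295) also satisfies `auid>=1000`. The event layout, helper names and sample events are this example's own assumptions; the sample rules are the b64 -EACCES lines from the OSPP snippet.

```python
"""Model of auditd exit-rule matching (added example, not from the guide).

Only the syntax used on this page is modelled: '-a always,exit', '-F arch=',
'-S sys[,sys...]', '-F aN&MASK', '-F exit=', '-F success=', '-F auid...',
and '-F key=' / '-k'.  Event layout and helper names are assumptions.
"""
import errno
import re
from dataclasses import dataclass

AUID_UNSET = 4294967295  # login UID before pam_loginuid sets it ("unset")
O_WRONLY, O_CREAT, O_TRUNC = 0o1, 0o100, 0o1000  # same octal values as the rules use


@dataclass(frozen=True)
class Rule:
    arch: str
    syscalls: frozenset
    filters: tuple   # (field, operator, raw value) triples, in rule order
    key: str


def _to_int(value):
    """auditctl numeric syntax: leading 0 is octal, 0x is hex, else decimal."""
    if value.lower().startswith("0x"):
        return int(value, 16)
    if len(value) > 1 and value.startswith("0"):
        return int(value, 8)
    return int(value)


def parse_rule(line):
    """Parse one '-a always,exit ...' audit.rules line into a Rule."""
    tokens = line.split()
    if tokens[:2] != ["-a", "always,exit"]:
        raise ValueError("only '-a always,exit' rules are modelled: " + line)
    arch, syscalls, filters, key = None, set(), [], None
    for flag, arg in zip(tokens[2::2], tokens[3::2]):
        if flag == "-S":
            syscalls.update(arg.split(","))
        elif flag == "-k":
            key = arg
        elif flag == "-F":
            m = re.fullmatch(r"(\w+)(&=|>=|<=|!=|=|>|<|&)(.+)", arg)
            if not m:
                raise ValueError("unsupported filter: " + arg)
            field, op, value = m.groups()
            if field == "arch":
                arch = value
            elif field == "key":
                key = value
            else:
                filters.append((field, op, value))
        else:
            raise ValueError("unsupported option: " + flag)
    return Rule(arch, frozenset(syscalls), tuple(filters), key)


def _filter_matches(field, op, value, event):
    """Evaluate one -F comparison against an event dict (see make_event)."""
    if field == "auid":
        actual = event["auid"]
        expected = AUID_UNSET if value == "unset" else _to_int(value)
    elif field == "exit":   # '-EACCES' style names become negative errno values
        actual = event["exit"]
        expected = -getattr(errno, value[1:]) if value.startswith("-E") else _to_int(value)
    elif field == "success":  # a non-negative return value counts as success
        actual, expected = (1 if event["exit"] >= 0 else 0), _to_int(value)
    elif re.fullmatch(r"a[0-3]", field):  # syscall argument a0..a3
        actual, expected = event["args"][int(field[1])], _to_int(value)
    else:
        raise ValueError("unsupported field: " + field)
    return {"=": actual == expected, "!=": actual != expected,
            ">=": actual >= expected, "<=": actual <= expected,
            ">": actual > expected, "<": actual < expected,
            "&": (actual & expected) != 0,              # any masked bit set
            "&=": (actual & expected) == expected}[op]  # all masked bits set


def rule_matches(rule, event):
    return (rule.arch == event["arch"] and event["syscall"] in rule.syscalls
            and all(_filter_matches(f, o, v, event) for f, o, v in rule.filters))


def first_match_key(rules, event):
    """The kernel checks exit rules in order and stops at the first match."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule.key
    return None


def make_event(syscall, flags, exit_code, auid=1000, arch="b64"):
    """Constructed event; for openat/open_by_handle_at the flags are argument a2."""
    return {"arch": arch, "syscall": syscall, "args": (0, 0, flags, 0),
            "exit": exit_code, "auid": auid}


# Constructed sample: the three b64 -EACCES rules of the OSPP snippet, in file order.
OSPP_ORDER = [parse_rule(r) for r in (
    "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES "
    "-F auid>=1000 -F auid!=unset -F key=unsuccesful-create",
    "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES "
    "-F auid>=1000 -F auid!=unset -F key=unsuccesful-modification",
    "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at "
    "-F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access",
)]
# Same rules with the catch-all access rule moved first: it now shadows the other two.
WRONG_ORDER = [OSPP_ORDER[2], OSPP_ORDER[0], OSPP_ORDER[1]]
DENIED = -errno.EACCES  # return value of a permission-denied open (-13)

if __name__ == "__main__":
    create = make_event("openat", O_WRONLY | O_CREAT | O_TRUNC, DENIED)
    print(first_match_key(OSPP_ORDER, create))    # unsuccesful-create
    print(first_match_key(WRONG_ORDER, create))   # unsuccesful-access
    print(first_match_key(OSPP_ORDER, make_event("openat", 0, DENIED, auid=AUID_UNSET)))  # None
```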
Record Successful Creation Attempts to Files - open O_CREAT

The open syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will assure that successful attempts to create a
file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

Successful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81134-9

Record Unsuccessful Delete Attempts to Files - rename

The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81108-3
# First perform the remediation of the syscall rule
# fix_audit_syscall_rule is a helper from the guide's shared remediation functions (not shown here)
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
for ARCH in "${RULE_ARCHS[@]}"
do
  PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM.*"
  GROUP="access"
  FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
  fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit rename tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81108-3
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=perm_mod$
    patterns: '*.rules'
  register: find_rename
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81108-3
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/access.rules
  when:
  - find_rename.matched is defined and find_rename.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81108-3
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_rename.files | map(attribute=''path'') | list | first }}'
  when:
  - find_rename.matched is defined and find_rename.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81108-3
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rename rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-81108-3
  - PCI-DSS-Req-10.2.4
  - PCI-DSS-Req-10.2.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rename rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: '{{ item }}'
    create: true
  with_items:
  - -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset
    -F key=access
  - -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset
    -F key=access
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_unsuccessful_file_modification_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
- low_disruption
- reboot_required
- CCE-81108-3
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_rename
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81108-3
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the rename rule in audit.rules when on x86_64
lineinfile:
line: '{{ item }}'
state: present
dest: /etc/audit/audit.rules
create: true
with_items:
- -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset
-F key=access
- -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset
-F key=access
when:
- audit_arch is defined and audit_arch == 'b64'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_unsuccessful_file_modification_rename
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- reboot_required
- CCE-81108-3
- PCI-DSS-Req-10.2.4
- PCI-DSS-Req-10.2.1
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-CM-6(a)
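The remediation above, whether the bash fix_audit_syscall_rule calls or the Ansible find/set_fact/lineinfile tasks, does two things: it picks the file the rule belongs in, and it adds the rule line only if it is not already there. The following is an added example, not code from this guide or from the scap-security-guide project, that reproduces that placement logic in Python against a scratch directory. The audit directory is a parameter; the choice of `<key>.rules` as the default file and the search for an existing file carrying the rule's key are assumptions that mirror the tasks above.

```python
"""Idempotent placement of audit rule lines into rules.d and audit.rules.

Added example, not code from the guide or the scap-security-guide project.
For augenrules the rule goes into the first /etc/audit/rules.d/*.rules file
that already carries the rule's key, otherwise into <key>.rules (assumed
default); for auditctl it goes into /etc/audit/audit.rules. A line is
appended only when no whitespace-equivalent line exists.
"""
import tempfile
from pathlib import Path

RENAME_RULES = [  # the rename rules quoted in this guide
    "-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access",
    "-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access",
    "-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access",
    "-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access",
]


def normalise(line):
    """Collapse runs of whitespace so 'a  b' and 'a b' compare equal."""
    return " ".join(line.split())


def choose_rules_d_target(rules_d, key):
    """First *.rules file already holding a rule with this key, else <key>.rules."""
    for candidate in sorted(rules_d.glob("*.rules")):
        for line in candidate.read_text().splitlines():
            if normalise(line).endswith(f"-F key={key}"):
                return candidate
    return rules_d / f"{key}.rules"


def ensure_rule(path, rule):
    """Append rule to path unless an equivalent line is present. Returns True if added."""
    wanted = normalise(rule)
    existing = path.read_text().splitlines() if path.exists() else []
    if any(normalise(line) == wanted for line in existing):
        return False
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("\n".join(existing + [rule]) + "\n")
    return True


def apply_rules(audit_dir, rules, key, is_64bit=True):
    """Place rules in both rule sources, as the remediation does. Returns lines added."""
    rules_d = audit_dir / "rules.d"
    rules_d.mkdir(parents=True, exist_ok=True)
    target = choose_rules_d_target(rules_d, key)
    added = 0
    for rule in rules:
        if "-F arch=b64" in rule and not is_64bit:
            continue  # b64 rules are only loaded on 64-bit systems (audit_arch == 'b64' above)
        added += ensure_rule(target, rule)
        added += ensure_rule(audit_dir / "audit.rules", rule)
    return added


def demo():
    """Run the placement twice against a scratch tree; the second run must add nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        audit_dir = Path(tmp) / "etc" / "audit"
        rules_d = audit_dir / "rules.d"
        rules_d.mkdir(parents=True)
        # Constructed pre-existing file: one rule with the 'access' key, written with
        # a doubled space to show that whitespace differences do not cause duplicates.
        (rules_d / "30-custom.rules").write_text(
            "-a always,exit -F arch=b64 -S rename  -F exit=-EPERM "
            "-F auid>=1000 -F auid!=unset -F key=access\n")
        first = apply_rules(audit_dir, RENAME_RULES, "access")
        second = apply_rules(audit_dir, RENAME_RULES, "access")
        target = choose_rules_d_target(rules_d, "access").name
        return first, second, target, (rules_d / "access.rules").exists()


if __name__ == "__main__":
    print(demo())  # (7, 0, '30-custom.rules', False)
```

The second run returning 0 is the idempotency the lineinfile tasks rely on. Note that when auditd runs augenrules, /etc/audit/audit.rules is regenerated from the rules.d files at service start, so in that mode the rules.d copy is the one that persists.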
Record Successful Creation Attempts to Files - open_by_handle_at O_CREAT
The open_by_handle_at syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will ensure that successful attempts to create a
file via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open_by_handle_at,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Successful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-81131-5
Record Successful Permission Changes to Files - fchmod
At a minimum, the audit system should collect file permission changes
for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
File permission changes could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
CCE-82100-9
Record Execution Attempts to Run SELinux Privileged Commands
At a minimum, the audit system should collect the execution of
SELinux privileged commands for all users and root.
Record Any Attempts to Run seunshare
At a minimum, the audit system should collect any execution attempt
of the seunshare command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
References: CCI-000172, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000463-VMM-001850
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-82362-5
PATTERN="-a always,exit -F path=/usr/sbin/seunshare\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
find:
paths: /etc/audit/rules.d
recurse: false
contains: ^.*path=/usr/sbin/seunshare.*$
patterns: '*.rules'
register: find_seunshare
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_seunshare
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82362-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_seunshare.matched is defined and find_seunshare.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_seunshare
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82362-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_seunshare.files | map(attribute=''path'') | list | first }}'
when:
- find_seunshare.matched is defined and find_seunshare.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_seunshare
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82362-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the seunshare rule in rules.d
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_seunshare
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82362-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the seunshare rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_seunshare
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82362-5
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Any Attempts to Run setfiles
At a minimum, the audit system should collect any execution attempt
of the setfiles command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
References: CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-07-030590, SV-86765r5_rule, SRG-OS-000463-VMM-001850
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80660-4
PATTERN="-a always,exit -F path=/usr/sbin/setfiles\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
find:
paths: /etc/audit/rules.d
recurse: false
contains: ^.*path=/usr/sbin/setfiles.*$
patterns: '*.rules'
register: find_setfiles
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setfiles
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80660-4
- DISA-STIG-RHEL-07-030590
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_setfiles.matched is defined and find_setfiles.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setfiles
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80660-4
- DISA-STIG-RHEL-07-030590
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_setfiles.files | map(attribute=''path'') | list | first }}'
when:
- find_setfiles.matched is defined and find_setfiles.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setfiles
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80660-4
- DISA-STIG-RHEL-07-030590
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the setfiles rule in rules.d
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setfiles
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80660-4
- DISA-STIG-RHEL-07-030590
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the setfiles rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setfiles
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80660-4
- DISA-STIG-RHEL-07-030590
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Any Attempts to Run setsebool
At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-07-030570, SV-86761r4_rule, SRG-OS-000463-VMM-001850
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80392-4
PATTERN="-a always,exit -F path=/usr/sbin/setsebool\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
find:
paths: /etc/audit/rules.d
recurse: false
contains: ^.*path=/usr/sbin/setsebool.*$
patterns: '*.rules'
register: find_setsebool
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setsebool
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80392-4
- DISA-STIG-RHEL-07-030570
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_setsebool.matched is defined and find_setsebool.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setsebool
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80392-4
- DISA-STIG-RHEL-07-030570
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_setsebool.files | map(attribute=''path'') | list | first }}'
when:
- find_setsebool.matched is defined and find_setsebool.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setsebool
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80392-4
- DISA-STIG-RHEL-07-030570
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the setsebool rule in rules.d
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setsebool
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80392-4
- DISA-STIG-RHEL-07-030570
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the setsebool rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_setsebool
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80392-4
- DISA-STIG-RHEL-07-030570
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Any Attempts to Run semanage
At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-07-030560, SV-86759r4_rule, SRG-OS-000463-VMM-001850
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80391-6
PATTERN="-a always,exit -F path=/usr/sbin/semanage\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
find:
paths: /etc/audit/rules.d
recurse: false
contains: ^.*path=/usr/sbin/semanage.*$
patterns: '*.rules'
register: find_semanage
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_semanage
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80391-6
- DISA-STIG-RHEL-07-030560
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_semanage.matched is defined and find_semanage.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_semanage
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80391-6
- DISA-STIG-RHEL-07-030560
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_semanage.files | map(attribute=''path'') | list | first }}'
when:
- find_semanage.matched is defined and find_semanage.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_semanage
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80391-6
- DISA-STIG-RHEL-07-030560
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the semanage rule in rules.d
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_semanage
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80391-6
- DISA-STIG-RHEL-07-030560
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the semanage rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_execution_semanage
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80391-6
- DISA-STIG-RHEL-07-030560
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Record Any Attempts to Run chcon
At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, RHEL-07-030580, SV-86763r4_rule, SRG-OS-000463-VMM-001850
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80393-2
PATTERN="-a always,exit -F path=/usr/bin/chcon\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/chcon.*$
    patterns: '*.rules'
  register: find_chcon
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_chcon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80393-2
  - DISA-STIG-RHEL-07-030580
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_chcon.matched is defined and find_chcon.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_chcon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80393-2
  - DISA-STIG-RHEL-07-030580
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_chcon.files | map(attribute=''path'') | list | first }}'
  when:
  - find_chcon.matched is defined and find_chcon.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_chcon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80393-2
  - DISA-STIG-RHEL-07-030580
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chcon rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_chcon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80393-2
  - DISA-STIG-RHEL-07-030580
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chcon rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_chcon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80393-2
  - DISA-STIG-RHEL-07-030580
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Record Any Attempts to Run restorecon
At a minimum, the audit system should collect any execution attempt
of the restorecon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
The remediation scripts that follow install the same watch with -F key=privileged rather
than privileged-priv_change. The key is only a search tag for the recorded events
(ausearch -k <key>); it does not change which executions are recorded.
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80394-0
PATTERN="-a always,exit -F path=/usr/sbin/restorecon\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
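The remediation above calls fix_audit_syscall_rule without showing it. The following is an added example, not the project's helper, that does the same job for an execution watch in Python: it looks for an existing watch on the same -F path= in /etc/audit/rules.d (a stale variant, such as one still using the numeric auid!=4294967295 filter or the privileged-priv_change key, is replaced rather than duplicated), falls back to privileged.rules when none exists, and mirrors the line into audit.rules for the auditctl loader. The audit_root parameter, the demo() scratch tree and the sample rule it contains are assumptions made for illustration.

```python
"""Idempotent install of an auditd execution watch into both rule locations.

Added example, not scap-security-guide's fix_audit_syscall_rule (which the page calls
but does not show). audit_root is an assumed parameter so the logic can be exercised on a
scratch tree; pass Path("/etc/audit") as the root to change a real host.
"""
import re
import tempfile
from pathlib import Path

# The rule the page's remediation installs (key=privileged, not privileged-priv_change).
RESTORECON_RULE = ("-a always,exit -F path=/usr/sbin/restorecon -F perm=x "
                   "-F auid>=1000 -F auid!=unset -F key=privileged")


def rule_pattern(rule: str):
    """Regex matching any existing watch on the same -F path=, whatever its key or filters.

    Mirrors the page's PATTERN ("-a always,exit -F path=/usr/sbin/restorecon\\s+.*"), so a
    stale variant is replaced instead of being left beside the new line.
    """
    path = re.search(r"-F path=(\S+)", rule).group(1)
    return re.compile(r"^-a always,exit -F path=" + re.escape(path) + r"(\s+.*)?$")


def fix_rule_in_file(target: Path, rule: str) -> str:
    """Leave exactly one line for this watch in target; return what was done."""
    pat = rule_pattern(rule)
    lines = target.read_text().splitlines() if target.exists() else []
    hits = [i for i, text in enumerate(lines) if pat.match(text.strip())]
    if len(hits) == 1 and lines[hits[0]].strip() == rule:
        return "unchanged"
    if hits:
        lines[hits[0]] = rule                                          # rewrite first match
        lines = [t for i, t in enumerate(lines) if i not in hits[1:]]  # drop duplicates
        outcome = "replaced"
    else:
        lines.append(rule)
        outcome = "appended"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text("\n".join(lines) + "\n")
    return outcome


def fix_audit_path_rule(audit_root: Path, rule: str, group: str = "privileged") -> dict:
    """Apply the rule for both loaders, like the page's pair of fix_audit_syscall_rule calls.

    augenrules: a rules.d file already holding a watch on this path wins; otherwise
                <group>.rules (the page's /etc/audit/rules.d/privileged.rules).
    auditctl:   the flat audit.rules file next to rules.d.
    """
    rules_d = audit_root / "rules.d"
    pat = rule_pattern(rule)
    target = rules_d / f"{group}.rules"
    candidates = sorted(rules_d.glob("*.rules")) if rules_d.is_dir() else []
    for candidate in candidates:
        if any(pat.match(t.strip()) for t in candidate.read_text().splitlines()):
            target = candidate
            break
    return {
        "augenrules": (str(target.relative_to(audit_root)), fix_rule_in_file(target, rule)),
        "auditctl": ("audit.rules", fix_rule_in_file(audit_root / "audit.rules", rule)),
    }


def demo() -> tuple:
    """Run the fix twice against a constructed scratch tree holding a stale variant of the rule."""
    root = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (root / "rules.d").mkdir()
    # Constructed sample: an old rule with the numeric auid filter and the other key.
    (root / "rules.d" / "50-custom.rules").write_text(
        "-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 "
        "-F auid!=4294967295 -k privileged-priv_change\n")
    first = fix_audit_path_rule(root, RESTORECON_RULE)
    second = fix_audit_path_rule(root, RESTORECON_RULE)
    return first, second, (root / "rules.d" / "50-custom.rules").read_text()


if __name__ == "__main__":
    print(demo())
```

The first pass reports "replaced" for rules.d and "appended" for audit.rules; a second pass reports "unchanged" for both, which is the idempotence the Ansible tasks get from lineinfile. After changing a real host, reload with augenrules --load (or auditctl -R /etc/audit/audit.rules) and confirm with auditctl -l.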
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/sbin/restorecon.*$
    patterns: '*.rules'
  register: find_restorecon
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_restorecon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80394-0
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_restorecon.matched is defined and find_restorecon.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_restorecon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80394-0
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_restorecon.files | map(attribute=''path'') | list | first }}'
  when:
  - find_restorecon.matched is defined and find_restorecon.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_restorecon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80394-0
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the restorecon rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_restorecon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80394-0
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the restorecon rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_execution_restorecon
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80394-0
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Record File Deletion Events by User
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
Syscall rules are matched per ABI, so on a 64-bit system add the line twice, once with
arch=b32 and once with arch=b64, as the remediation scripts in this group do; a rule for
b64 alone would not see deletions performed by 32-bit binaries.
Ensure auditd Collects File Deletion Events by User - rmdir
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, RHEL-07-030900, SV-86827r5_rule, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890
Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence.
CCE-80412-0
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S rmdir.*"
GROUP="delete"
FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit rmdir tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rmdir
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80412-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030900
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=delete$
    patterns: '*.rules'
  register: find_rmdir
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rmdir
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80412-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030900
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/delete.rules
  when:
  - find_rmdir.matched is defined and find_rmdir.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rmdir
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80412-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030900
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_rmdir.files | map(attribute=''path'') | list | first }}'
  when:
  - find_rmdir.matched is defined and find_rmdir.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rmdir
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80412-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030900
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rmdir rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rmdir
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80412-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030900
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rmdir rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rmdir
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80412-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030900
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rmdir rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rmdir
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80412-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030900
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rmdir rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rmdir
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80412-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030900
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects File Deletion Events by User - unlinkat
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, RHEL-07-030920, SV-86831r5_rule, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890
Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence.
CCE-80662-0
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S unlinkat.*"
GROUP="delete"
FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit unlinkat tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_unlinkat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80662-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030920
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=delete$
    patterns: '*.rules'
  register: find_unlinkat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_unlinkat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80662-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030920
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/delete.rules
  when:
  - find_unlinkat.matched is defined and find_unlinkat.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_unlinkat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80662-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030920
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_unlinkat.files | map(attribute=''path'') | list | first }}'
  when:
  - find_unlinkat.matched is defined and find_unlinkat.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_unlinkat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80662-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030920
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlinkat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_unlinkat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80662-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030920
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_unlinkat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80662-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030920
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_unlinkat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80662-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030920
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_unlinkat
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80662-0
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030920
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects File Deletion Events by User
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete
auditctl accepts the syscalls either as one comma-separated list or as repeated -S options,
so the two lines above are equivalent; the remediation below also writes the key in its older
spelling, -k delete, which means the same as -F key=delete.
This rule checks for multiple syscalls related to file deletion;
it was written with DISA STIG in mind. Other policies should use a
separate rule for each syscall that needs to be checked. For example:
audit_rules_file_deletion_events_rmdir, audit_rules_file_deletion_events_unlink, audit_rules_file_deletion_events_unlinkat
References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7
Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence.
CCE-27206-2
# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=unset -k *"
# Use escaped BRE regex to specify rule group
GROUP="\(rmdir\|unlink\|rename\)"
FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=unset -k delete"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
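The deletion rules in this group are written per ABI and appear on the page in several equivalent spellings (-S rmdir,unlink,... versus -S rmdir -S unlink, and -F key=delete versus -k delete). The following is an added example, not part of scap-security-guide, that parses any of those forms and reports which of the five deletion syscalls are still unaudited for each arch the host needs, using the same 32-bit/64-bit split as the getconf LONG_BIT test in the remediation scripts. The SAMPLE_RULES text is constructed for the example; on a real host feed it the concatenated contents of /etc/audit/rules.d/*.rules or of /etc/audit/audit.rules.

```python
"""Coverage check for the per-ABI file-deletion syscall rules.

Added example, not scap-security-guide code. Parses audit rule lines in the spellings
that appear on this page and reports, per required arch, which deletion syscalls are
still unaudited. SAMPLE_RULES is a constructed input, not a real host's ruleset.
"""
import shlex

DELETE_SYSCALLS = frozenset({"rmdir", "unlink", "unlinkat", "rename", "renameat"})


def parse_syscall_rule(line: str):
    """Return (arch, syscalls, key) for an '-a always,exit' syscall rule, else None.

    Handles '-S a,b,c' and repeated '-S a -S b', and both '-F key=x' and the older '-k x'.
    Watch rules (-F path=..., -w ...), control lines (-D, -b) and comments yield None.
    """
    line = line.strip()
    if not line.startswith("-a "):
        return None
    toks = shlex.split(line)
    arch, syscalls, key = None, set(), None
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-S":
            syscalls.update(toks[i + 1].split(","))
            i += 2
        elif tok == "-k":
            key = toks[i + 1]
            i += 2
        elif tok == "-F":
            field = toks[i + 1]
            if field.startswith("arch="):
                arch = field[len("arch="):]
            elif field.startswith("key="):
                key = field[len("key="):]
            i += 2
        else:
            i += 1                      # '-a', 'always,exit' and anything unrecognised
    return (arch, syscalls, key) if syscalls else None


def required_arches(long_bit: int) -> set:
    """Mirror the page's `getconf LONG_BIT` test: a 32-bit host needs b32 only, a 64-bit
    host needs b32 and b64 because 32-bit binaries enter the kernel through the compat ABI."""
    return {"b32"} if long_bit == 32 else {"b32", "b64"}


def deletion_coverage(rule_text: str, long_bit: int = 64) -> dict:
    """Per required arch, the deletion syscalls NOT yet covered by any syscall rule.

    The key is deliberately ignored: it only tags events for `ausearch -k`, it does not
    decide what is recorded. An empty set for every arch means the rules are complete.
    """
    missing = {arch: set(DELETE_SYSCALLS) for arch in required_arches(long_bit)}
    for line in rule_text.splitlines():
        parsed = parse_syscall_rule(line)
        if parsed is None:
            continue
        arch, syscalls, _key = parsed
        if arch in missing:
            missing[arch] -= syscalls
    return missing


# Constructed sample: a rules.d tree after a partial remediation (b64 complete, b32 not).
SAMPLE_RULES = """\
## constructed sample, not a real host's ruleset
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
"""

if __name__ == "__main__":
    for arch, gaps in sorted(deletion_coverage(SAMPLE_RULES).items()):
        print(arch, "missing:", sorted(gaps) or "none")
```

For the sample, b64 reports no gaps while b32 still lacks unlink, rename and renameat, which is exactly the situation a b64-only remediation leaves behind on an x86_64 host. Run it against the live ruleset before and after applying the remediation to confirm both ABIs are covered.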
Ensure auditd Collects File Deletion Events by User - rename
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, RHEL-07-030880, SV-86823r5_rule, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890
Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence.
CCE-80995-4
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S rename.*"
GROUP="delete"
FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit rename tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80995-4
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030880
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=delete$
    patterns: '*.rules'
  register: find_rename
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80995-4
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030880
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as
    the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/delete.rules
  when:
  - find_rename.matched is defined and find_rename.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80995-4
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030880
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_rename.files | map(attribute=''path'') | list | first }}'
  when:
  - find_rename.matched is defined and find_rename.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80995-4
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030880
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rename rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80995-4
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030880
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rename rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80995-4
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030880
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80995-4
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030880
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the rename rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
  - audit_arch is defined and audit_arch == 'b64'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_file_deletion_events_rename
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - reboot_required
  - CCE-80995-4
  - PCI-DSS-Req-10.2.7
  - DISA-STIG-RHEL-07-030880
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects File Deletion Events by User - renameat
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as detecting
malicious processes that attempt to delete log files to conceal their presence.
CCE-80413-8
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S renameat.*"
GROUP="delete"
FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit renameat tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80413-8
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030890
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=delete$
    patterns: '*.rules'
  register: find_renameat
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80413-8
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030890
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as
    the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/delete.rules
  when:
    - find_renameat.matched is defined and find_renameat.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80413-8
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030890
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_renameat.files | map(attribute=''path'') | list | first }}'
  when:
    - find_renameat.matched is defined and find_renameat.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80413-8
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030890
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the renameat rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80413-8
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030890
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the renameat rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80413-8
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030890
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80413-8
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030890
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the renameat rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_renameat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80413-8
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030890
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects File Deletion Events by User - unlink
At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as detecting
malicious processes that attempt to delete log files to conceal their presence.
CCE-80996-2
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S unlink.*"
GROUP="delete"
FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
- name: Set architecture for audit unlink tasks
  set_fact:
    audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80996-2
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030910
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: -F key=delete$
    patterns: '*.rules'
  register: find_unlink
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80996-2
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030910
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as
    the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/delete.rules
  when:
    - find_unlink.matched is defined and find_unlink.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80996-2
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030910
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_unlink.files | map(attribute=''path'') | list | first }}'
  when:
    - find_unlink.matched is defined and find_unlink.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80996-2
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030910
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlink rule in rules.d when on x86
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80996-2
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030910
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlink rule in rules.d when on x86_64
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80996-2
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030910
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80996-2
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030910
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unlink rule in audit.rules when on x86_64
  lineinfile:
    line: -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete
    state: present
    dest: /etc/audit/audit.rules
    create: true
  when:
    - audit_arch is defined and audit_arch == 'b64'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_file_deletion_events_unlink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - reboot_required
    - CCE-80996-2
    - PCI-DSS-Req-10.2.7
    - DISA-STIG-RHEL-07-030910
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-CM-6(a)
Record Information on the Use of Privileged Commands
At a minimum, the audit system should collect the execution of
privileged commands for all users and root.
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80395-7
PATTERN="-a always,exit -F path=/usr/bin/passwd\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/passwd.*$
    patterns: '*.rules'
  register: find_passwd
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80395-7
    - DISA-STIG-RHEL-07-030630
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_passwd.matched is defined and find_passwd.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80395-7
    - DISA-STIG-RHEL-07-030630
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_passwd.files | map(attribute=''path'') | list | first }}'
  when:
    - find_passwd.matched is defined and find_passwd.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80395-7
    - DISA-STIG-RHEL-07-030630
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the passwd rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80395-7
    - DISA-STIG-RHEL-07-030630
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the passwd rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_passwd
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80395-7
    - DISA-STIG-RHEL-07-030630
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
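Verifying that the file-deletion rules (rename, renameat, unlink) and the privileged-command rules above actually took effect is harder than grepping for the exact lines: the kernel merges syscalls that share a filter set into one rule, `auditctl -l` prints `auid!=-1` for `auid!=unset`, and the guide itself uses different key names in its descriptions (special-config-changes) and its remediations (privileged). The following checker is an added example, not part of the guide or the scap-security-guide project; it parses rule lines in the form found in rules.d files or printed by `auditctl -l`, compares the normalised fields against what this section requires, and runs over a constructed sample.

```python
import re
import shlex

# Required coverage, taken from the rule lines in this section of the guide.
DELETE_SYSCALLS = ("rename", "renameat", "unlink")
PRIVILEGED_PATHS = ("/usr/bin/passwd", "/usr/bin/sudo",
                    "/usr/sbin/usernetctl", "/usr/sbin/postdrop")
# auditctl accepts "unset" on input and prints the loaded rule as -1
# (older builds printed 4294967295); all three mean the same thing.
UNSET_AUID = {"unset", "-1", "4294967295"}
FIELD_RE = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(.*)$")


def parse_rule(line):
    """Parse one '-a always,exit' rule into a dict; return None for other lines."""
    tokens = shlex.split(line.split("#", 1)[0])
    if len(tokens) < 2 or tokens[0] != "-a" or tokens[1] not in ("always,exit", "exit,always"):
        return None
    rule = {"arch": None, "syscalls": set(), "path": None, "perm": "",
            "auid_min": None, "auid_unset": False, "key": None}
    i = 2
    while i + 1 < len(tokens):
        flag, value = tokens[i], tokens[i + 1]
        i += 2
        if flag == "-S":
            # "-S rename,renameat,unlink" is how auditctl -l shows merged rules
            rule["syscalls"].update(value.split(","))
        elif flag == "-k":
            rule["key"] = value
        elif flag == "-F":
            m = FIELD_RE.match(value)
            if not m:
                continue
            name, op, operand = m.groups()
            if name == "arch" and op == "=":
                rule["arch"] = operand
            elif name == "path" and op == "=":
                rule["path"] = operand
            elif name == "perm" and op == "=":
                rule["perm"] = operand
            elif name == "key" and op == "=":
                rule["key"] = operand
            elif name == "auid" and op == ">=" and operand.isdigit():
                rule["auid_min"] = int(operand)
            elif name == "auid" and op == "!=" and operand in UNSET_AUID:
                rule["auid_unset"] = True
    return rule


def _scopes_users(rule):
    """True when the rule covers real users: auid>=1000 (or a lower bound) and auid!=unset."""
    return rule["auid_min"] is not None and rule["auid_min"] <= 1000 and rule["auid_unset"]


def missing_rules(lines, archs=("b32", "b64")):
    """Return sorted identifiers of the required rules that are absent from `lines`."""
    rules = [r for r in (parse_rule(line) for line in lines) if r]
    missing = []
    for arch in archs:
        for syscall in DELETE_SYSCALLS:
            # Any key is accepted: the guide's own text uses more than one key name.
            if not any(r["arch"] == arch and syscall in r["syscalls"] and r["key"]
                       and _scopes_users(r) for r in rules):
                missing.append("delete:%s:%s" % (arch, syscall))
    for path in PRIVILEGED_PATHS:
        if not any(r["path"] == path and "x" in r["perm"] and r["key"]
                   and _scopes_users(r) for r in rules):
            missing.append("privileged:" + path)
    return sorted(missing)


# Constructed sample in the shape `auditctl -l` prints on RHEL 7: the three
# per-syscall lines from rules.d were merged into one b64 rule, auid!=unset
# became auid!=-1, the b32 rule lacks renameat, and usernetctl was never added.
SAMPLE_LOADED_RULES = """
-a always,exit -F arch=b64 -S rename,renameat,unlink -F auid>=1000 -F auid!=-1 -F key=delete
-a always,exit -F arch=b32 -S rename,unlink -F auid>=1000 -F auid!=-1 -F key=delete
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=-1 -F key=special-config-changes
""".strip().splitlines()


if __name__ == "__main__":
    for item in missing_rules(SAMPLE_LOADED_RULES):
        print("missing:", item)
```

On a real host, feed it the output of `auditctl -l` (what the kernel actually enforces) rather than the files, since a syntax error in one rules.d file silently stops augenrules from loading the rest.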
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80401-3
PATTERN="-a always,exit -F path=/usr/bin/sudo\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/sudo.*$
    patterns: '*.rules'
  register: find_sudo
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80401-3
    - DISA-STIG-RHEL-07-030690
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_sudo.matched is defined and find_sudo.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80401-3
    - DISA-STIG-RHEL-07-030690
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_sudo.files | map(attribute=''path'') | list | first }}'
  when:
    - find_sudo.matched is defined and find_sudo.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80401-3
    - DISA-STIG-RHEL-07-030690
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the sudo rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80401-3
    - DISA-STIG-RHEL-07-030690
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the sudo rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudo
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80401-3
    - DISA-STIG-RHEL-07-030690
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-82074-6
PATTERN="-a always,exit -F path=/usr/sbin/usernetctl\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/sbin/usernetctl.*$
    patterns: '*.rules'
  register: find_usernetctl
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82074-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_usernetctl.matched is defined and find_usernetctl.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82074-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_usernetctl.files | map(attribute=''path'') | list | first }}'
  when:
    - find_usernetctl.matched is defined and find_usernetctl.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82074-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the usernetctl rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82074-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
- name: Inserts/replaces the usernetctl rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_usernetctl
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82074-6
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes112131415162356789APO10.01APO10.03APO10.04APO10.05APO11.04BAI03.05DSS01.03DSS03.05DSS05.02DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.013.1.7CCI-000135CCI-000172CCI-002884164.308(a)(1)(ii)(D)164.308(a)(3)(ii)(A)164.308(a)(5)(ii)(C)164.312(a)(2)(i)164.312(b)164.312(d)164.312(e)4.3.2.6.74.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 6.1SR 6.2A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.14.2.7A.15.2.1A.15.2.2AU-2(d)AU-12(c)AC-6(9)CM-6(a)DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.PT-1SRG-OS-000042-GPOS-00020SRG-OS-000392-GPOS-00172SRG-OS-000471-GPOS-00215RHEL-07-030760SV-86799r4_ruleSRG-OS-000471-VMM-001910Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.CCE-80406-2
PATTERN="-a always,exit -F path=/usr/sbin/postdrop\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
find:
paths: /etc/audit/rules.d
recurse: false
contains: ^.*path=/usr/sbin/postdrop.*$
patterns: '*.rules'
register: find_postdrop
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_postdrop
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80406-2
- DISA-STIG-RHEL-07-030760
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_postdrop.matched is defined and find_postdrop.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_postdrop
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80406-2
- DISA-STIG-RHEL-07-030760
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_postdrop.files | map(attribute=''path'') | list | first }}'
when:
- find_postdrop.matched is defined and find_postdrop.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_postdrop
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80406-2
- DISA-STIG-RHEL-07-030760
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the postdrop rule in rules.d
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_postdrop
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80406-2
- DISA-STIG-RHEL-07-030760
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the postdrop rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_postdrop
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80406-2
- DISA-STIG-RHEL-07-030760
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: CIS Controls 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000135, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2013 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215; DISA STIG RHEL-07-030720, SV-86791r4_rule; SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifier: CCE-80404-7
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/bin/chsh\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is a shared helper from the guide's remediation function library)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/chsh.*$
    patterns: '*.rules'
  register: find_chsh
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chsh
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80404-7
  - DISA-STIG-RHEL-07-030720
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_chsh.matched is defined and find_chsh.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chsh
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80404-7
  - DISA-STIG-RHEL-07-030720
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_chsh.files | map(attribute=''path'') | list | first }}'
  when:
  - find_chsh.matched is defined and find_chsh.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chsh
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80404-7
  - DISA-STIG-RHEL-07-030720
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chsh rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chsh
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80404-7
  - DISA-STIG-RHEL-07-030720
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chsh rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chsh
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80404-7
  - DISA-STIG-RHEL-07-030720
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: CCI-000172; NIST 800-53 AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a); FAU_GEN.1.1.c; SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifier: CCE-82200-7
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/bin/newgidmap\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is a shared helper from the guide's remediation function library)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/newgidmap.*$
    patterns: '*.rules'
  register: find_newgidmap
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_newgidmap
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82200-7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_newgidmap.matched is defined and find_newgidmap.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_newgidmap
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82200-7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_newgidmap.files | map(attribute=''path'') | list | first }}'
  when:
  - find_newgidmap.matched is defined and find_newgidmap.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_newgidmap
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82200-7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the newgidmap rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_newgidmap
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82200-7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the newgidmap rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_newgidmap
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82200-7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: CIS Controls 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000135, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2013 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; FAU_GEN.1.1.c; SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215; DISA STIG RHEL-07-030650, SV-86777r5_rule; SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifier: CCE-80397-3
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/bin/gpasswd\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is a shared helper from the guide's remediation function library)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/gpasswd.*$
    patterns: '*.rules'
  register: find_gpasswd
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_gpasswd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80397-3
  - DISA-STIG-RHEL-07-030650
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_gpasswd.matched is defined and find_gpasswd.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_gpasswd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80397-3
  - DISA-STIG-RHEL-07-030650
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_gpasswd.files | map(attribute=''path'') | list | first }}'
  when:
  - find_gpasswd.matched is defined and find_gpasswd.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_gpasswd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80397-3
  - DISA-STIG-RHEL-07-030650
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the gpasswd rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_gpasswd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80397-3
  - DISA-STIG-RHEL-07-030650
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the gpasswd rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_gpasswd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80397-3
  - DISA-STIG-RHEL-07-030650
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - chage
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: CIS Controls 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000135, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2013 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215; DISA STIG RHEL-07-030660, SV-86779r5_rule; SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifier: CCE-80398-1
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/bin/chage\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is a shared helper from the guide's remediation function library)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/chage.*$
    patterns: '*.rules'
  register: find_chage
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chage
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80398-1
  - DISA-STIG-RHEL-07-030660
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_chage.matched is defined and find_chage.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chage
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80398-1
  - DISA-STIG-RHEL-07-030660
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_chage.files | map(attribute=''path'') | list | first }}'
  when:
  - find_chage.matched is defined and find_chage.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chage
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80398-1
  - DISA-STIG-RHEL-07-030660
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chage rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chage
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80398-1
  - DISA-STIG-RHEL-07-030660
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the chage rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_chage
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80398-1
  - DISA-STIG-RHEL-07-030660
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: CIS Controls 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9; COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01; NIST 800-171 3.1.7; CCI-000135, CCI-000172, CCI-002884; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e); ISA-62443-2013 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA-62443-2009 SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2; ISO 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2; NIST 800-53 AU-2(d), AU-12(c), AC-6(9), CM-6(a); NIST CSF DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1; FAU_GEN.1.1.c; SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215; DISA STIG RHEL-07-030670, SV-86781r5_rule; SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifier: CCE-80399-9
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/sbin/userhelper\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# (fix_audit_syscall_rule is a shared helper from the guide's remediation function library)
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/sbin/userhelper.*$
    patterns: '*.rules'
  register: find_userhelper
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_userhelper
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80399-9
  - DISA-STIG-RHEL-07-030670
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_userhelper.matched is defined and find_userhelper.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_userhelper
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80399-9
  - DISA-STIG-RHEL-07-030670
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_userhelper.files | map(attribute=''path'') | list | first }}'
  when:
  - find_userhelper.matched is defined and find_userhelper.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_userhelper
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80399-9
  - DISA-STIG-RHEL-07-030670
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the userhelper rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_userhelper
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80399-9
  - DISA-STIG-RHEL-07-030670
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the userhelper rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset
      -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_userhelper
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80399-9
  - DISA-STIG-RHEL-07-030670
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - at
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: CCI-000172, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000471-VMM-001910
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-81060-6
PATTERN="-a always,exit -F path=/usr/bin/at\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/at.*$
    patterns: '*.rules'
  register: find_at
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_at
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81060-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_at.matched is defined and find_at.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_at
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81060-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_at.files | map(attribute=''path'') | list | first }}'
  when:
  - find_at.matched is defined and find_at.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_at
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81060-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the at rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_at
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81060-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the at rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_at
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81060-6
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, RHEL-07-030810, SV-86809r4_rule, SRG-OS-000471-VMM-001910
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-80411-2
PATTERN="-a always,exit -F path=/usr/sbin/pam_timestamp_check\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/sbin/pam_timestamp_check.*$
    patterns: '*.rules'
  register: find_pam_timestamp_check
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pam_timestamp_check
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80411-2
  - DISA-STIG-RHEL-07-030810
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_pam_timestamp_check.matched is defined and find_pam_timestamp_check.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pam_timestamp_check
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80411-2
  - DISA-STIG-RHEL-07-030810
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_pam_timestamp_check.files | map(attribute=''path'') | list | first }}'
  when:
  - find_pam_timestamp_check.matched is defined and find_pam_timestamp_check.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pam_timestamp_check
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80411-2
  - DISA-STIG-RHEL-07-030810
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the pam_timestamp_check rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pam_timestamp_check
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80411-2
  - DISA-STIG-RHEL-07-030810
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the pam_timestamp_check rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pam_timestamp_check
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80411-2
  - DISA-STIG-RHEL-07-030810
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, RHEL-07-030800, SV-86807r3_rule, SRG-OS-000471-VMM-001910
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-80410-4
PATTERN="-a always,exit -F path=/usr/bin/crontab\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/crontab.*$
    patterns: '*.rules'
  register: find_crontab
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_crontab
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80410-4
  - DISA-STIG-RHEL-07-030800
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_crontab.matched is defined and find_crontab.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_crontab
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80410-4
  - DISA-STIG-RHEL-07-030800
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_crontab.files | map(attribute=''path'') | list | first }}'
  when:
  - find_crontab.matched is defined and find_crontab.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_crontab
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80410-4
  - DISA-STIG-RHEL-07-030800
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the crontab rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_crontab
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80410-4
  - DISA-STIG-RHEL-07-030800
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the crontab rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_crontab
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80410-4
  - DISA-STIG-RHEL-07-030800
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - umount
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, RHEL-07-030750, SV-86797r5_rule, SRG-OS-000471-VMM-001910
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-80405-4
PATTERN="-a always,exit -F path=/usr/bin/umount\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/umount.*$
    patterns: '*.rules'
  register: find_umount
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_umount
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80405-4
  - DISA-STIG-RHEL-07-030750
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_umount.matched is defined and find_umount.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_umount
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80405-4
  - DISA-STIG-RHEL-07-030750
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_umount.files | map(attribute=''path'') | list | first }}'
  when:
  - find_umount.matched is defined and find_umount.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_umount
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80405-4
  - DISA-STIG-RHEL-07-030750
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the umount rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_umount
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80405-4
  - DISA-STIG-RHEL-07-030750
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the umount rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_umount
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80405-4
  - DISA-STIG-RHEL-07-030750
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, RHEL-07-030640, SV-86775r5_rule, SRG-OS-000471-VMM-001910
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-80396-5
PATTERN="-a always,exit -F path=/usr/sbin/unix_chkpwd\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/sbin/unix_chkpwd.*$
    patterns: '*.rules'
  register: find_unix_chkpwd
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_unix_chkpwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80396-5
  - DISA-STIG-RHEL-07-030640
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_unix_chkpwd.matched is defined and find_unix_chkpwd.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_unix_chkpwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80396-5
  - DISA-STIG-RHEL-07-030640
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_unix_chkpwd.files | map(attribute=''path'') | list | first }}'
  when:
  - find_unix_chkpwd.matched is defined and find_unix_chkpwd.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_unix_chkpwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80396-5
  - DISA-STIG-RHEL-07-030640
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unix_chkpwd rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_unix_chkpwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80396-5
  - DISA-STIG-RHEL-07-030640
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the unix_chkpwd rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_unix_chkpwd
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80396-5
  - DISA-STIG-RHEL-07-030640
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-80409-6
PATTERN="-a always,exit -F path=/usr/libexec/pt_chown\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/libexec/pt_chown.*$
    patterns: '*.rules'
  register: find_pt_chown
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pt_chown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80409-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/privileged.rules
  when:
  - find_pt_chown.matched is defined and find_pt_chown.matched == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pt_chown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80409-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_pt_chown.files | map(attribute=''path'') | list | first }}'
  when:
  - find_pt_chown.matched is defined and find_pt_chown.matched > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pt_chown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80409-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the pt_chown rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pt_chown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80409-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
- name: Inserts/replaces the pt_chown rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - audit_rules_privileged_commands_pt_chown
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80409-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-2(d)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, RHEL-07-030780, SV-86803r3_rule, SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-80408-8
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/libexec/openssh/ssh-keysign.*$
    patterns: '*.rules'
  register: find_ssh_keysign
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_ssh_keysign
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80408-8
    - DISA-STIG-RHEL-07-030780
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_ssh_keysign.matched is defined and find_ssh_keysign.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_ssh_keysign
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80408-8
    - DISA-STIG-RHEL-07-030780
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_ssh_keysign.files | map(attribute=''path'') | list | first }}'
  when:
    - find_ssh_keysign.matched is defined and find_ssh_keysign.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_ssh_keysign
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80408-8
    - DISA-STIG-RHEL-07-030780
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the ssh_keysign rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_ssh_keysign
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80408-8
    - DISA-STIG-RHEL-07-030780
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the ssh_keysign rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_ssh_keysign
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80408-8
    - DISA-STIG-RHEL-07-030780
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, RHEL-07-030730, SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-80402-1
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/bin/sudoedit\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/sudoedit.*$
    patterns: '*.rules'
  register: find_sudoedit
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudoedit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80402-1
    - DISA-STIG-RHEL-07-030730
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_sudoedit.matched is defined and find_sudoedit.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudoedit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80402-1
    - DISA-STIG-RHEL-07-030730
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_sudoedit.files | map(attribute=''path'') | list | first }}'
  when:
    - find_sudoedit.matched is defined and find_sudoedit.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudoedit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80402-1
    - DISA-STIG-RHEL-07-030730
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the sudoedit rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudoedit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80402-1
    - DISA-STIG-RHEL-07-030730
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the sudoedit rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_sudoedit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80402-1
    - DISA-STIG-RHEL-07-030730
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - mount
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: CCI-000172, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-81064-8
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/bin/mount\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/mount.*$
    patterns: '*.rules'
  register: find_mount
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81064-8
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_mount.matched is defined and find_mount.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81064-8
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_mount.files | map(attribute=''path'') | list | first }}'
  when:
    - find_mount.matched is defined and find_mount.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81064-8
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the mount rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81064-8
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the mount rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_mount
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81064-8
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: CCI-000172, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-81070-5
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/bin/newuidmap\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/bin/newuidmap.*$
    patterns: '*.rules'
  register: find_newuidmap
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81070-5
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_newuidmap.matched is defined and find_newuidmap.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81070-5
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_newuidmap.files | map(attribute=''path'') | list | first }}'
  when:
    - find_newuidmap.matched is defined and find_newuidmap.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81070-5
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the newuidmap rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81070-5
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the newuidmap rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_newuidmap
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81070-5
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, RHEL-07-030770, SV-86801r3_rule, SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-80407-0
Remediation Shell script:
PATTERN="-a always,exit -F path=/usr/sbin/postqueue\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
Remediation Ansible snippet:
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path=/usr/sbin/postqueue.*$
    patterns: '*.rules'
  register: find_postqueue
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80407-0
    - DISA-STIG-RHEL-07-030770
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when:
    - find_postqueue.matched is defined and find_postqueue.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80407-0
    - DISA-STIG-RHEL-07-030770
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - '{{ find_postqueue.files | map(attribute=''path'') | list | first }}'
  when:
    - find_postqueue.matched is defined and find_postqueue.matched > 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80407-0
    - DISA-STIG-RHEL-07-030770
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the postqueue rule in rules.d
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80407-0
    - DISA-STIG-RHEL-07-030770
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)

- name: Inserts/replaces the postqueue rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands_postqueue
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80407-0
    - DISA-STIG-RHEL-07-030770
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. To find the relevant setuid /
setgid programs, run the following command for each local partition
PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add a line of
the following form to a file with suffix .rules in the directory
/etc/audit/rules.d for each setuid / setgid program on the system,
replacing the SETUID_PROG_PATH part with the full path of that setuid /
setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules for each setuid / setgid program on the
system, replacing the SETUID_PROG_PATH part with the full path of that
setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Warning: This rule checks for multiple syscalls related to privileged commands;
it was written with DISA STIG in mind. Other policies should use a
separate rule for each syscall that needs to be checked. For example:
audit_rules_privileged_commands_su, audit_rules_privileged_commands_umount, audit_rules_privileged_commands_passwd
References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO08.04, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.05, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-002234, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.5, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.3.4.5.9, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 3.9, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.3, A.6.2.1, A.6.2.2, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-2, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, DE.DP-4, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, RS.CO-2, Req-10.2.2, SRG-OS-000327-GPOS-00127, RHEL-07-030360, SV-86719r7_rule, SRG-OS-000471-VMM-001910
Rationale: Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Identifiers: CCE-27437-3
Remediation Shell script:
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
# perform_audit_rules_privileged_commands_remediation is provided by the scap-security-guide
# shared bash remediation functions library (not defined here); the second argument is the
# minimum login UID (auid) the generated rules apply to.
perform_audit_rules_privileged_commands_remediation "auditctl" "1000"
perform_audit_rules_privileged_commands_remediation "augenrules" "1000"
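As an added check (example code, not the guide's or the scap-security-guide project's own), the following Python script parses audit rule lines of the form shown above and reports which setuid/setgid programs have no rule recording their execution; it accepts auditctl's alternative spellings of auid!=unset and the -k shorthand for key=. The rule files and program list embedded in it are constructed samples.

```python
"""Coverage check for the privileged-command audit rules described above.

Added example, not part of the guide or the scap-security-guide project. It
parses audit rule lines of the form used in this section,
  -a always,exit -F path=PROG -F perm=x -F auid>=1000 -F auid!=unset -F key=...
and reports which setuid/setgid programs no rule covers. Sample data is constructed.
"""
import re
import shlex

UNSET_AUID = {"unset", "4294967295", "-1"}  # auditctl spellings of "auid not set"
FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|=|>|<)(.*)$")


def parse_rule(line):
    """Parse one rule line into {'action': str, 'filters': [(field, op, value)]};
    return None for comments, control lines (-D, -b ...) and malformed rules."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    rule = {"action": None, "filters": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-a" and arg is not None:
            rule["action"] = arg
        elif tok == "-F" and arg is not None:
            m = FILTER_RE.match(arg)
            if m is None:
                return None
            rule["filters"].append(m.groups())
        elif tok == "-k" and arg is not None:
            rule["filters"].append(("key", "=", arg))  # -k KEY is -F key=KEY
        else:
            i += 1  # any other flag is not part of a path watch; skip it
            continue
        i += 2
    return rule if rule["action"] else None


def rule_covers(rule, prog, min_auid=1000):
    """True if RULE records every execution of PROG by a logged-in user: path=PROG,
    perm includes x, auid>=N with N <= min_auid (a lower floor still satisfies the
    guide's auid>=1000), and auid!=unset in any of auditctl's spellings."""
    if rule is None or rule["action"] not in ("always,exit", "exit,always"):
        return False
    flt = rule["filters"]
    has_path = ("path", "=", prog) in flt
    has_exec = any(f == "perm" and op == "=" and "x" in v for f, op, v in flt)
    has_floor = any(f == "auid" and op == ">=" and v.isdigit() and int(v) <= min_auid
                    for f, op, v in flt)
    has_unset = any(f == "auid" and op == "!=" and v in UNSET_AUID for f, op, v in flt)
    return has_path and has_exec and has_floor and has_unset


def uncovered_programs(rule_texts, programs):
    """rule_texts maps file name -> contents of audit.rules and rules.d/*.rules.
    Returns the sorted subset of PROGRAMS that no rule in any file covers."""
    rules = [parse_rule(ln) for text in rule_texts.values() for ln in text.splitlines()]
    rules = [r for r in rules if r is not None]
    return sorted(p for p in programs if not any(rule_covers(r, p) for r in rules))


# Constructed sample rule files. Three of the six programs are not properly
# covered: newuidmap lacks auid!=unset, postqueue has perm=r instead of perm=x,
# and pt_chown has no rule at all.
SAMPLE_RULES = {
    "/etc/audit/rules.d/privileged.rules": """\
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F key=privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=r -F auid>=1000 -F auid!=unset -F key=privileged
""",
    "/etc/audit/audit.rules": """\
-D
-b 8192
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k special-config-changes
""",
}
SAMPLE_PROGRAMS = [
    "/usr/bin/sudoedit", "/usr/bin/mount", "/usr/bin/newuidmap",
    "/usr/sbin/postqueue", "/usr/libexec/openssh/ssh-keysign", "/usr/libexec/pt_chown",
]

if __name__ == "__main__":
    # On a live host, build the program list with the guide's find command and
    # read /etc/audit/audit.rules plus /etc/audit/rules.d/*.rules into rule_texts.
    for prog in uncovered_programs(SAMPLE_RULES, SAMPLE_PROGRAMS):
        print("no execution audit rule for", prog)
```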
Remediation Ansible snippet:
- name: Search for privileged commands
  shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
  args:
    warn: false
    executable: /bin/bash
  check_mode: false
  register: find_result
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27437-3
    - PCI-DSS-Req-10.2.2
    - DISA-STIG-RHEL-07-030360
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1

- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path={{ item }} .*$
    patterns: '*.rules'
  with_items:
    - '{{ find_result.stdout_lines }}'
  register: files_result
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27437-3
    - PCI-DSS-Req-10.2.2
    - DISA-STIG-RHEL-07-030360
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1

- name: Overwrites the rule in rules.d
  lineinfile:
    path: '{{ item.1.path }}'
    line: -a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
    create: false
    regexp: ^.*path={{ item.0.item }} .*$
  with_subelements:
    - '{{ files_result.results }}'
    - files
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27437-3
    - PCI-DSS-Req-10.2.2
    - DISA-STIG-RHEL-07-030360
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1

- name: Adds the rule in rules.d
  lineinfile:
    path: /etc/audit/rules.d/privileged.rules
    line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
    create: true
  with_items:
    - '{{ files_result.results }}'
  when:
    - files_result.results is defined and item.matched == 0
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - audit_rules_privileged_commands
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27437-3
    - PCI-DSS-Req-10.2.2
    - DISA-STIG-RHEL-07-030360
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - CJIS-5.4.1.1

- name: Inserts/replaces the rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset
-F key=special-config-changes
create: true
regexp: ^.*path={{ item.item }} .*$
with_items:
- '{{ files_result.results }}'
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27437-3
- PCI-DSS-Req-10.2.2
- DISA-STIG-RHEL-07-030360
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- CJIS-5.4.1.1
Ensure auditd Collects Information on the Use of Privileged Commands - su
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80400-5
PATTERN="-a always,exit -F path=/usr/bin/su\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
find:
paths: /etc/audit/rules.d
recurse: false
contains: ^.*path=/usr/bin/su.*$
patterns: '*.rules'
register: find_su
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_su
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80400-5
- DISA-STIG-RHEL-07-030680
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_su.matched is defined and find_su.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_su
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80400-5
- DISA-STIG-RHEL-07-030680
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_su.files | map(attribute=''path'') | list | first }}'
when:
- find_su.matched is defined and find_su.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_su
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80400-5
- DISA-STIG-RHEL-07-030680
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the su rule in rules.d
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_su
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80400-5
- DISA-STIG-RHEL-07-030680
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the su rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_su
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80400-5
- DISA-STIG-RHEL-07-030680
- NIST-800-171-3.1.7
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
CCE-80403-9
PATTERN="-a always,exit -F path=/usr/bin/newgrp\\s\\+.*"
GROUP="privileged"
# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation
ARCH=""
FULL_RULE="-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- name: Search /etc/audit/rules.d for audit rule entries
find:
paths: /etc/audit/rules.d
recurse: false
contains: ^.*path=/usr/bin/newgrp.*$
patterns: '*.rules'
register: find_newgrp
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_newgrp
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80403-9
- DISA-STIG-RHEL-07-030710
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when:
- find_newgrp.matched is defined and find_newgrp.matched == 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_newgrp
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80403-9
- DISA-STIG-RHEL-07-030710
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- '{{ find_newgrp.files | map(attribute=''path'') | list | first }}'
when:
- find_newgrp.matched is defined and find_newgrp.matched > 0
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_newgrp
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80403-9
- DISA-STIG-RHEL-07-030710
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the newgrp rule in rules.d
lineinfile:
path: '{{ all_files[0] }}'
line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_newgrp
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80403-9
- DISA-STIG-RHEL-07-030710
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- name: Inserts/replaces the newgrp rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset
-F key=privileged
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- audit_rules_privileged_commands_newgrp
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80403-9
- DISA-STIG-RHEL-07-030710
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(c)
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
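The privileged-command rules above (the generic setuid/setgid rule and the su and newgrp rules) all share one rule shape. The following check, added here and not part of the scap-security-guide content, verifies that a rules file carries a compliant rule for each binary it is given; the function names are mine, the rules file path and binary list are arguments, and the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not code from the scap-security-guide project. Given the
# concatenated audit rules as one file (e.g. `cat /etc/audit/rules.d/*.rules`
# written to a file, or /etc/audit/audit.rules) it checks that each privileged
# binary has a rule of the form the rules above require:
#   -a always,exit -F path=BIN -F perm=x -F auid>=1000 -F auid!=unset ...
# Field order is not significant to auditctl, so each -F filter is matched
# independently; "auid!=4294967295" and "auid!=-1" are accepted as numeric
# spellings of "unset". The key name is not checked because the rules on this
# page use different keys (special-config-changes, privileged) for the same
# binary.

# has_priv_rule RULES_FILE BIN: exit 0 if a compliant rule for BIN exists.
has_priv_rule() {
    rules=$1
    bin_re=$(printf '%s' "$2" | sed 's/[.[\*^$]/\\&/g')   # escape regex chars
    grep -E '^-a[[:space:]]+(always,exit|exit,always)([[:space:]]|$)' "$rules" \
    | grep -E -- "-F[[:space:]]+path=${bin_re}([[:space:]]|$)" \
    | grep -E -- '-F[[:space:]]+perm=[rwa]*x[rwa]*([[:space:]]|$)' \
    | grep -E -- '-F[[:space:]]+auid>=1000([[:space:]]|$)' \
    | grep -E -- '-F[[:space:]]+auid!=(unset|4294967295|-1)([[:space:]]|$)' \
    | grep -q .
}

# priv_rules_missing RULES_FILE BIN...: print each BIN lacking a compliant
# rule, one per line; exit 0 when every binary is covered, 1 otherwise.
priv_rules_missing() {
    rules=$1; shift
    missing=0
    for bin in "$@"; do
        if ! has_priv_rule "$rules" "$bin"; then
            echo "$bin"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample for stand-alone use: three rules, of which only the
# first two are compliant (the passwd rule lacks the auid filters).
sample_rules() {
    cat <<'EOF'
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F key=privileged
EOF
}
```

On a host, concatenate /etc/audit/rules.d/*.rules into one file and pass it to priv_rules_missing together with the output of the find command used by the Ansible task above.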
System Accounting with auditd
The auditd program can perform comprehensive
monitoring of system activity. This section makes use of recommended
configuration settings for specific policies or use cases.
The rules in this section make use of rules defined in /usr/share/doc/audit-VERSION/rules.
Configure audit according to OSPP requirements
Configure audit to meet requirements for Operating System Protection Profile (OSPP) v4.2.1.
Audit defines groups of rules in /usr/share/doc/audit/rules to satisfy specific policies.
To fulfill requirements for compliance with OSPP v4.2.1, the following files are necessary:
/usr/share/doc/audit-VERSION/rules/10-base-config.rules
/usr/share/doc/audit-VERSION/rules/11-loginuid.rules
/usr/share/doc/audit-VERSION/rules/30-ospp-v42.rules
/usr/share/doc/audit-VERSION/rules/43-module-load.rules
Copy the files from /usr/share/doc/audit/rules to /etc/audit/rules.d:
cp /usr/share/doc/audit*/rules/{10-base-config,11-loginuid,30-ospp-v42,43-module-load}.rules /etc/audit/rules.d/
The audit rules defined in /usr/share/doc/audit/rules are the recommended way to meet compliance with OSPP v4.2.1.
CCE-82370-8
cp /usr/share/doc/audit*/rules/10-base-config.rules /etc/audit/rules.d
cp /usr/share/doc/audit*/rules/11-loginuid.rules /etc/audit/rules.d
cp /usr/share/doc/audit*/rules/30-ospp-v42.rules /etc/audit/rules.d
cp /usr/share/doc/audit*/rules/43-module-load.rules /etc/audit/rules.d
augenrules --load
Installing and Maintaining Software
The following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates.
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that
allows users to easily interact with the operating system graphically rather than
textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user
switching contexts as well as display server management.
GNOME is developed by the GNOME Project and is considered the default
Red Hat Graphical environment.
For more information on GNOME and the GNOME Project, see https://www.gnome.org.
Remove the GDM Package Group
By removing the gdm package, the system no longer has GNOME installed.
If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into the graphical.target
mode. To remove the package, run the following command:
$ sudo yum remove gdm
References: CM-7(a), CM-7(b), CM-6(a), SRG-OS-000480-GPOS-00227
Unnecessary service packages must not be installed to decrease the attack surface of the system.
A graphical environment is unnecessary for certain types of systems including a virtualization
hypervisor.
CCE-82348-4
# CAUTION: This remediation script will remove gdm
# from the system, and may remove any packages
# that depend on gdm. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "gdm" ; then
yum remove -y "gdm"
fi
- name: Ensure gdm is removed
package:
name: gdm
state: absent
tags:
- package_gdm_removed
- medium_severity
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82348-4
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
include remove_gdm
class remove_gdm {
package { 'gdm':
ensure => 'purged',
}
}
package --remove=gdm
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
By default, DConf uses a binary database as a data backend.
The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command.
References: SRG-OS-000480-GPOS-00227
Unlike text-based keyfiles, the binary database cannot be checked by OVAL.
Therefore, to evaluate the dconf configuration, two conditions must hold at the same time:
the keyfiles must be compliant, and the database must be more recent than those keyfiles,
which gives confidence that it reflects them.
CCE-81004-4
dconf update
Configure GNOME3 DConf User Profile
By default, DConf provides a standard user profile. This profile contains a list
of DConf configuration databases. The user profile and database always take the
highest priority. As such the DConf User profile should always exist and be
configured correctly.
To make sure that the user profile is configured correctly, the /etc/dconf/profile/user
should be set as follows:
user-db:user
system-db:local
system-db:site
system-db:distro
Failure to have a functional DConf profile prevents GNOME3 configuration settings
from being enforced for all users and allows various security risks.
CCE-27446-4
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked
by selecting the user name in the far right corner of the main panel and
selecting Lock.
The following sections detail commands to enforce idle activation of the screensaver,
screen locking, a blank-screen screensaver, and an idle activation time.
Because users should be trained to lock the screen when they
step away from the computer, the automatic locking feature is only
meant as a backup.
The root account can be screen-locked; however, the root account should
never be used to log into an X Windows environment and should only
be used for direct login via the console in emergency circumstances.
For more information about enforcing preferences in the GNOME3 environment using the DConf
configuration system, see http://wiki.gnome.org/dconf and
the man page dconf(1).
For Red Hat specific information on configuring DConf
settings, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/part-Configuration_and_Administration.html
Screensaver Inactivity timeout
Choose allowed duration (in seconds) of inactive graphical sessions. Selectable values: 900, 300, 1800, 900, 600
Screensaver Lock Delay
Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt. Selectable values: 0, 5, 0, 10
Implement Blank Screensaver
Run the following command to set the screensaver mode
in the GNOME desktop to a blank screen:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome-screensaver/mode blank-only
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
Enable Screen Lock Activation After Idle Period
Run the following command to activate locking of the screensaver
in the GNOME desktop when it is activated:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/lock_enabled true
Enabling the activation of the screen lock after an idle period
ensures password entry will be required in order to
access the system, preventing access by passersby.
Ensure Users Cannot Change GNOME3 Session Idle Settings
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings.
CCE-80544-0
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
- name: Prevent user modification of GNOME Session idle-delay
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/session/idle-delay
line: /org/gnome/desktop/session/idle-delay
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_session_idle_user_locks
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80544-0
- DISA-STIG-RHEL-07-010082
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
Set GNOME3 Screensaver Lock Delay After Activation Period
To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absence.
CCE-80370-0
var_screensaver_lock_delay=""
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
printf '%s=%s\n' "lock-delay" "uint32 ${var_screensaver_lock_delay}" >> ${DCONFFILE}
else
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
if grep -q "^\\s*lock-delay" "${SETTINGSFILES[@]}"
then
sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${SETTINGSFILES[@]}"
else
sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${SETTINGSFILES[@]}"
fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
- name: Set GNOME3 Screensaver Lock Delay After Activation Period
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/screensaver
option: lock-delay
value: uint32 5
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_screensaver_lock_delay
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80370-0
- PCI-DSS-Req-8.1.8
- DISA-STIG-RHEL-07-010110
- NIST-800-171-3.1.10
- NIST-800-53-AC-11(a)
- NIST-800-53-CM-6(a)
- name: Prevent user modification of GNOME lock-delay
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/screensaver/lock-delay
line: /org/gnome/desktop/screensaver/lock-delay
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_screensaver_lock_delay
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80370-0
- PCI-DSS-Req-8.1.8
- DISA-STIG-RHEL-07-010110
- NIST-800-171-3.1.10
- NIST-800-53-AC-11(a)
- NIST-800-53-CM-6(a)
Implement Blank Screensaver
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=''
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
CCE-80113-4
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
printf '%s=%s\n' "picture-uri" "string ''" >> ${DCONFFILE}
else
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")"
if grep -q "^\\s*picture-uri" "${SETTINGSFILES[@]}"
then
sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${SETTINGSFILES[@]}"
else
sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${SETTINGSFILES[@]}"
fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
- name: Implement Blank Screensaver
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/screensaver
option: picture-uri
value: string ''
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_screensaver_mode_blank
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80113-4
- PCI-DSS-Req-8.1.8
- NIST-800-171-3.1.10
- NIST-800-53-AC-11(1)
- NIST-800-53-CM-6(a)
- CJIS-5.5.5
- name: Prevent user modification of GNOME picture-uri
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/screensaver/picture-uri
line: /org/gnome/desktop/screensaver/picture-uri
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_screensaver_mode_blank
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80113-4
- PCI-DSS-Req-8.1.8
- NIST-800-171-3.1.10
- NIST-800-53-AC-11(1)
- NIST-800-53-CM-6(a)
- CJIS-5.5.5
Disable Full User Name on Splash Shield
By default when the screen is locked, the splash shield will show the user's
full name. This should be disabled to prevent casual observers from seeing
who has access to the system. This can be disabled by adding or setting
show-full-name-in-top-bar to false in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
show-full-name-in-top-bar=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/show-full-name-in-top-bar
After the settings have been set, run dconf update.
References: FMT_MOF_EXT.1
Setting the splash screen to not reveal the logged in user's name
conceals who has access to the system from passersby.
CCE-80114-2
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # If the db file already exists, separate the new section from its contents with a blank line
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> "${DCONFFILE}"
    printf '%s=%s\n' "show-full-name-in-top-bar" "false" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
    if grep -q "^\\s*show-full-name-in-top-bar" "${SETTINGSFILES[@]}"
    then
        # Key already present: rewrite its value in place
        sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        # Section present but key missing: append the key right after the section header
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Disable Full Username on Splash Screen
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/screensaver
    option: show-full-name-in-top-bar
    value: 'false'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_user_info
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80114-2

- name: Prevent user modification of GNOME show-full-name-in-top-bar
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/show-full-name-in-top-bar
    line: /org/gnome/desktop/screensaver/show-full-name-in-top-bar
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_user_info
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80114-2

Ensure Users Cannot Change GNOME3 Screensaver Settings

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-00029-GPOS-0010, RHEL-07-010081, SV-87807r4_rule
Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings.
Identifiers: CCE-80371-8
Remediation Shell script:
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update

Remediation Ansible snippet:
- name: Prevent user modification of GNOME lock-delay
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/lock-delay
    line: /org/gnome/desktop/screensaver/lock-delay
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_user_locks
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80371-8
    - DISA-STIG-RHEL-07-010081
    - NIST-800-171-3.1.10
    - NIST-800-53-CM-6(a)

GNOME Desktop Screensaver Mandatory Use

Run the following command to activate the screensaver
in the GNOME desktop after a period of inactivity:
$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/gnome-screensaver/idle_activation_enabled true
References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, Req-8.1.8
Rationale: Enabling idle activation of the screensaver ensures the screensaver will
be activated after the idle delay. Applications requiring continuous,
real-time screen display (such as network management products) require that the
login session not have administrator rights and that the display station be located in a
controlled-access area.

Enable GNOME3 Screensaver Idle Activation

To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set idle-activation-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-11(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, RHEL-07-010100, SV-86523r5_rule
Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock.
Enabling idle activation of the screensaver ensures the screensaver will
be activated after the idle delay. Applications requiring continuous,
real-time screen display (such as network management products) require that the
login session not have administrator rights and that the display station be located in a
controlled-access area.
Identifiers: CCE-80111-8
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # If the db file already exists, separate the new section from its contents with a blank line
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> "${DCONFFILE}"
    printf '%s=%s\n' "idle-activation-enabled" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*idle-activation-enabled" "${SETTINGSFILES[@]}"
    then
        # Key already present: rewrite its value in place
        sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        # Section present but key missing: append the key right after the section header
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Enable GNOME3 Screensaver Idle Activation
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/screensaver
    # The dconf key is spelled with hyphens; an underscored name would create an unrelated key
    option: idle-activation-enabled
    value: 'true'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_idle_activation_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80111-8
    - PCI-DSS-Req-8.1.8
    - DISA-STIG-RHEL-07-010100
    - NIST-800-171-3.1.10
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-11(a)
    - CJIS-5.5.5

- name: Prevent user modification of GNOME idle-activation-enabled
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled
    line: /org/gnome/desktop/screensaver/idle-activation-enabled
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_idle_activation_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80111-8
    - PCI-DSS-Req-8.1.8
    - DISA-STIG-RHEL-07-010100
    - NIST-800-171-3.1.10
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-11(a)
    - CJIS-5.5.5

Set GNOME Screen Locking Keybindings

Run the following command to prevent changes to the screensaver lock
keybindings:
$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type string \
    --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l"
References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-11(a), CM-6(a), PR.AC-4, PR.DS-5
Rationale: The ability to lock graphical desktop sessions manually allows users to
easily secure their accounts should they need to depart from their workstations
temporarily.

Set GNOME3 Screensaver Inactivity Timeout

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting, which must be set in an appropriate configuration file in the /etc/dconf/db/local.d directory
and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
/etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, RHEL-07-010070, SV-86517r5_rule
Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from
the immediate physical vicinity of the information system but does not logout because of the
temporary nature of the absence. Rather than relying on the user to manually lock their operating
system session prior to vacating the vicinity, GNOME3 can be configured to identify when
a user's session has idled and take action to initiate a session lock.
Identifiers: CCE-80110-0
Remediation Shell script:
# Idle delay in seconds; populated from the XCCDF value inactivity_timeout_value
inactivity_timeout_value=""
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # If the db file already exists, separate the new section from its contents with a blank line
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/session]" >> "${DCONFFILE}"
    printf '%s=%s\n' "idle-delay" "uint32 ${inactivity_timeout_value}" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
    if grep -q "^\\s*idle-delay" "${SETTINGSFILES[@]}"
    then
        # Key already present: rewrite its value in place
        sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        # Section present but key missing: append the key right after the section header
        sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: XCCDF Value inactivity_timeout_value # promote to variable
  set_fact:
    inactivity_timeout_value: !!str
  tags:
    - always

- name: Set GNOME3 Screensaver Inactivity Timeout
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    # idle-delay lives under org/gnome/desktop/session, as in the description and shell
    # remediation above, not under org/gnome/desktop/screensaver
    section: org/gnome/desktop/session
    option: idle-delay
    # dconf requires the explicit uint32 type annotation for this key
    value: 'uint32 {{ inactivity_timeout_value }}'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_idle_delay
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80110-0
    - PCI-DSS-Req-8.1.8
    - DISA-STIG-RHEL-07-010070
    - NIST-800-171-3.1.10
    - NIST-800-53-AC-11(a)
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.5

- name: Prevent user modification of GNOME idle-delay
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    # The lock path must match the key's real location under org/gnome/desktop/session
    regexp: ^/org/gnome/desktop/session/idle-delay
    line: /org/gnome/desktop/session/idle-delay
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_idle_delay
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80110-0
    - PCI-DSS-Req-8.1.8
    - DISA-STIG-RHEL-07-010070
    - NIST-800-171-3.1.10
    - NIST-800-53-AC-11(a)
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.5

Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-enabled
to /etc/dconf/db/local.d/locks/00-security-settings-lock.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, RHEL-07-010062, SV-93701r2_rule
Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absence.
Identifiers: CCE-80563-0
Remediation Shell script:
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update

Set GNOME Login Maximum Allowed Inactivity

Run the following command to set the maximum allowed period of inactivity for an
inactive user in the GNOME desktop to minutes:
$ sudo gconftool-2 \
    --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type int \
    --set /desktop/gnome/session/max_idle_time 
Rationale: Terminating an idle session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
and will also free up resources utilized by an idle session.

Set GNOME Login Maximum Allowed Inactivity Action

Run the following command to force the logout of an inactive user when the
maximum allowed inactivity period has expired:
$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type string \
    --set /desktop/gnome/session/max_idle_action "forced-logout"
Rationale: Terminating an idle session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
and will also free up resources utilized by an idle session.

Set GNOME Login Inactivity Timeout

Run the following command to set the idle time-out value for
inactivity in the GNOME desktop to minutes:
$ sudo gconftool-2 \
    --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type int \
    --set /desktop/gnome/session/idle_delay 
References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, Req-8.1.8
Rationale: Setting the idle delay controls when the
screensaver will start, and can be combined with
screen locking to prevent access from passersby.

Enable GNOME3 Screensaver Lock After Idle Period

To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-07-010060, SV-86515r6_rule
Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absence.
Identifiers: CCE-80112-6
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # If the db file already exists, separate the new section from its contents with a blank line
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> "${DCONFFILE}"
    printf '%s=%s\n' "lock-enabled" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*lock-enabled" "${SETTINGSFILES[@]}"
    then
        # Key already present: rewrite its value in place
        sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        # Section present but key missing: append the key right after the section header
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Enable GNOME3 Screensaver Lock After Idle Period
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/screensaver
    option: lock-enabled
    value: 'true'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_lock_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80112-6
    - PCI-DSS-Req-8.1.8
    - DISA-STIG-RHEL-07-010060
    - NIST-800-171-3.1.10
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.5

- name: Prevent user modification of GNOME lock-enabled
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/lock-enabled
    line: /org/gnome/desktop/screensaver/lock-enabled
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_screensaver_lock_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80112-6
    - PCI-DSS-Req-8.1.8
    - DISA-STIG-RHEL-07-010060
    - NIST-800-171-3.1.10
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.5

Ensure Users Cannot Change GNOME3 Screensaver Idle Activation

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/idle-activation-enabled
to /etc/dconf/db/local.d/locks/00-security-settings-lock.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, RHEL-07-010101, SV-93703r2_rule
Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absence.
Identifiers: CCE-80564-8
Remediation Shell script:
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
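The screen-locking rules above all follow one pattern: a key=value line in a keyfile under /etc/dconf/db/local.d plus a matching path in a lock file under /etc/dconf/db/local.d/locks. The following audit script is an added example, not scap-security-guide content: it parses both file kinds and reports which of those keys are missing, set to an unexpected value, or left unlocked (and therefore user-overridable). The 900-second upper bound on idle-delay is taken from the 15-minute example above and is an assumption of the check; the sample files are constructed.

```python
"""Audit dconf system-database keyfiles and lock files for the GNOME
screen-locking settings described above (added example; not part of
scap-security-guide)."""
import re
from typing import Callable, Dict, List, Set, Union

Check = Union[str, Callable[[str], bool]]


def idle_delay_ok(value: str) -> bool:
    """idle-delay is stored as 'uint32 <seconds>'; require 1..900 seconds,
    taking the upper bound from the 15-minute example above (assumption)."""
    m = re.fullmatch(r"uint32\s+(\d+)", value.strip())
    return m is not None and 0 < int(m.group(1)) <= 900


# Keys the rules above set, with the value each must carry.
REQUIRED: Dict[str, Check] = {
    "/org/gnome/desktop/screensaver/lock-enabled": "true",
    "/org/gnome/desktop/screensaver/idle-activation-enabled": "true",
    "/org/gnome/desktop/screensaver/show-full-name-in-top-bar": "false",
    "/org/gnome/desktop/session/idle-delay": idle_delay_ok,
}
# Keys the rules above only require to be locked, whatever their value.
LOCK_ONLY = ("/org/gnome/desktop/screensaver/lock-delay",)


def parse_keyfile(text: str) -> Dict[str, str]:
    """Flatten a dconf keyfile ([org/gnome/...] sections holding key=value
    lines) into a mapping of absolute dconf paths to raw values."""
    settings: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip("/")
            continue
        if section is None or "=" not in line:
            continue  # key outside any section, or malformed line: ignore
        key, value = line.split("=", 1)
        settings["/%s/%s" % (section, key.strip())] = value.strip()
    return settings


def parse_locks(text: str) -> Set[str]:
    """A lock file lists one absolute dconf path per line."""
    return {ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")}


def audit(db_files: Dict[str, str], lock_files: Dict[str, str]) -> List[str]:
    """Return one finding per problem.  Arguments map file names to contents;
    files whose names contain 'distro' or 'ibus' are skipped, mirroring the
    grep -v filter used by the remediation scripts above."""
    skip = re.compile(r"distro|ibus")
    settings: Dict[str, str] = {}
    locked: Set[str] = set()
    for name, text in db_files.items():
        if not skip.search(name):
            settings.update(parse_keyfile(text))
    for name, text in lock_files.items():
        if not skip.search(name):
            locked |= parse_locks(text)

    findings: List[str] = []
    for path, check in REQUIRED.items():
        value = settings.get(path)
        if value is None:
            findings.append("%s: not set in any system database" % path)
        else:
            ok = value == check if isinstance(check, str) else check(value)
            if not ok:
                findings.append("%s: unexpected value %r" % (path, value))
        if path not in locked:
            findings.append("%s: not locked (a user can override it)" % path)
    for path in LOCK_ONLY:
        if path not in locked:
            findings.append("%s: not locked (a user can override it)" % path)
    return findings


# Constructed sample files shaped like those the remediation scripts write.
# idle-delay is set but deliberately not locked, show-full-name-in-top-bar is
# absent, and the ibus file must be ignored by the audit.
SAMPLE_DB = {
    "/etc/dconf/db/local.d/00-security-settings": (
        "[org/gnome/desktop/screensaver]\n"
        "idle-activation-enabled=true\n"
        "lock-enabled=true\n"
        "\n"
        "[org/gnome/desktop/session]\n"
        "idle-delay=uint32 900\n"
    ),
    "/etc/dconf/db/local.d/00-ibus": "[desktop/ibus/general]\nuse-system-keyboard-layout=true\n",
}
SAMPLE_LOCKS = {
    "/etc/dconf/db/local.d/locks/00-security-settings-lock": (
        "/org/gnome/desktop/screensaver/idle-activation-enabled\n"
        "/org/gnome/desktop/screensaver/lock-enabled\n"
    ),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_DB, SAMPLE_LOCKS):
        print(finding)
```

To run it against a real host, read the files under /etc/dconf/db/local.d and its locks/ subdirectory into the two dictionaries instead of the constructed samples.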

GNOME Media Settings

GNOME media settings that apply to the graphical interface.

Disable GNOME Automounting

The system's default desktop environment, GNOME, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. Disable automount and autorun within GNOME
by running the following:
$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/nautilus/preferences/media_automount false
$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/nautilus/preferences/media_autorun_never true
References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6
Rationale: Disabling automatic mounting in GNOME can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.

Disable All GNOME Thumbnailers

The system's default desktop environment, GNOME, uses
a number of different thumbnailer programs to generate thumbnails
for any new or modified content in an opened folder. The following
command can disable the execution of these thumbnail applications:
$ sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /desktop/gnome/thumbnailers/disable_all true
This effectively prevents an attacker from gaining access to a
system through a flaw in GNOME's Nautilus thumbnail creators.
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: An attacker with knowledge of a flaw in a GNOME thumbnailer application could craft a malicious
file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem
(via a web upload for example) and assuming a user browses the same location using Nautilus, the
malicious file would exploit the thumbnailer with the potential for malicious code execution. It
is best to disable these thumbnailer applications unless they are explicitly required.

Disable All GNOME3 Thumbnailers

The system's default desktop environment, GNOME3, uses
a number of different thumbnailer programs to generate thumbnails
for any new or modified content in an opened folder. To disable the
execution of these thumbnail applications, add or set disable-all
to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/thumbnailers]
disable-all=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/thumbnailers/disable-all
After the settings have been set, run dconf update.
This effectively prevents an attacker from gaining access to a
system through a flaw in GNOME3's Nautilus thumbnail creators.
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious
file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem
(via a web upload for example) and assuming a user browses the same location using Nautilus, the
malicious file would exploit the thumbnailer with the potential for malicious code execution. It
is best to disable these thumbnailer applications unless they are explicitly required.
Identifiers: CCE-80123-3
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # If the db file already exists, separate the new section from its contents with a blank line
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> "${DCONFFILE}"
    printf '%s=%s\n' "disable-all" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*disable-all" "${SETTINGSFILES[@]}"
    then
        # Key already present: rewrite its value in place
        sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        # Section present but key missing: append the key right after the section header
        sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Disable All GNOME3 Thumbnailers
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/thumbnailers
    option: disable-all
    value: 'true'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_disable_thumbnailers
    - unknown_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80123-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

- name: Prevent user modification of GNOME3 Thumbnailers
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/thumbnailers/disable-all
    line: /org/gnome/desktop/thumbnailers/disable-all
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - dconf_gnome_disable_thumbnailers
    - unknown_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80123-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Disable GNOME3 Automounting

The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount and autorun within GNOME3, add or set
automount to false, automount-open to false, and
autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.
References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6
Rationale: Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.
Identifiers: CCE-80122-5
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # If the db file already exists, separate the new section from its contents with a blank line
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> "${DCONFFILE}"
    printf '%s=%s\n' "automount" "false" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
    # Anchor on the "=" so that an existing automount-open line is not mistaken for automount
    if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}"
    then
        # Key already present: rewrite its value in place
        sed -i "s/^\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        # Section present but key missing: append the key right after the section header
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # If the db file already exists, separate the new section from its contents with a blank line
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> "${DCONFFILE}"
    printf '%s=%s\n' "automount-open" "false" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
    if grep -q "^\\s*automount-open" "${SETTINGSFILES[@]}"
    then
        # Key already present: rewrite its value in place
        sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        # Section present but key missing: append the key right after the section header
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # If the db file already exists, separate the new section from its contents with a blank line
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> "${DCONFFILE}"
    printf '%s=%s\n' "autorun-never" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*autorun-never" "${SETTINGSFILES[@]}"
    then
        # Key already present: rewrite its value in place
        sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        # Section present but key missing: append the key right after the section header
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
- name: Disable GNOME3 Automounting - automount
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/media-handling
option: automount
value: 'false'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_automount
- unknown_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80122-5
- NIST-800-171-3.1.7
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- name: Prevent user modification of GNOME3 Automounting - automount
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/media-handling/automount
line: /org/gnome/desktop/media-handling/automount
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_automount
- unknown_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80122-5
- NIST-800-171-3.1.7
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- name: Disable GNOME3 Automounting - automount-open
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/media-handling
option: automount-open
value: 'false'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_automount
- unknown_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80122-5
- NIST-800-171-3.1.7
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- name: Prevent user modification of GNOME3 Automounting - automount-open
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/media-handling/automount-open
line: /org/gnome/desktop/media-handling/automount-open
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_automount
- unknown_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80122-5
- NIST-800-171-3.1.7
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- name: Disable GNOME3 Automounting - autorun-never
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/media-handling
option: autorun-never
value: 'true'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_automount
- unknown_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80122-5
- NIST-800-171-3.1.7
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- name: Prevent user modification of GNOME3 Automounting - autorun-never
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/media-handling/autorun-never
line: /org/gnome/desktop/media-handling/autorun-never
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_automount
- unknown_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80122-5
- NIST-800-171-3.1.7
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
GNOME System Settings
GNOME provides configuration and functionality to a graphical desktop environment
that changes graphical configurations or allows a user to perform
actions that users normally would not be able to do in non-graphical mode, such as
remote access configuration, power policies, geolocation, etc.
Configuring such settings in GNOME will prevent accidental graphical configuration
changes by users from taking place.
Disable Geolocation in GNOME3
GNOME allows the clock and applications to track and access
location information. This setting should be disabled as applications
should not track system location. To configure the system to disable
location tracking, add or set enabled to false in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/system/location]
enabled=false
To configure the clock to disable location tracking, add or set
geolocation to false in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/clocks]
geolocation=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/system/location/enabled
/org/gnome/clocks/geolocation
After the settings have been set, run dconf update.
Rationale: Power settings should not be enabled on systems that are not mobile devices.
Enabling power settings on non-mobile devices could have unintended processing
consequences on standard systems.
CCE-80117-5
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/system/location\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[org/gnome/system/location]" >> ${DCONFFILE}
printf '%s=%s\n' "enabled" "false" >> ${DCONFFILE}
else
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
if grep -q "^\\s*enabled" "${SETTINGSFILES[@]}"
then
sed -i "s/\\s*enabled\\s*=\\s*.*/enabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
else
sed -i "\\|\\[org/gnome/system/location\\]|a\\enabled=${escaped_value}" "${SETTINGSFILES[@]}"
fi
fi
dconf update
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/clocks\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[org/gnome/clocks]" >> ${DCONFFILE}
printf '%s=%s\n' "geolocation" "false" >> ${DCONFFILE}
else
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
if grep -q "^\\s*geolocation" "${SETTINGSFILES[@]}"
then
sed -i "s/\\s*geolocation\\s*=\\s*.*/geolocation=${escaped_value}/g" "${SETTINGSFILES[@]}"
else
sed -i "\\|\\[org/gnome/clocks\\]|a\\geolocation=${escaped_value}" "${SETTINGSFILES[@]}"
fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/system/location/enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/system/location/enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/clocks/geolocation$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/clocks/geolocation" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
- name: Disable Geolocation in GNOME3 - location tracking
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/system/location
option: enabled
value: 'false'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_geolocation
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80117-5
- name: Disable Geolocation in GNOME3 - clock location tracking
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/clocks
option: geolocation
value: 'false'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_geolocation
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80117-5
- name: Prevent user modification of GNOME geolocation - location tracking
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/system/location/enabled
line: /org/gnome/system/location/enabled
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_geolocation
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80117-5
- name: Prevent user modification of GNOME geolocation - clock location tracking
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/clocks/geolocation
line: /org/gnome/clocks/geolocation
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_geolocation
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80117-5
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME
By default, GNOME will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
Graphical User Interface (GUI) instead of rebooting the system, run the following:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome_settings_daemon/keybindings/power ""
References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5
Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
Disable the GNOME Clock Weather Feature
Run the following command to disable the weather feature of the clock applet
in the GNOME desktop:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/panel/applets/clock/prefs/show_weather false
Rationale: Disabling the weather feature in the GNOME clock prevents the
system from connecting to the internet and disclosing the system
location when set by a user.
Disable the GNOME Clock Temperature Feature
Run the following command to disable the temperature feature of the clock applet
in the GNOME desktop:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/panel/applets/clock/prefs/show_temperature false
Rationale: Disabling the temperature feature in the GNOME clock prevents the
system from connecting to the internet and disclosing the system
location when set by a user.
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence
from the Graphical User Interface (GUI) instead of rebooting the system,
add or set logout to string '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/media-keys]
logout=''
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.
References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
CCE-80124-1
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE}
printf '%s=%s\n' "logout" "string ''" >> ${DCONFFILE}
else
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")"
if grep -q "^\\s*logout" "${SETTINGSFILES[@]}"
then
sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${SETTINGSFILES[@]}"
else
sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${SETTINGSFILES[@]}"
fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
- name: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/settings-daemon/plugins/media-keys
option: logout
value: string ''
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_ctrlaltdel_reboot
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80124-1
- NIST-800-171-3.1.2
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-7(b)
- name: Prevent user modification of GNOME disablement of Ctrl-Alt-Del
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/settings-daemon/plugins/media-keys/logout
line: /org/gnome/settings-daemon/plugins/media-keys/logout
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_ctrlaltdel_reboot
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80124-1
- NIST-800-171-3.1.2
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-7(b)
Disable Power Settings in GNOME3
By default, GNOME enables a power profile designed for mobile devices
with battery usage. While useful for mobile devices, this setting should be disabled
for all other systems. To configure the system to disable the power setting, add or set
active to false in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/power]
active=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/settings-daemon/plugins/power
After the settings have been set, run dconf update.
Rationale: Power settings should not be enabled on systems that are not mobile devices.
Enabling power settings on non-mobile devices could have unintended processing
consequences on standard systems.
CCE-80116-7
Disable User Administration in GNOME3
By default, GNOME will allow all users to have some administration
capability. This should be disabled so that non-administrative users are not making
configuration changes. To configure the system to disable user administration
capability in the Graphical User Interface (GUI), add or set
user-administration-disabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/lockdown]
user-administration-disabled=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/lockdown/user-administration-disabled
After the settings have been set, run dconf update.
References: 3.1.5, FMT_MOD_EXT.1
Rationale: Allowing all users to have some administrative capabilities to the system through
the Graphical User Interface (GUI) when they would not have them otherwise could allow
unintended configuration changes as well as a nefarious user the capability to make system
changes such as adding new accounts, etc.
CCE-80115-9
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE}
printf '%s=%s\n' "user-administration-disabled" "true" >> ${DCONFFILE}
else
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s*user-administration-disabled" "${SETTINGSFILES[@]}"
then
sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
else
sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${SETTINGSFILES[@]}"
fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
- name: Disable User Administration in GNOME3
ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/lockdown
option: user-administration-disabled
value: 'true'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_user_admin
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80115-9
- NIST-800-171-3.1.5
- name: Prevent user modification of GNOME3 User Administration disablement
lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/lockdown/user-administration-disabled
line: /org/gnome/desktop/lockdown/user-administration-disabled
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_user_admin
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80115-9
- NIST-800-171-3.1.5
Configure GNOME Login Screen
In the default GNOME desktop, the login screen is displayed after system boot
and can display user accounts, allow users to reboot the system, and allow users to
login automatically and/or with a guest account. The login screen should be configured
to prevent such behavior.
For more information about enforcing preferences in the GNOME3 environment using the DConf
configuration system, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html and the man page dconf(1).
Enable the GNOME3 Login Smartcard Authentication
In the default graphical environment, smart card authentication
can be enabled on the login screen by setting enable-smartcard-authentication
to true.
To enable, add or edit enable-smartcard-authentication to
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
enable-smartcard-authentication=true
Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/enable-smartcard-authentication
After the settings have been set, run dconf update.
References: CCI-000765, CCI-000766, CCI-000767, CCI-000768, CCI-000771, CCI-000772, CCI-000884, CCI-001954, IA-2(3), IA-2(4), IA-2(8), IA-2(9), IA-2(11), Req-8.3, SRG-OS-000375-GPOS-00160, RHEL-07-010061, SV-92515r2_rule
Rationale: Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
CCE-80108-4
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
printf '%s=%s\n' "enable-smartcard-authentication" "true" >> ${DCONFFILE}
else
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s*enable-smartcard-authentication" "${SETTINGSFILES[@]}"
then
sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${SETTINGSFILES[@]}"
else
sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${SETTINGSFILES[@]}"
fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi
dconf update
- name: Enable the GNOME3 Login Smartcard Authentication
ini_file:
dest: /etc/dconf/db/gdm.d/00-security-settings
section: org/gnome/login-screen
option: enable-smartcard-authentication
value: 'true'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_enable_smartcard_auth
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80108-4
- PCI-DSS-Req-8.3
- DISA-STIG-RHEL-07-010061
- NIST-800-53-IA-2(3)
- NIST-800-53-IA-2(4)
- NIST-800-53-IA-2(8)
- NIST-800-53-IA-2(9)
- NIST-800-53-IA-2(11)
- name: Prevent user modification of GNOME3 disablement of Smartcard Authentication
lineinfile:
path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
regexp: ^/org/gnome/login-screen/enable-smartcard-authentication
line: /org/gnome/login-screen/enable-smartcard-authentication
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_enable_smartcard_auth
- medium_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80108-4
- PCI-DSS-Req-8.3
- DISA-STIG-RHEL-07-010061
- NIST-800-53-IA-2(3)
- NIST-800-53-IA-2(4)
- NIST-800-53-IA-2(8)
- NIST-800-53-IA-2(9)
- NIST-800-53-IA-2(11)
Disable the GNOME3 Login Restart and Shutdown Buttons
In the default graphical environment, users logging directly into the
system are greeted with a login screen that allows any user, known or
unknown, the ability to shut down or restart the system. This
functionality should be disabled by setting
disable-restart-buttons to true.
To disable, add or edit disable-restart-buttons to
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-restart-buttons=true
Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update.
References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons
are pressed at the login screen, this can create the risk of short-term loss of availability of systems
due to reboot.
CCE-80107-6
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
[ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
printf '%s=%s\n' "disable-restart-buttons" "true" >> ${DCONFFILE}
else
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
if grep -q "^\\s*disable-restart-buttons" "${SETTINGSFILES[@]}"
then
sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${SETTINGSFILES[@]}"
else
sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${SETTINGSFILES[@]}"
fi
fi
dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi
dconf update
- name: Disable the GNOME3 Login Restart and Shutdown Buttons
ini_file:
dest: /etc/dconf/db/gdm.d/00-security-settings
section: org/gnome/login-screen
option: disable-restart-buttons
value: 'true'
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_restart_shutdown
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80107-6
- NIST-800-171-3.1.2
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-7(b)
- name: Prevent user modification of GNOME disablement of Login Restart and Shutdown
Buttons
lineinfile:
path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
regexp: ^/org/gnome/login-screen/disable-restart-buttons
line: /org/gnome/login-screen/disable-restart-buttons
create: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- dconf_gnome_disable_restart_shutdown
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80107-6
- NIST-800-171-3.1.2
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-7(b)
Disable the GNOME Login Restart and Shutdown Buttons
In the default graphical environment, users logging
directly into the system are greeted with a login screen that allows
any user, known or unknown, the ability to shut down or restart
the system. This functionality should be disabled by running the following:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gdm/simple-greeter/disable_restart_buttons true
References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5
Rationale: A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons
are pressed at the login screen, this can create the risk of short-term loss of availability of systems
due to reboot.
Disable GDM Automatic Login
The GNOME Display Manager (GDM) can allow users to automatically log in without
user interaction or credentials. Users should always be required to authenticate themselves
to the system that they are authorized to use. To disable the ability of users to automatically
log in to the system, set AutomaticLoginEnable to false in the
[daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
AutomaticLoginEnable=false
References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-6(1), CM-7(b), PR.IP-1, FIA_AFL.1, SRG-OS-000480-GPOS-00229, RHEL-07-010440, SV-86577r2_rule
Rationale: Failure to restrict system access to authenticated users negatively impacts operating
system security.
CCE-80104-3
Remediation Shell script:
if rpm --quiet -q gdm
then
    if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
    then
        sed -i "/^\[daemon\]/a \
AutomaticLoginEnable=False" /etc/gdm/custom.conf
    else
        sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
    fi
fi
Remediation Ansible snippet:
- name: Disable GDM Automatic Login
  ini_file:
    dest: /etc/gdm/custom.conf
    section: daemon
    option: AutomaticLoginEnable
    value: 'false'
    no_extra_spaces: true
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - gnome_gdm_disable_automatic_login
  - high_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80104-3
  - DISA-STIG-RHEL-07-010440
  - NIST-800-171-3.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-7(b)

Set the GNOME3 Login Number of Failures
In the default graphical environment, the GNOME3 login
screen can be configured to restart the authentication process after
a configured number of attempts. This can be configured by setting
allowed-failures to 3 or less.
To enable, add or edit allowed-failures in
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
allowed-failures=3
Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/allowed-failures
After the settings have been set, run dconf update.
References: 3.1.8, FMT_MOF_EXT.1
Rationale: Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks.
Identifiers: CCE-80109-2
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from anything already in the file
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/login-screen]" >> "${DCONFFILE}"
    printf '%s=%s\n' "allowed-failures" "3" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")"
    if grep -q "^\\s*allowed-failures" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for the lock in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Enable the GNOME3 Login Number of Failures
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: allowed-failures
    value: '3'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_login_retries
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80109-2
  - NIST-800-171-3.1.8
- name: Prevent user modification of GNOME3 Login Number of Failures
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/allowed-failures
    line: /org/gnome/login-screen/allowed-failures
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_login_retries
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80109-2
  - NIST-800-171-3.1.8

Disable the GNOME3 Login User List
In the default graphical environment, users logging directly into the
system are greeted with a login screen that displays all known users.
This functionality should be disabled by setting disable-user-list
to true.
To disable, add or edit disable-user-list in
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.
References: CM-6(a), AC-23
Rationale: Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in.
Identifiers: CCE-80106-8
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from anything already in the file
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/login-screen]" >> "${DCONFFILE}"
    printf '%s=%s\n' "disable-user-list" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*disable-user-list" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for the lock in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Disable the GNOME3 Login User List
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: disable-user-list
    value: 'true'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_disable_user_list
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80106-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-23
- name: Prevent user modification of GNOME3 disablement of Login User List
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/disable-user-list
    line: /org/gnome/login-screen/disable-user-list
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_disable_user_list
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80106-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-23

Disable the User List
In the default graphical environment, users logging
directly into the system are greeted with a login screen that displays
all known users. This functionality should be disabled.
Run the following command to disable the user list:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gdm/simple-greeter/disable_user_list true
References: CM-6(a), AC-23, CM-7(b)
Rationale: Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in.

Disable GDM Guest Login
The GNOME Display Manager (GDM) can allow users to login without credentials,
which can be useful for public kiosk scenarios. Allowing users to login without credentials
or "guest" account access has inherent security risks and should be disabled. To disable
timed logins or guest account access, set TimedLoginEnable to false in
the [daemon] section of /etc/gdm/custom.conf. For example:
[daemon]
TimedLoginEnable=false
References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), IA-2, PR.IP-1, FIA_AFL.1, SRG-OS-000480-GPOS-00229, RHEL-07-010450, SV-86579r3_rule
Rationale: Failure to restrict system access to authenticated users negatively impacts operating
system security.
Identifiers: CCE-80105-0
Remediation Shell script:
if rpm --quiet -q gdm
then
    if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
    then
        sed -i "/^\[daemon\]/a \
TimedLoginEnable=False" /etc/gdm/custom.conf
    else
        sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=False/g" /etc/gdm/custom.conf
    fi
fi
Remediation Ansible snippet:
- name: Disable GDM Guest Login
  ini_file:
    dest: /etc/gdm/custom.conf
    section: daemon
    option: TimedLoginEnable
    value: 'false'
    no_extra_spaces: true
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - gnome_gdm_disable_guest_login
  - high_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80105-0
  - DISA-STIG-RHEL-07-010450
  - NIST-800-171-3.1.1
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2
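The two custom.conf remediations above append after an existing [daemon] header, so they do nothing if that section is missing. The following helper is an added example, not part of the guide or the scap-security-guide project: it reads and sets a key in a GDM-style keyfile idempotently, creating the section when it is absent and replacing an existing assignment in place. The file path and the demo values are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: idempotent get/set of a key in a
# GDM-style keyfile such as /etc/gdm/custom.conf. Creates the section when
# the file lacks it, replaces the first existing assignment in place and
# drops duplicate assignments of the same key within the section.

# keyfile_get FILE SECTION KEY -> prints the value, exit 1 if absent
keyfile_get() {
    [ -f "$1" ] || return 1
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
            sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# keyfile_set FILE SECTION KEY VALUE -> rewrites FILE in place
keyfile_set() {
    local file="$1" sec="$2" key="$3" val="$4" tmp
    [ -f "$file" ] || : > "$file"
    # No such section yet: append a header so the key has a home
    if ! grep -q "^\[$sec\]" "$file"; then
        { [ ! -s "$file" ] || echo; printf '[%s]\n' "$sec"; } >> "$file"
    fi
    tmp=$(mktemp)
    awk -v sec="[$sec]" -v key="$key" -v val="$val" '
        # emit the assignment once: in place, before leaving the section, or at EOF
        function emit() { if (insec && !done) { print key "=" val; done = 1 } }
        /^\[/ { emit(); insec = ($0 == sec) }
        insec && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
            emit(); next                   # replace first match, drop later duplicates
        }
        { print }
        END { emit() }' "$file" > "$tmp" && cat "$tmp" > "$file"   # keeps file mode
    rm -f "$tmp"
}

# Demo on a scratch copy (never touches /etc); pass --demo to run it
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '[daemon]\nWaylandEnable=false\n\n[security]\n' > "$demo"   # constructed sample
    keyfile_set "$demo" daemon AutomaticLoginEnable false
    keyfile_set "$demo" daemon TimedLoginEnable false
    cat "$demo"; rm -f "$demo"
fi
```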

GNOME Network Settings
GNOME network settings that apply to the graphical interface.

Disable WIFI Network Connection Creation in GNOME3
GNOME allows users to create ad-hoc wireless connections through the
NetworkManager applet. Wireless connections should be disabled by
adding or setting disable-wifi-create to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/nm-applet]
disable-wifi-create=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/nm-applet/disable-wifi-create
After the settings have been set, run dconf update.
References: 3.1.16
Rationale: Wireless network connections should not be allowed to be configured by general
users on a given system as it could open the system to backdoor attacks.
Identifiers: CCE-80118-3
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from anything already in the file
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/nm-applet]" >> "${DCONFFILE}"
    printf '%s=%s\n' "disable-wifi-create" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*disable-wifi-create" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for the lock in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Disable WiFi Network Connection Creation in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/nm-applet
    option: disable-wifi-create
    value: 'true'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_disable_wifi_create
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80118-3
  - NIST-800-171-3.1.16
- name: Prevent user modification of GNOME3 disablement of WiFi
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/nm-applet/disable-wifi-create
    line: /org/gnome/nm-applet/disable-wifi-create
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_disable_wifi_create
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80118-3
  - NIST-800-171-3.1.16

Disable WIFI Network Disconnect Notification in GNOME
By default, GNOME disables WIFI notification when disconnecting from a
wireless network. This should be permanently set so that users do not connect to
a wireless network when the system finds one. While useful for mobile devices,
this setting should be disabled for all other systems. To configure the system
to disable the WIFI notification, run the following:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/nm-applet/disable-disconnected-notifications true
Rationale: Wireless network connections should not be allowed to be configured by general
users on a given system as it could open the system to backdoor attacks.

Disable WIFI Network Connection Creation in GNOME
GNOME allows users to create ad-hoc wireless connections through the
NetworkManager applet. Wireless connections should be disabled by
running the following:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/nm-applet/disable-wifi-create true
Rationale: Wireless network connections should not be allowed to be configured by general
users on a given system as it could open the system to backdoor attacks.

Disable WIFI Network Connection Notification in GNOME
By default, GNOME disables WIFI notification when connecting to a wireless
network. This should be permanently set so that users do not connect to a wireless
network when the system finds one. While useful for mobile devices, this setting
should be disabled for all other systems. To configure the system to disable the
WIFI notification, run the following:
$ sudo gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/nm-applet/disable-connected-notifications true
Rationale: Wireless network connections should not be allowed to be configured by general
users on a given system as it could open the system to backdoor attacks.

Disable WIFI Network Notification in GNOME3
By default, GNOME disables WIFI notification. This should be permanently set
so that users do not connect to a wireless network when the system finds one.
While useful for mobile devices, this setting should be disabled for all other systems.
To configure the system to disable the WIFI notification, add or set
suppress-wireless-networks-available to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/nm-applet]
suppress-wireless-networks-available=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/nm-applet/suppress-wireless-networks-available
After the settings have been set, run dconf update.
References: 3.1.16
Rationale: Wireless network connections should not be allowed to be configured by general
users on a given system as it could open the system to backdoor attacks.
Identifiers: CCE-80119-1
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from anything already in the file
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/nm-applet]" >> "${DCONFFILE}"
    printf '%s=%s\n' "suppress-wireless-networks-available" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*suppress-wireless-networks-available" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for the lock in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Disable WiFi Network Notification in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/nm-applet
    option: suppress-wireless-networks-available
    value: 'true'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_disable_wifi_notification
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80119-1
  - NIST-800-171-3.1.16
- name: Prevent user modification of GNOME3 disablement of WiFi
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/nm-applet/suppress-wireless-networks-available
    line: /org/gnome/nm-applet/suppress-wireless-networks-available
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_disable_wifi_notification
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80119-1
  - NIST-800-171-3.1.16

GNOME Remote Access Settings
GNOME remote access settings that apply to the graphical interface.

Require Encryption for Remote Access in GNOME3
By default, GNOME requires encryption when using Vino for remote access.
To prevent remote access encryption from being disabled, add or set
require-encryption to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update.
References: 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227
Rationale: Open X displays allow an attacker to capture keystrokes and to execute commands
remotely.
Identifiers: CCE-80121-7
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from anything already in the file
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/Vino]" >> "${DCONFFILE}"
    printf '%s=%s\n' "require-encryption" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*require-encryption" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for the lock in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Require Encryption for Remote Access in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/Vino
    option: require-encryption
    value: 'true'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_remote_access_encryption
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80121-7
  - NIST-800-171-3.1.13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-17(2)
- name: Prevent user modification of GNOME3 Encryption for Remote Access
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/Vino/require-encryption
    line: /org/gnome/Vino/require-encryption
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_remote_access_encryption
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80121-7
  - NIST-800-171-3.1.13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-17(2)

Require Credential Prompting for Remote Access in GNOME3
By default, GNOME does not require credentials when using Vino for
remote access. To configure the system to require remote credentials, add or set
authentication-methods to ['vnc'] in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update.
References: 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
Rationale: Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely.
Identifiers: CCE-80120-9
Remediation Shell script:
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from anything already in the file
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/Vino]" >> "${DCONFFILE}"
    printf '%s=%s\n' "authentication-methods" "['vnc']" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
    if grep -q "^\\s*authentication-methods" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi
dconf update
# Check for the lock in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
Remediation Ansible snippet:
- name: Require Credential Prompting for Remote Access in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/Vino
    option: authentication-methods
    value: '[''vnc'']'
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_remote_access_credential_prompt
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80120-9
  - NIST-800-171-3.1.12
- name: Prevent user modification of GNOME3 Credential Prompting for Remote Access
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/Vino/authentication-methods
    line: /org/gnome/Vino/authentication-methods
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - dconf_gnome_remote_access_credential_prompt
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80120-9
  - NIST-800-171-3.1.12
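The dconf rules above (login retries, login user list, the two nm-applet keys and the two Vino keys) share one pattern: a key set in a file under /etc/dconf/db/<db>.d/ plus a matching path in its locks/ directory, and the remediations only treat the setting as enforced when both are present. The audit helper below is an added example, not part of the guide or the scap-security-guide project; it checks both halves for each of those keys, skipping "distro" and "ibus" files as the remediations do. DCONF_ROOT is an assumed override so the check can run against a copy of the tree.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: audit that a dconf key is set to the
# expected value in a system database directory and that it is locked.
# Layout follows the guide's remediations: settings files live in
# $DCONF_ROOT/<db>.d/, lock files in $DCONF_ROOT/<db>.d/locks/.

DCONF_ROOT=${DCONF_ROOT:-/etc/dconf/db}   # assumed override, e.g. for a copied tree

# dconf_value DB SECTION KEY -> prints the effective value, exit 1 if unset.
# Files whose names contain "distro" or "ibus" are skipped, as the guide does.
# dconf merges files in lexical order, so the last assignment wins.
dconf_value() {
    local dir="$DCONF_ROOT/$1.d" sec="[$2]" key="$3" f v val=""
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *distro*|*ibus*) continue ;; esac
        v=$(awk -v sec="$sec" -v key="$key" '
            /^\[/ { insec = ($0 == sec); next }
            insec && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
                sub(/^[^=]*=[ \t]*/, ""); val = $0
            }
            END { print val }' "$f")
        [ -n "$v" ] && val="$v"
    done
    [ -n "$val" ] && printf '%s\n' "$val"
}

# dconf_locked DB LOCKPATH -> exit 0 if some lock file lists the path verbatim
dconf_locked() {
    local dir="$DCONF_ROOT/$1.d/locks" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *distro*|*ibus*) continue ;; esac
        grep -qxF -- "$2" "$f" && return 0
    done
    return 1
}

# dconf_audit DB SECTION KEY EXPECTED -> one PASS/FAIL line, exit 0 only on PASS
dconf_audit() {
    local db="$1" sec="$2" key="$3" want="$4" got lock="/$2/$3"
    got=$(dconf_value "$db" "$sec" "$key") || { echo "FAIL $db $lock: not set"; return 1; }
    [ "$got" = "$want" ] || { echo "FAIL $db $lock: is '$got', want '$want'"; return 1; }
    dconf_locked "$db" "$lock" || { echo "FAIL $db $lock: set but not locked"; return 1; }
    echo "PASS $db $lock=$want (locked)"
}

# The six dconf keys this part of the guide sets, with their databases
dconf_audit_guide() {
    local rc=0
    dconf_audit gdm   org/gnome/login-screen allowed-failures 3 || rc=1
    dconf_audit gdm   org/gnome/login-screen disable-user-list true || rc=1
    dconf_audit local org/gnome/nm-applet disable-wifi-create true || rc=1
    dconf_audit local org/gnome/nm-applet suppress-wireless-networks-available true || rc=1
    dconf_audit local org/gnome/Vino require-encryption true || rc=1
    dconf_audit local org/gnome/Vino authentication-methods "['vnc']" || rc=1
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then
    dconf_audit_guide
fi
```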

Sudo
Sudo, which stands for "su 'do'", provides the ability to delegate authority
to certain users, groups of users, or system administrators. When configured for system
users and/or groups, Sudo can allow a user or group to execute privileged commands
that normally only root is allowed to execute.
For more information on Sudo and additional Sudo configuration options, see
https://www.sudo.ws.

Install sudo Package
The sudo package can be installed with the following command:
$ sudo yum install sudo
References: CM-6(a), SRG-OS-000324-GPOS-00125
Rationale: sudo is a program designed to allow a system administrator to give
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done.
Identifiers: CCE-82213-0
Remediation Shell script:
if ! rpm -q --quiet "sudo" ; then
    yum install -y "sudo"
fi
Remediation Ansible snippet:
- name: Ensure sudo is installed
  package:
    name: sudo
    state: present
  tags:
  - package_sudo_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82213-0
  - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include install_sudo
class install_sudo {
  package { 'sudo':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=sudo
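The sudo rules in this section require that neither the NOPASSWD tag nor the !authenticate option appears in /etc/sudoers or any snippet in /etc/sudoers.d/, with the vdsm user as the one permitted NOPASSWD exception. The following check is an added example, not part of the guide or the scap-security-guide project: it lists every offending entry, joining backslash-continued lines and ignoring comments so a tag on a continuation line is still seen. SUDOERS_FILES and ALLOWED_NOPASSWD_USERS are assumed variables for pointing it at test copies.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: list sudoers entries that waive
# re-authentication (the NOPASSWD tag or the !authenticate option).
# NOPASSWD rules whose user spec is in ALLOWED_NOPASSWD_USERS are exempt,
# matching the VDSM exception; nothing exempts !authenticate.

SUDOERS_FILES=${SUDOERS_FILES:-"/etc/sudoers /etc/sudoers.d/*"}   # assumed override
ALLOWED_NOPASSWD_USERS=${ALLOWED_NOPASSWD_USERS:-vdsm}           # assumed override

# sudoers_logical_lines FILE -> "FILE:LINE:TEXT" per logical (joined) line,
# LINE being the first physical line of the entry. Comment lines, including
# #include directives, are dropped; included files must be listed explicitly.
sudoers_logical_lines() {
    awk -v file="$1" '
        { sub(/[ \t]+$/, "") }
        /^[ \t]*#/ { next }
        /\\$/ {                                  # continued on the next line
            if (!start) start = NR
            buf = buf substr($0, 1, length($0) - 1)
            next
        }
        {
            if (!start) start = NR
            line = buf $0; buf = ""
            if (line ~ /[^ \t]/) print file ":" start ":" line
            start = 0
        }' "$1"
}

# sudoers_waivers -> prints offending entries, one per line (empty when clean)
sudoers_waivers() {
    local f
    for f in $SUDOERS_FILES; do          # unquoted on purpose so the glob expands
        [ -f "$f" ] || continue
        sudoers_logical_lines "$f" | awk -v allow=" $ALLOWED_NOPASSWD_USERS " '
            {
                text = $0
                sub(/^[^:]*:[^:]*:/, "", text); sub(/^[ \t]+/, "", text)
                if (text !~ /NOPASSWD|!authenticate/) next
                split(text, w, /[ \t]+/)         # w[1] is the user spec of the entry
                if (text !~ /!authenticate/ && index(allow, " " w[1] " ")) next
                print
            }'
    done
}

# sudoers_check -> exit 0 when nothing is flagged, 1 otherwise
sudoers_check() {
    local out
    out=$(sudoers_waivers) || true
    if [ -n "$out" ]; then
        printf 'FAIL: re-authentication waived by:\n%s\n' "$out"
        return 1
    fi
    echo "OK: no NOPASSWD/!authenticate entries outside: $ALLOWED_NOPASSWD_USERS"
}

if [ "${1:-}" = "--check" ]; then
    sudoers_check
fi
```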

Only the VDSM User Can Use sudo NOPASSWD
The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the vdsm user should have this capability in any sudo configuration snippets in /etc/sudoers.d/.
Rationale: Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
Identifiers: CCE-82349-2

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in the /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/.
References: NT28(R5), NT28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-07-010350, SV-86573r3_rule, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
Rationale: Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
Identifiers: CCE-80350-2

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
the /etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
References: NT28(R5), NT28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-07-010340, SV-86571r3_rule, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
Rationale: Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
Identifiers: CCE-80351-0

Ensure Users Re-Authenticate for Privilege Escalation - sudo
The sudo NOPASSWD tag and !authenticate option, when
specified, allow a user to execute commands using sudo without having to
authenticate. This should be disabled by making sure that
NOPASSWD and/or !authenticate do not exist in
the /etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
References: 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7
Rationale: Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
Identifiers: CCE-82278-3

System Tooling / Utilities
The following checks evaluate the system for recommended base packages -- both for installation
and removal.

Install binutils Package
The binutils package can be installed with the following command:
$ sudo yum install binutils
Rationale: binutils is a collection of binary utilities required for
foundational system operator activities, such as ld,
nm, objcopy and readelf.
Identifiers: CCE-82990-3
Remediation Shell script:
if ! rpm -q --quiet "binutils" ; then
    yum install -y "binutils"
fi
Remediation Ansible snippet:
- name: Ensure binutils is installed
  package:
    name: binutils
    state: present
  tags:
  - package_binutils_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82990-3
Remediation Puppet snippet:
include install_binutils
class install_binutils {
  package { 'binutils':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=binutils

Install libcap-ng-utils Package
The lib-cap-ng-utils package can be installed with the following command:
$ sudo yum install libcap-ng-utils
References: SRG-OS-000445-GPOS-00199
Rationale: libcap-ng-utils contains applications to analyze the POSIX
capabilities of all the programs running on a system.
libcap-ng-utils also lets system operators set the file
system based capabilities.
Identifiers: CCE-82980-4
Remediation Shell script:
if ! rpm -q --quiet "libcap-ng-utils" ; then
    yum install -y "libcap-ng-utils"
fi
Remediation Ansible snippet:
- name: Ensure libcap-ng-utils is installed
  package:
    name: libcap-ng-utils
    state: present
  tags:
  - package_libcap-ng-utils_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82980-4
Remediation Puppet snippet:
include install_libcap-ng-utils
class install_libcap-ng-utils {
  package { 'libcap-ng-utils':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=libcap-ng-utils

Install vim Package
The vim package can be installed with the following command:
$ sudo yum install vim
Rationale: Vim (Vi IMproved) is an almost compatible version of the UNIX editor vi.
Identifiers: CCE-82957-2
Remediation Shell script:
if ! rpm -q --quiet "vim" ; then
    yum install -y "vim"
fi
Remediation Ansible snippet:
- name: Ensure vim is installed
  package:
    name: vim
    state: present
  tags:
  - package_vim_installed
  - low_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82957-2
Remediation Puppet snippet:
include install_vim
class install_vim {
  package { 'vim':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=vim

Install scap-security-guide Package
The scap-security-guide package can be installed with the following command:
$ sudo yum install scap-security-guide
References: SRG-OS-000480-GPOS-00227
Rationale: The scap-security-guide package provides a guide for configuration of the system
from the final system's security point of view. The guidance is specified in the Security
Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening
advice, linked to government requirements where applicable. The SCAP Security Guide project
bridges the gap between generalized policy requirements and specific implementation guidelines.
A system administrator can use the oscap CLI tool from the openscap-scanner
package, or the SCAP Workbench GUI tool from the scap-workbench package, to verify
that the system conforms to provided guidelines. Refer to the scap-security-guide(8) manual
page for further information.
Identifiers: CCE-82951-5
if ! rpm -q --quiet "scap-security-guide" ; then
yum install -y "scap-security-guide"
fi
- name: Ensure scap-security-guide is installed
package:
name: scap-security-guide
state: present
tags:
- package_scap-security-guide_installed
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-82951-5
include install_scap-security-guide
class install_scap-security-guide {
package { 'scap-security-guide':
ensure => 'installed',
}
}
package --add=scap-security-guide
Install tar Package

The tar package can be installed with the following command:
$ sudo yum install tar

Rationale: The GNU tar program saves many files together into one archive and
can restore individual files (or all of the files) from the archive. tar
includes multivolume support, automatic archive compression/decompression, and
the ability to perform incremental and full backups. If

Identifiers: CCE-82966-3

Remediation Shell script:
if ! rpm -q --quiet "tar" ; then
    yum install -y "tar"
fi

Remediation Ansible snippet:
- name: Ensure tar is installed
  package:
    name: tar
    state: present
  tags:
    - package_tar_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82966-3

Remediation Puppet snippet:
include install_tar
class install_tar {
  package { 'tar':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=tar
Install rng-tools Package

The rng-tools package can be installed with the following command:
$ sudo yum install rng-tools

References: SRG-OS-000480-GPOS-00227

Rationale: rng-tools provides hardware random number generator tools,
such as those used in the formation of x509/PKI certificates.

Identifiers: CCE-82969-7

Remediation Shell script:
if ! rpm -q --quiet "rng-tools" ; then
    yum install -y "rng-tools"
fi

Remediation Ansible snippet:
- name: Ensure rng-tools is installed
  package:
    name: rng-tools
    state: present
  tags:
    - package_rng-tools_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82969-7

Remediation Puppet snippet:
include install_rng-tools
class install_rng-tools {
  package { 'rng-tools':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=rng-tools
Ensure nss-tools is installed

The nss-tools package can be installed with the following command:
$ sudo yum install nss-tools

References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227

Rationale: Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Install the nss-tools package
to install command-line tools to manipulate the NSS certificate
and key database.

Remediation Shell script:
if ! rpm -q --quiet "nss-tools" ; then
    yum install -y "nss-tools"
fi

Remediation Ansible snippet:
- name: Ensure nss-tools is installed
  package:
    name: nss-tools
    state: present
  tags:
    - package_nss-tools_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Remediation Puppet snippet:
include install_nss-tools
class install_nss-tools {
  package { 'nss-tools':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=nss-tools
Ensure gnutls-utils is installed

The gnutls-utils package can be installed with the following command:
$ sudo yum install gnutls-utils

References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227

Rationale: GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
protocols and technologies around them. It provides a simple C language
application programming interface (API) to access the secure communications
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
other required structures.
This package contains command line TLS client and server and certificate
manipulation tools.

Remediation Shell script:
if ! rpm -q --quiet "gnutls-utils" ; then
    yum install -y "gnutls-utils"
fi

Remediation Ansible snippet:
- name: Ensure gnutls-utils is installed
  package:
    name: gnutls-utils
    state: present
  tags:
    - package_gnutls-utils_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Remediation Puppet snippet:
include install_gnutls-utils
class install_gnutls-utils {
  package { 'gnutls-utils':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=gnutls-utils
Install openscap-scanner Package

The openscap-scanner package can be installed with the following command:
$ sudo yum install openscap-scanner

References: SRG-OS-000480-GPOS-00227, SRG-OS-000191-GPOS-00080

Rationale: openscap-scanner contains the oscap command line tool. This tool is a
configuration and vulnerability scanner, capable of performing compliance checking using
SCAP content.

Identifiers: CCE-82219-7

Remediation Shell script:
if ! rpm -q --quiet "openscap-scanner" ; then
    yum install -y "openscap-scanner"
fi

Remediation Ansible snippet:
- name: Ensure openscap-scanner is installed
  package:
    name: openscap-scanner
    state: present
  tags:
    - package_openscap-scanner_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82219-7

Remediation Puppet snippet:
include install_openscap-scanner
class install_openscap-scanner {
  package { 'openscap-scanner':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=openscap-scanner
Install subscription-manager Package

The subscription-manager package can be installed with the following command:
$ sudo yum install subscription-manager

References: FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153

Rationale: Red Hat Subscription Manager is a local service which tracks installed products
and subscriptions on a local system to help manage subscription assignments.
It communicates with the backend subscription service (the Customer Portal
or an on-premise server such as Subscription Asset Manager) and works with
content management tools such as yum.

Identifiers: CCE-82638-8

Remediation Shell script:
if ! rpm -q --quiet "subscription-manager" ; then
    yum install -y "subscription-manager"
fi

Remediation Ansible snippet:
- name: Ensure subscription-manager is installed
  package:
    name: subscription-manager
    state: present
  tags:
    - package_subscription-manager_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82638-8

Remediation Puppet snippet:
include install_subscription-manager
class install_subscription-manager {
  package { 'subscription-manager':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=subscription-manager
Install cryptsetup-luks Package

The cryptsetup-luks package can be installed with the following command:
$ sudo yum install cryptsetup-luks

Rationale: LUKS is the upcoming standard for Linux hard disk encryption. By providing a standard
on-disk format, it not only facilitates compatibility among distributions, but also
provides secure management of multiple user passwords. In contrast to existing solutions,
LUKS stores all necessary setup information in the partition header, enabling the user
to transport or migrate their data seamlessly. LUKS for dm-crypt is implemented in
cryptsetup. cryptsetup-luks is intended as a complete replacement for the
original cryptsetup. It provides all the functionality of the original
version plus all LUKS features, which are accessible through the luks* actions.

Identifiers: CCE-82996-0

Remediation Shell script:
if ! rpm -q --quiet "cryptsetup-luks" ; then
    yum install -y "cryptsetup-luks"
fi

Remediation Ansible snippet:
- name: Ensure cryptsetup-luks is installed
  package:
    name: cryptsetup-luks
    state: present
  tags:
    - package_cryptsetup-luks_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82996-0

Remediation Puppet snippet:
include install_cryptsetup-luks
class install_cryptsetup-luks {
  package { 'cryptsetup-luks':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=cryptsetup-luks
Uninstall abrt-plugin-sosreport Package

The abrt-plugin-sosreport package can be removed with the following command:
$ sudo yum erase abrt-plugin-sosreport

References: SRG-OS-000095-GPOS-00049

Rationale: abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report.

Identifiers: CCE-82911-9

Remediation Shell script:
# CAUTION: This remediation script will remove abrt-plugin-sosreport
# from the system, and may remove any packages
# that depend on abrt-plugin-sosreport. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "abrt-plugin-sosreport" ; then
    yum remove -y "abrt-plugin-sosreport"
fi

Remediation Ansible snippet:
- name: Ensure abrt-plugin-sosreport is removed
  package:
    name: abrt-plugin-sosreport
    state: absent
  tags:
    - package_abrt-plugin-sosreport_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82911-9

Remediation Puppet snippet:
include remove_abrt-plugin-sosreport
class remove_abrt-plugin-sosreport {
  package { 'abrt-plugin-sosreport':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=abrt-plugin-sosreport
Uninstall abrt-plugin-rhtsupport Package

The abrt-plugin-rhtsupport package can be removed with the following command:
$ sudo yum erase abrt-plugin-rhtsupport

References: SRG-OS-000095-GPOS-00049

Rationale: abrt-plugin-rhtsupport is an ABRT plugin to report bugs into the
Red Hat Support system.

Identifiers: CCE-82917-6

Remediation Shell script:
# CAUTION: This remediation script will remove abrt-plugin-rhtsupport
# from the system, and may remove any packages
# that depend on abrt-plugin-rhtsupport. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "abrt-plugin-rhtsupport" ; then
    yum remove -y "abrt-plugin-rhtsupport"
fi

Remediation Ansible snippet:
- name: Ensure abrt-plugin-rhtsupport is removed
  package:
    name: abrt-plugin-rhtsupport
    state: absent
  tags:
    - package_abrt-plugin-rhtsupport_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82917-6

Remediation Puppet snippet:
include remove_abrt-plugin-rhtsupport
class remove_abrt-plugin-rhtsupport {
  package { 'abrt-plugin-rhtsupport':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=abrt-plugin-rhtsupport
Uninstall krb5-workstation Package

The krb5-workstation package can be removed with the following command:
$ sudo yum erase krb5-workstation

References: SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061

Rationale: Kerberos is a network authentication system. The krb5-workstation package contains the basic
Kerberos programs (kinit, klist, kdestroy, kpasswd).
Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks,
nor is it permitted in many regulatory environments such as HIPAA.

Identifiers: CCE-82930-9

Remediation Shell script:
# CAUTION: This remediation script will remove krb5-workstation
# from the system, and may remove any packages
# that depend on krb5-workstation. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "krb5-workstation" ; then
    yum remove -y "krb5-workstation"
fi

Remediation Ansible snippet:
- name: Ensure krb5-workstation is removed
  package:
    name: krb5-workstation
    state: absent
  tags:
    - package_krb5-workstation_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82930-9

Remediation Puppet snippet:
include remove_krb5-workstation
class remove_krb5-workstation {
  package { 'krb5-workstation':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=krb5-workstation
Uninstall geolite2-country Package

The geolite2-country package can be removed with the following command:
$ sudo yum erase geolite2-country

Rationale: geolite2-country is part of the GeoLite2 database packages, offering geolocation databases and tooling.

Identifiers: CCE-82937-4

Remediation Shell script:
# CAUTION: This remediation script will remove geolite2-country
# from the system, and may remove any packages
# that depend on geolite2-country. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "geolite2-country" ; then
    yum remove -y "geolite2-country"
fi

Remediation Ansible snippet:
- name: Ensure geolite2-country is removed
  package:
    name: geolite2-country
    state: absent
  tags:
    - package_geolite2-country_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82937-4

Remediation Puppet snippet:
include remove_geolite2-country
class remove_geolite2-country {
  package { 'geolite2-country':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=geolite2-country
Uninstall abrt-addon-kerneloops Package

The abrt-addon-kerneloops package can be removed with the following command:
$ sudo yum erase abrt-addon-kerneloops

References: SRG-OS-000095-GPOS-00049

Rationale: abrt-addon-kerneloops contains plugins for collecting kernel crash information and
a reporter plugin which sends this information to a specified server, usually to kerneloops.org.

Identifiers: CCE-82927-5

Remediation Shell script:
# CAUTION: This remediation script will remove abrt-addon-kerneloops
# from the system, and may remove any packages
# that depend on abrt-addon-kerneloops. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "abrt-addon-kerneloops" ; then
    yum remove -y "abrt-addon-kerneloops"
fi

Remediation Ansible snippet:
- name: Ensure abrt-addon-kerneloops is removed
  package:
    name: abrt-addon-kerneloops
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_abrt-addon-kerneloops_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82927-5

Remediation Puppet snippet:
include remove_abrt-addon-kerneloops
class remove_abrt-addon-kerneloops {
  package { 'abrt-addon-kerneloops':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=abrt-addon-kerneloops
Uninstall iprutils Package

The iprutils package can be removed with the following command:
$ sudo yum erase iprutils

References: SRG-OS-000095-GPOS-00049

Rationale: iprutils provides a suite of utilities to manage and configure SCSI devices
supported by the ipr SCSI storage device driver.

Identifiers: CCE-82947-3

Remediation Shell script:
# CAUTION: This remediation script will remove iprutils
# from the system, and may remove any packages
# that depend on iprutils. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "iprutils" ; then
    yum remove -y "iprutils"
fi

Remediation Ansible snippet:
- name: Ensure iprutils is removed
  package:
    name: iprutils
    state: absent
  tags:
    - package_iprutils_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82947-3

Remediation Puppet snippet:
include remove_iprutils
class remove_iprutils {
  package { 'iprutils':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=iprutils
Uninstall abrt-plugin-logger Package

The abrt-plugin-logger package can be removed with the following command:
$ sudo yum erase abrt-plugin-logger

References: SRG-OS-000095-GPOS-00049

Rationale: abrt-plugin-logger is an ABRT plugin which writes a report
to a specified file.

Identifiers: CCE-82914-3

Remediation Shell script:
# CAUTION: This remediation script will remove abrt-plugin-logger
# from the system, and may remove any packages
# that depend on abrt-plugin-logger. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "abrt-plugin-logger" ; then
    yum remove -y "abrt-plugin-logger"
fi

Remediation Ansible snippet:
- name: Ensure abrt-plugin-logger is removed
  package:
    name: abrt-plugin-logger
    state: absent
  tags:
    - package_abrt-plugin-logger_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82914-3

Remediation Puppet snippet:
include remove_abrt-plugin-logger
class remove_abrt-plugin-logger {
  package { 'abrt-plugin-logger':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=abrt-plugin-logger
Uninstall geolite2-city Package

The geolite2-city package can be removed with the following command:
$ sudo yum erase geolite2-city

Rationale: geolite2-city is part of the GeoLite2 database packages, offering geolocation databases and tooling.

Identifiers: CCE-82940-8

Remediation Shell script:
# CAUTION: This remediation script will remove geolite2-city
# from the system, and may remove any packages
# that depend on geolite2-city. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "geolite2-city" ; then
    yum remove -y "geolite2-city"
fi

Remediation Ansible snippet:
- name: Ensure geolite2-city is removed
  package:
    name: geolite2-city
    state: absent
  tags:
    - package_geolite2-city_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82940-8

Remediation Puppet snippet:
include remove_geolite2-city
class remove_geolite2-city {
  package { 'geolite2-city':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=geolite2-city
Uninstall gssproxy Package

The gssproxy package can be removed with the following command:
$ sudo yum erase gssproxy

References: SRG-OS-000095-GPOS-00049

Rationale: gssproxy is a proxy for GSS API credential handling.

Identifiers: CCE-82944-0

Remediation Shell script:
# CAUTION: This remediation script will remove gssproxy
# from the system, and may remove any packages
# that depend on gssproxy. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "gssproxy" ; then
    yum remove -y "gssproxy"
fi

Remediation Ansible snippet:
- name: Ensure gssproxy is removed
  package:
    name: gssproxy
    state: absent
  tags:
    - package_gssproxy_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82944-0

Remediation Puppet snippet:
include remove_gssproxy
class remove_gssproxy {
  package { 'gssproxy':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=gssproxy
Uninstall abrt-addon-ccpp Package

The abrt-addon-ccpp package can be removed with the following command:
$ sudo yum erase abrt-addon-ccpp

References: SRG-OS-000095-GPOS-00049

Rationale: abrt-addon-ccpp contains hooks for crashed C/C++ programs and abrt's
C/C++ analyzer plugin.

Identifiers: CCE-82920-0

Remediation Shell script:
# CAUTION: This remediation script will remove abrt-addon-ccpp
# from the system, and may remove any packages
# that depend on abrt-addon-ccpp. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "abrt-addon-ccpp" ; then
    yum remove -y "abrt-addon-ccpp"
fi

Remediation Ansible snippet:
- name: Ensure abrt-addon-ccpp is removed
  package:
    name: abrt-addon-ccpp
    state: absent
  tags:
    - package_abrt-addon-ccpp_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82920-0

Remediation Puppet snippet:
include remove_abrt-addon-ccpp
class remove_abrt-addon-ccpp {
  package { 'abrt-addon-ccpp':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=abrt-addon-ccpp
Uninstall abrt-cli Package

The abrt-cli package can be removed with the following command:
$ sudo yum erase abrt-cli

References: SRG-OS-000095-GPOS-00049

Rationale: abrt-cli contains a command line client for controlling the abrt daemon
over sockets.

Identifiers: CCE-82908-5

Remediation Shell script:
# CAUTION: This remediation script will remove abrt-cli
# from the system, and may remove any packages
# that depend on abrt-cli. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "abrt-cli" ; then
    yum remove -y "abrt-cli"
fi

Remediation Ansible snippet:
- name: Ensure abrt-cli is removed
  package:
    name: abrt-cli
    state: absent
  tags:
    - package_abrt-cli_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82908-5

Remediation Puppet snippet:
include remove_abrt-cli
class remove_abrt-cli {
  package { 'abrt-cli':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=abrt-cli
Uninstall tuned Package

The tuned package can be removed with the following command:
$ sudo yum erase tuned

References: SRG-OS-000095-GPOS-00049

Rationale: tuned contains a daemon that tunes the system settings dynamically.
It does so by monitoring the usage of several system components periodically. Based
on that information, components will then be put into lower or higher power savings
modes to adapt to the current usage.

Identifiers: CCE-82905-1

Remediation Shell script:
# CAUTION: This remediation script will remove tuned
# from the system, and may remove any packages
# that depend on tuned. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "tuned" ; then
    yum remove -y "tuned"
fi

Remediation Ansible snippet:
- name: Ensure tuned is removed
  package:
    name: tuned
    state: absent
  tags:
    - package_tuned_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82905-1

Remediation Puppet snippet:
include remove_tuned
class remove_tuned {
  package { 'tuned':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=tuned
Uninstall abrt-addon-python Package

The abrt-addon-python package can be removed with the following command:
$ sudo yum erase abrt-addon-python

References: SRG-OS-000095-GPOS-00049

Rationale: abrt-addon-python contains a python hook and python analyzer
plugin for handling uncaught exceptions in python programs.

Identifiers: CCE-82924-2

Remediation Shell script:
# CAUTION: This remediation script will remove abrt-addon-python
# from the system, and may remove any packages
# that depend on abrt-addon-python. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "abrt-addon-python" ; then
    yum remove -y "abrt-addon-python"
fi

Remediation Ansible snippet:
- name: Ensure abrt-addon-python is removed
  package:
    name: abrt-addon-python
    state: absent
  tags:
    - package_abrt-addon-python_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82924-2

Remediation Puppet snippet:
include remove_abrt-addon-python
class remove_abrt-addon-python {
  package { 'abrt-addon-python':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=abrt-addon-python
System and Software Integrity

System and software integrity can be gained by installing antivirus, increasing
system encryption strength with FIPS, verifying installed software, enabling SELinux,
installing an Intrusion Prevention System, etc. However, installing or enabling integrity
checking tools cannot prevent intrusions; they can only detect that an intrusion
may have occurred. Requirements for integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based approaches such
as AIDE may induce considerable overhead in the presence of frequent software updates.

Disable Prelinking

The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
/etc/sysconfig/prelink:
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -ua

References: 1.5.4, 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590

Rationale: Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.

Identifiers: CCE-27078-5

Remediation Shell script:
# prelink not installed
if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
    if grep -q ^PRELINKING /etc/sysconfig/prelink
    then
        # POSIX character classes must be written [[:blank:]] / [[:alpha:]];
        # the bare [:blank:] form is rejected by GNU sed.
        sed -i 's/^PRELINKING[[:blank:]]*=[[:blank:]]*[[:alpha:]]*/PRELINKING=no/' /etc/sysconfig/prelink
    else
        printf '\n' >> /etc/sysconfig/prelink
        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
    fi
    # Undo previous prelink changes to binaries if prelink is available.
    if test -x /usr/sbin/prelink; then
        /usr/sbin/prelink -ua
    fi
fi

Remediation Ansible snippet:
- name: Does prelink file exist
  stat:
    path: /etc/sysconfig/prelink
  register: prelink_exists
  tags:
    - disable_prelink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27078-5
    - PCI-DSS-Req-11.5
    - NIST-800-171-3.13.11
    - NIST-800-53-SC-13
    - NIST-800-53-CM-6(a)
    - CJIS-5.10.1.3
- name: disable prelinking
  lineinfile:
    path: /etc/sysconfig/prelink
    regexp: ^PRELINKING=
    line: PRELINKING=no
  when: prelink_exists.stat.exists
  tags:
    - disable_prelink
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27078-5
    - PCI-DSS-Req-11.5
    - NIST-800-171-3.13.11
    - NIST-800-53-SC-13
    - NIST-800-53-CM-6(a)
    - CJIS-5.10.1.3
Federal Information Processing Standard (FIPS)

The Federal Information Processing Standard (FIPS) is a computer security standard which
is developed by the U.S. Government and industry working groups to validate the quality
of cryptographic modules. The FIPS standard provides four security levels to ensure
adequate coverage of different industries, implementation of cryptographic modules, and
organizational sizes and requirements.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
utilize authentication that meets industry and government requirements. For government systems, this allows
Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 7.
See http://csrc.nist.gov/publications/PubsFIPS.html for more information.

Install the dracut-fips Package

To enable FIPS, the system requires that the dracut-fips
package be installed.
The dracut-fips package can be installed with the following command:
$ sudo yum install dracut-fips

References: 1, 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590

Rationale: System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated.

Identifiers: CCE-80358-5

Remediation Shell script:
if ! rpm -q --quiet "dracut-fips" ; then
    yum install -y "dracut-fips"
fi

Remediation Ansible snippet:
- name: Ensure dracut-fips is installed
  package:
    name: dracut-fips
    state: present
  when:
    - ansible_distribution == 'RedHat'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_dracut-fips_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80358-5
    - NIST-800-171-3.13.11
    - NIST-800-171-3.13.8
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-IA-7
    - NIST-800-53-SC-13
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
    - CJIS-5.10.1.2

Remediation Anaconda snippet:
package --add=dracut-fips
Install the dracut-fips-aesni Package

To enable FIPS on systems that support the Advanced Encryption Standard
New Instructions (AES-NI) engine, the system requires that the dracut-fips-aesni
package be installed.
The dracut-fips-aesni package can be installed with the following command:
$ sudo yum install dracut-fips-aesni

Warning: The system needs to be rebooted for these changes to take effect.

References: 1, 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590

Rationale: System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated.

Remediation Shell script:
if grep -q -m1 -o aes /proc/cpuinfo; then
    if ! rpm -q --quiet "dracut-fips-aesni" ; then
        yum install -y "dracut-fips-aesni"
    fi
fi

Remediation Ansible snippet:
- name: Check if system supports AES-NI
  command: grep -q -m1 -o aes /proc/cpuinfo
  failed_when: aesni_supported.rc > 1
  register: aesni_supported
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_dracut-fips-aesni_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - NIST-800-171-3.13.11
    - NIST-800-171-3.13.8
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-IA-7
    - NIST-800-53-SC-13
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
    - CJIS-5.10.1.2
- name: Ensure dracut-fips-aesni is installed
  package:
    name: dracut-fips-aesni
    state: present
  when:
    - aesni_supported.rc == 0
    - ansible_distribution == 'RedHat'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_dracut-fips-aesni_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - NIST-800-171-3.13.11
    - NIST-800-171-3.13.8
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-IA-7
    - NIST-800-53-SC-13
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
    - CJIS-5.10.1.2
Enable FIPS Mode in GRUB2

To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
$ sudo yum install dracut-fips
dracut -f
After the dracut command has been run, add the argument fips=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -o command as follows:
On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Warning: Running dracut -f will overwrite the existing initramfs file.
Warning: The system needs to be rebooted for these changes to take effect.

References: 1, 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, RHEL-07-021350, SV-86691r4_rule, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590

Rationale: System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated.

Identifiers: CCE-80359-3

Remediation Shell script:
# prelink not installed
if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
    if grep -q ^PRELINKING /etc/sysconfig/prelink
    then
        # POSIX character classes must be written [[:blank:]] / [[:alpha:]];
        # the bare [:blank:] form is rejected by GNU sed.
        sed -i 's/^PRELINKING[[:blank:]]*=[[:blank:]]*[[:alpha:]]*/PRELINKING=no/' /etc/sysconfig/prelink
    else
        printf '\n' >> /etc/sysconfig/prelink
        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
    fi
    # Undo previous prelink changes to binaries if prelink is available.
    if test -x /usr/sbin/prelink; then
        /usr/sbin/prelink -ua
    fi
fi
if grep -q -m1 -o aes /proc/cpuinfo; then
    if ! rpm -q --quiet "dracut-fips-aesni" ; then
        yum install -y "dracut-fips-aesni"
    fi
fi
if ! rpm -q --quiet "dracut-fips" ; then
    yum install -y "dracut-fips"
fi
dracut -f
# Correct the form of default kernel command line in grub
if grep -q '^GRUB_CMDLINE_LINUX=.*fips=.*"' /etc/default/grub; then
    # modify the GRUB command-line if a fips= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)fips=[^[:space:]]*\(.*"\)/\1 fips=1 \2/' /etc/default/grub
else
    # no existing fips=arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 fips=1"/' /etc/default/grub
fi
# Get the UUID of the device mounted at /boot.
BOOT_UUID=$(findmnt --noheadings --output uuid --target /boot)
if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then
    # modify the GRUB command-line if a boot= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/grub
else
    # no existing boot=arg is present, append it
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub
fi
# Correct the form of kernel command line for each installed kernel in the bootloader
/sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}"
Remediation Ansible snippet:

- name: check prelink binary installed
  stat:
    path: /usr/sbin/prelink
  register: prelink_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: disable prelink
  lineinfile:
    dest: /etc/sysconfig/prelink
    regexp: ^#?PRELINKING
    line: PRELINKING=no
  when:
  - prelink_exists.stat.exists
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: revert prelinking binaries
  command: /usr/sbin/prelink -ua
  when:
  - prelink_exists.stat.exists
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: Check if system supports AES-NI
  command: grep -q -m1 -o aes /proc/cpuinfo
  failed_when: aesni_supported.rc > 1
  register: aesni_supported
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: Ensure dracut-fips-aesni is installed
  package:
    name: dracut-fips-aesni
    state: present
  when:
  - aesni_supported.rc == 0
  - ansible_distribution == 'RedHat'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: install dracut-fips
  package:
    name: dracut-fips
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: Rebuild initramfs
  command: dracut -f
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: check fips argument exists
  command: grep 'GRUB_CMDLINE_LINUX.*fips=' /etc/default/grub
  failed_when: false
  register: fipsargcheck
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: replace existing fips argument
  replace:
    path: /etc/default/grub
    regexp: fips=.
    replace: fips=1
  when:
  - fipsargcheck.rc == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: add fips argument
  replace:
    path: /etc/default/grub
    regexp: (GRUB_CMDLINE_LINUX=.*)"
    replace: \1 fips=1"
  when:
  - fipsargcheck.rc != 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: get boot device uuid
  command: findmnt --noheadings --output uuid --target /boot
  register: bootuuid
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: check boot argument exists
  command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub
  failed_when: false
  register: bootargcheck
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: replace existing boot argument
  replace:
    path: /etc/default/grub
    # Match the whole existing boot= argument (including an existing UUID=
    # prefix) and rewrite it in the same boot=UUID=<uuid> form the shell
    # remediation and the grubby task below use.
    regexp: boot=[^\s"]*
    replace: boot=UUID={{ bootuuid.stdout }}
  when:
  - bootargcheck.rc == 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: add boot argument
  replace:
    path: /etc/default/grub
    regexp: (GRUB_CMDLINE_LINUX=.*)"
    replace: \1 boot=UUID={{ bootuuid.stdout }}"
  when:
  - bootargcheck.rc != 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2
- name: update bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID={{ bootuuid.stdout }}"
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - grub2_enable_fips_mode
  - high_severity
  - restrict_strategy
  - high_complexity
  - medium_disruption
  - reboot_required
  - CCE-80359-3
  - DISA-STIG-RHEL-07-021350
  - NIST-800-171-3.13.8
  - NIST-800-171-3.13.11
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-IA-7
  - NIST-800-53-SC-13
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12
  - CJIS-5.10.1.2

Remediation Anaconda snippet:

package --add=dracut-fips --add=dracut-fips-aesni
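The remediations above put fips=1 and boot=UUID=<uuid of /boot> on the kernel command line and rebuild the initramfs with dracut-fips. The script below is an added verification helper written for this entry, not SCAP Security Guide code: it checks those two arguments the way a post-reboot audit would and, on a live host, whether the kernel actually entered FIPS mode. The function names, the sample /etc/default/grub contents and the UUID in it are constructed for the example; the two files read on a live host, /proc/sys/crypto/fips_enabled and /proc/cmdline, are the standard kernel interfaces.

```shell
#!/bin/bash
# Added verification helper for the FIPS-mode rule (not SCAP Security Guide
# code).  Checks the kernel command-line arguments the remediation sets
# (fips=1 and boot=UUID=<uuid of /boot>) and, on a live host, whether the
# running kernel reports FIPS mode.

# Return 0 when a kernel command line carries both fips=1 and a boot=UUID=
# argument with a well-formed UUID, 1 otherwise.  Arguments are matched as
# whole words, so "nofips=1", "fips=10" or "fips=0" do not pass.
cmdline_has_fips_args() {
    fips_ok=1
    boot_ok=1
    for arg in $1; do
        case "$arg" in
            fips=1) fips_ok=0 ;;
            boot=UUID=????????-????-????-????-????????????) boot_ok=0 ;;
        esac
    done
    if [ "$fips_ok" -eq 0 ] && [ "$boot_ok" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Same check applied to the contents of /etc/default/grub passed as a string.
# The file is sourced as shell by grub2-mkconfig, so the last
# GRUB_CMDLINE_LINUX="..." assignment is the one that takes effect.
grub_default_has_fips_args() {
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' \
        | tail -n 1)
    cmdline_has_fips_args "$value"
}

# Live-host check: 0 when /proc/sys/crypto/fips_enabled reports 1 and the
# booted command line carries the expected arguments; 1 otherwise, including
# on hosts without that sysctl.  The sysctl matters because fips=1 on the
# command line alone does not prove the kernel entered FIPS mode.
fips_mode_active() {
    [ -r /proc/sys/crypto/fips_enabled ] || return 1
    [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ] || return 1
    cmdline_has_fips_args "$(cat /proc/cmdline)"
}

# Constructed /etc/default/grub fragment (placeholder UUID, not a real host).
SAMPLE_GRUB='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet fips=1 boot=UUID=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"'

if grub_default_has_fips_args "$SAMPLE_GRUB"; then
    echo "sample GRUB_CMDLINE_LINUX carries fips=1 and boot=UUID="
fi
if fips_mode_active; then
    echo "this host is running in FIPS mode"
else
    echo "this host is not running in FIPS mode (or has no FIPS-capable kernel)"
fi
```

Source the script and call fips_mode_active after the reboot the rule requires; a zero exit status means both the sysctl and the command line agree. The whole-word matching is deliberate: a substring test such as grep fips= would accept nofips=1 or fips=0 and report a non-compliant host as compliant.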
System Cryptographic Policies

Linux has the capability to centrally configure cryptographic policies. The command
update-crypto-policies is used to set the policy applicable for the various
cryptographic back-ends, such as SSL/TLS libraries. The configured cryptographic
policies will be the default policy used by these backends unless the application
user configures them otherwise. When the system has been configured to use the
centralized cryptographic policies, the administrator is assured that any application
that utilizes the supported backends will follow a policy that adheres to the
configured profile.
Currently the supported backends are:
GnuTLS library
OpenSSL library
NSS library
OpenJDK
Libkrb5
BIND
OpenSSH
Applications and languages which rely on any of these backends will follow the
system policies as well. Examples are apache httpd, nginx, php, and others.

The system-provided crypto policies

Specify the crypto policy for the system.
Values: DEFAULT:NO-SHA1, LEGACY, FIPS:OSPP, DEFAULT, FIPS, FUTURE, NEXT

Harden SSH client Crypto Policy

Crypto Policies are means of enforcing certain cryptographic settings for selected applications including the OpenSSH client.
To override the system wide crypto policy for the OpenSSH client, place a file in /etc/ssh/ssh_config.d/ so that it is loaded before 05-redhat.conf. In this case it is a file named 02-ospp.conf containing the parameters which need to be changed with respect to the crypto policy.
This rule checks if the file exists and if it contains the required parameters and values which modify the Crypto Policy.
During the parsing process, as soon as the OpenSSH client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.

References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSHC_EXT.1, SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Rationale: The Common Criteria requirements specify how certain parameters for the OpenSSH client are configured. The particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently the particular requirements specified by CC are stricter than any existing Crypto Policy.

Harden SSHD Crypto Policy

Crypto Policies are means of enforcing certain cryptographic settings for selected applications including the OpenSSH server.
The SSHD service is by default configured to modify its configuration based on the currently configured Crypto Policy. However, in certain cases it might be needed to override the Crypto Policy specific to the OpenSSH server and leave the rest of the Crypto Policy intact.
This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with an arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that the changes are applied.
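To make the "first value wins" behaviour described for the SSH client concrete, here is an added example, my own and not code from the SCAP Security Guide or from OpenSSH: it replays OpenSSH's option resolution over configuration fragments read in lexical order, the order an Include of /etc/ssh/ssh_config.d/*.conf uses, and shows why an override must sort before 05-redhat.conf while anything appended after the policy fragment is ignored. The server-side helper reads a constructed stand-in for the /etc/crypto-policies/back-ends/opensshserver.config file that update-crypto-policies regenerates. The temporary directory, the file 90-late-override.conf, the helper names and every option value are constructed for the demonstration; they are not the Common Criteria-required values, which this rule does not list.

```shell
#!/bin/bash
# Added example: replays OpenSSH's "first value wins" option parsing over
# configuration fragments, to show which drop-in positions can and cannot
# override a setting that the system-wide crypto policy already sets.
# Not SCAP Security Guide or OpenSSH code; the sample files, their values
# and the helper names are constructed for this demonstration.

# Print the value OpenSSH would use for option $1, reading fragments $2.. in
# order: the first fragment that sets the option decides, later ones are
# ignored.  Only the "Option value" form is handled (not "Option=value");
# option names compare case-insensitively, as in ssh_config(5).
effective_option() {
    opt=$1
    shift
    for f in "$@"; do
        val=$(awk -v opt="$opt" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
            tolower($1) == tolower(opt) {
                sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
                print
                exit
            }' "$f")
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    return 1
}

# List the *.conf fragments of a drop-in directory in the order an
# "Include dir/*.conf" line reads them: lexical order of the file names.
ordered_fragments() {
    for f in "$1"/*.conf; do
        printf '%s\n' "$f"
    done | LC_ALL=C sort
}

# Server side: print the CRYPTO_POLICY value defined in an opensshserver
# back-end file, or fail when the file defines none.  Surrounding single
# quotes are stripped.
sshd_backend_policy() {
    sed -n 's/^CRYPTO_POLICY=//p' "$1" | sed "s/^'//; s/'\$//" | grep .
}

# Constructed sample tree standing in for /etc/ssh/ssh_config.d and
# /etc/crypto-policies/back-ends.  Values are illustrative only.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/ssh_config.d"

cat > "$demo_dir/ssh_config.d/02-ospp.conf" <<'EOF'
# site override; "02" sorts before "05", so it is read first and wins
RekeyLimit 512M 1h
GSSAPIAuthentication no
EOF

cat > "$demo_dir/ssh_config.d/05-redhat.conf" <<'EOF'
# stands in for the fragment generated from the system-wide crypto policy
GSSAPIAuthentication yes
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
EOF

cat > "$demo_dir/ssh_config.d/90-late-override.conf" <<'EOF'
# read after the policy fragment: its Ciphers line is ignored
Ciphers aes256-ctr
EOF

cat > "$demo_dir/opensshserver.config" <<'EOF'
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com -oMACs=hmac-sha2-512'
EOF

# Resolve one option against the sample client drop-in directory.
resolve_sample() {
    # shellcheck disable=SC2046  # one path per word; sample names have no spaces
    effective_option "$1" $(ordered_fragments "$demo_dir/ssh_config.d")
}

# Walk the parameters the rule names and show which fragment's value wins.
for opt in RekeyLimit GSSAPIAuthentication Ciphers PubkeyAcceptedKeyTypes MACs KexAlgorithms; do
    if v=$(resolve_sample "$opt"); then
        printf '%-24s %s\n' "$opt" "$v"
    else
        printf '%-24s (not set by any fragment)\n' "$opt"
    fi
done
printf 'sshd CRYPTO_POLICY: %s\n' "$(sshd_backend_policy "$demo_dir/opensshserver.config")"
```

Running it prints GSSAPIAuthentication as "no" (from 02-ospp.conf) and Ciphers as the aes256-gcm list from 05-redhat.conf, not the aes256-ctr value from the later file: that is the trap the paragraph above describes, and the reason the local.d customization mechanism cannot be used to tighten a client parameter the policy already sets. Against a real host, replace the sample directory with /etc/ssh/ssh_config.d to see the resolved values for the six parameters the rule names.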
Changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks if this file contains the predefined CRYPTO_POLICY environment variable configured with the predefined value.

References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_SSHS_EXT.1, SRG-OS-000250-GPOS-00093, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061

Rationale: The Common Criteria requirements specify that certain parameters for the OpenSSH server are configured, e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms and HMACs, and that GSSAPI key exchange is disabled. Currently the particular requirements specified by CC are stricter than any existing Crypto Policy.

Operating System Vendor Support and Certification

The assurance of a vendor to provide operating system support and maintenance
for their product is an important criterion to ensure product stability and
security over the life of the product. A certified product that follows the
necessary standards and government certification requirements guarantees that
known software vulnerabilities will be remediated, and proper guidance for
protecting and securing the operating system will be given.

The Installed Operating System Is Vendor Supported

The installed operating system must be maintained by a vendor.
Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise
Linux vendor, Red Hat, Inc. is responsible for providing security patches.
There is no remediation besides switching to a different operating system.

References: 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227, RHEL-07-020250, SV-86621r5_rule

Rationale: An operating system is considered "supported" if the vendor continues to
provide security patches for the product. With an unsupported release, it
will not be possible to resolve any security issue discovered in the system
software.

Identifiers: CCE-82371-6

The Installed Operating System Is FIPS 140-2 Certified

To enable processing of sensitive information the operating system must
provide certified cryptographic modules compliant with the FIPS 140-2
standard.
Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise
Linux vendor, Red Hat, Inc. is responsible for maintaining government certifications and standards.
There is no remediation besides switching to a different operating system.
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process.

References: CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590

Rationale: The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS
PUB 140-2) is a computer security standard. The standard specifies security
requirements for cryptographic modules used to protect sensitive
unclassified information. Refer to the full FIPS 140-2 standard at
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
for further details on the requirements.
FIPS 140-2 validation is required by U.S. law when information systems use
cryptography to protect sensitive government information. In order to
achieve FIPS 140-2 certification, cryptographic modules are subject to
extensive testing by independent laboratories, accredited by the National
Institute of Standards and Technology (NIST).

Identifiers: CCE-80657-0

Endpoint Protection Software

Endpoint protection security software that is not provided or supported
by Red Hat can be installed to provide complementary or duplicative
security capabilities to those provided by the base platform. Add-on
software may not be appropriate for some specialized systems.

Configure Backups of User Data

The operating system must conduct backups of user data contained
in the operating system. The operating system provides utilities for
automating backups of user data. Commercial and open-source products
are also available.

Rationale: Operating system backup is a critical step in maintaining data assurance and
availability. User-level information is data generated by information system
and/or application users. Backups shall be consistent with organizational
recovery time and recovery point objectives.

Install Virus Scanning Software

Virus scanning software can be used to protect a system from penetration by
computer viruses and to limit their spread through intermediate systems.
The virus scanning software should be configured to perform scans dynamically
on accessed files. If this capability is not available, the system must be
configured to scan, at a minimum, all altered files on the system on a daily
basis.
If the system processes inbound SMTP mail, the virus scanner must be configured
to scan all received mail.

References: 12, 13, 14, 4, 7, 8, APO01.06, APO13.02, BAI02.01, BAI06.01, DSS04.07, DSS05.01, DSS05.02, DSS05.03, DSS06.06, CCI-000366, CCI-001239, CCI-001668, 4.3.4.3.8, 4.4.3.2, SR 3.2, SR 3.3, SR 3.4, SR 4.1, A.12.2.1, A.14.2.8, A.8.2.3, CM-6(a), DE.CM-4, DE.DP-3, PR.DS-1, SRG-OS-000480-GPOS-00227, RHEL-07-032000, SV-86837r3_rule

Rationale: Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.

Identifiers: CCE-27140-3

Install Intrusion Detection Software

The base Red Hat Enterprise Linux 7 platform already includes a sophisticated auditing system that
can detect intruder activity, as well as SELinux, which provides host-based
intrusion prevention capabilities by confining privileged programs and user
sessions which may become compromised.
In DoD environments, supplemental intrusion detection and antivirus tools,
such as the McAfee Host-based Security System, are available to integrate with
existing infrastructure. Per DISA guidance, when these supplemental tools interfere
with proper functioning of SELinux, SELinux takes precedence. Should further
clarification be required, DISA contact information is published publicly at
https://public.cyber.mil/stigs/

References: 1, 12, 13, 14, 15, 16, 18, 7, 8, 9, APO01.06, APO13.01, DSS01.03, DSS01.05, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, CCI-001263, 4.3.3.4, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), DE.CM-1, PR.AC-5, PR.DS-5, PR.PT-4, Req-11.4

Rationale: Host-based intrusion detection tools provide a system-level defense when an
intruder gains access to a system or network.

Identifiers: CCE-26818-5

McAfee Endpoint Security Software

In DoD environments, McAfee Host-based Security System (HBSS) and
VirusScan Enterprise for Linux (VSEL) are required to be installed on all systems.

The age of McAfee definition file before requiring updating

Specify the amount of time (in seconds) before McAfee definition files need to be
updated.
Values: 2592000, 2592000, 604800, 86400

Enable nails Service

The nails service is used to run McAfee VirusScan Enterprise
for Linux and McAfee Host-based Security System (HBSS) services.
The nails service can be enabled with the following command:
$ sudo systemctl enable nails.service

References: 12, 13, 14, 4, 7, 8, APO01.06, APO13.02, BAI02.01, BAI06.01, DSS04.07, DSS05.01, DSS05.02, DSS05.03, DSS06.06, CCI-000366, CCI-001239, CCI-001668, 4.3.4.3.8, 4.4.3.2, SR 3.2, SR 3.3, SR 3.4, SR 4.1, A.12.2.1, A.14.2.8, A.8.2.3, CM-6(a), SC-28, SI-3(a), DE.CM-4, DE.DP-3, PR.DS-1, SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.

Identifiers: CCE-80128-2

Remediation Shell script:

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'nails.service'
"$SYSTEMCTL_EXEC" enable 'nails.service'
Remediation Ansible snippet:

- name: Enable service nails
  block:
  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service nails
    service:
      name: nails
      enabled: 'yes'
      state: started
    when:
    - '"nails" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_nails_enabled
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80128-2
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-28
  - NIST-800-53-SI-3(a)
Remediation Puppet snippet:

include enable_nails
class enable_nails {
  service {'nails':
    enable => true,
    ensure => 'running',
  }
}
Install the McAfee Runtime Libraries and Linux Agent

Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).

Rationale: The McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are dependencies
for VirusScan Enterprise for Linux (VSEL) and Host-based Security System (HBSS)
to run.

Identifiers: CCE-80367-6

Virus Scanning Software Definitions Are Updated

Ensure virus definition files are no older than 7 days or their last release.

References: 12, 13, 14, 4, 7, 8, APO01.06, APO13.02, BAI02.01, BAI06.01, DSS04.07, DSS05.01, DSS05.02, DSS05.03, DSS06.06, CCI-000366, CCI-001239, CCI-001668, 4.3.4.3.8, 4.4.3.2, SR 3.2, SR 3.3, SR 3.4, SR 4.1, A.12.2.1, A.14.2.8, A.8.2.3, CM-6(a), SC-28, SI-3(a), SI-3(b), SI-3(2), DE.CM-4, DE.DP-3, PR.DS-1, SRG-OS-000480-GPO S-00227, RHEL-07-032010

Rationale: Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.

Identifiers: CCE-80129-0

Install McAfee Virus Scanning Software

Install McAfee VirusScan Enterprise for Linux antivirus software,
which is provided for DoD systems and uses signatures to search for the
presence of viruses on the filesystem.
Due to McAfee HIPS being 3rd party software, automated
remediation is not available for this configuration check.

References: 12, 13, 14, 4, 7, 8, APO01.06, APO13.02, BAI02.01, BAI06.01, DSS04.07, DSS05.01, DSS05.02, DSS05.03, DSS06.06, CCI-000366, CCI-001239, CCI-001668, 4.3.4.3.8, 4.4.3.2, SR 3.2, SR 3.3, SR 3.4, SR 4.1, A.12.2.1, A.14.2.8, A.8.2.3, CM-6(a), SC-28, SI-3(a), DE.CM-4, DE.DP-3, PR.DS-1, SRG-OS-000480-GPOS-00227, RHEL-07-032000, SV-86837r3_rule

Rationale: Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.

Identifiers: CCE-80127-4

McAfee Host-Based Intrusion Detection Software (HBSS)

McAfee Host-based Security System (HBSS) is a suite of software applications
used to monitor, detect, and defend computer networks and systems.

Install the Policy Auditor (PA) Module

Install the Policy Auditor (PA) Module.
Due to McAfee being 3rd party software, automated
remediation is not available for this configuration check.

References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO01.06, APO07.06, APO08.04, APO10.05, APO11.06, APO12.01, APO12.02, APO12.03, APO12.04, APO12.06, APO13.01, APO13.02, BAI08.02, BAI08.04, DSS01.03, DSS01.05, DSS02.04, DSS02.05, DSS02.07, DSS03.01, DSS03.04, DSS03.05, DSS04.05, DSS05.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.01, DSS06.02, MEA03.03, MEA03.04, CCI-000366, CCI-001263, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, 4.3.3.4, 4.3.4.5.2, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.3.4.5.9, 4.4.3.2, 4.4.3.3, 4.4.3.4, SR 2.10, SR 2.11, SR 2.12, SR 2.4, SR 2.8, SR 2.9, SR 3.1, SR 3.3, SR 3.5, SR 3.8, SR 3.9, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.3, A.12.5.1, A.12.6.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.7, A.14.2.8, A.15.2.1, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7, A.18.1.4, A.18.2.2, A.18.2.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, Clause 16.1.2, Clause 7.4, CM-6(a), DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.CM-1, DE.CM-5, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, ID.RA-1, PR.AC-5, PR.DS-5, PR.IP-8, PR.PT-4, RS.AN-1, RS.CO-3, Req-11.4, STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense
when an intruder gains access to a system or network. Additionally, a host-based
intrusion prevention tool can provide methods to immediately lock out detected
intrusion attempts.

Identifiers: CCE-80369-2

Install the Asset Configuration Compliance Module (ACCM)

Install the Asset Configuration Compliance Module (ACCM).
Due to HBSS ACCM being 3rd party software, automated
remediation is not available for this configuration check.

References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO01.06, APO07.06, APO08.04, APO10.05, APO11.06, APO12.01, APO12.02, APO12.03, APO12.04, APO12.06, APO13.01, APO13.02, BAI08.02, BAI08.04, DSS01.03, DSS01.05, DSS02.04, DSS02.05, DSS02.07, DSS03.01, DSS03.04, DSS03.05, DSS04.05, DSS05.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.01, DSS06.02, MEA03.03, MEA03.04, CCI-000366, CCI-001263, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, 4.3.3.4, 4.3.4.5.2, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.3.4.5.9, 4.4.3.2, 4.4.3.3, 4.4.3.4, SR 2.10, SR 2.11, SR 2.12, SR 2.4, SR 2.8, SR 2.9, SR 3.1, SR 3.3, SR 3.5, SR 3.8, SR 3.9, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.3, A.12.5.1, A.12.6.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.7, A.14.2.8, A.15.2.1, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7, A.18.1.4, A.18.2.2, A.18.2.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, Clause 16.1.2, Clause 7.4, CM-6(a), DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.CM-1, DE.CM-5, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, ID.RA-1, PR.AC-5, PR.DS-5, PR.IP-8, PR.PT-4, RS.AN-1, RS.CO-3, Req-11.4, STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense
when an intruder gains access to a system or network. Additionally, a host-based
intrusion prevention tool can provide methods to immediately lock out detected
intrusion attempts.

Identifiers: CCE-80126-6

Install the Host Intrusion Prevention System (HIPS) Module

Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely
necessary. If SELinux is enabled, do not install or enable this module.
Installing and enabling this module conflicts with SELinux.
Per DoD/DISA guidance, SELinux takes precedence over this module.
Due to McAfee HIPS being 3rd party software, automated
remediation is not available for this configuration check.

References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO01.06, APO07.06, APO08.04, APO10.05, APO11.06, APO12.01, APO12.02, APO12.03, APO12.04, APO12.06, APO13.01, APO13.02, BAI08.02, BAI08.04, DSS01.03, DSS01.05, DSS02.04, DSS02.05, DSS02.07, DSS03.01, DSS03.04, DSS03.05, DSS04.05, DSS05.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.01, DSS06.02, MEA03.03, MEA03.04, CCI-000366, CCI-001263, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, 4.3.3.4, 4.3.4.5.2, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.3.4.5.9, 4.4.3.2, 4.4.3.3, 4.4.3.4, SR 2.10, SR 2.11, SR 2.12, SR 2.4, SR 2.8, SR 2.9, SR 3.1, SR 3.3, SR 3.5, SR 3.8, SR 3.9, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.3, A.12.5.1, A.12.6.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.7, A.14.2.8, A.15.2.1, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7, A.18.1.4, A.18.2.2, A.18.2.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, Clause 16.1.2, Clause 7.4, CM-6(a), DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.CM-1, DE.CM-5, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, ID.RA-1, PR.AC-5, PR.DS-5, PR.IP-8, PR.PT-4, RS.AN-1, RS.CO-3, Req-11.4, STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense
when an intruder gains access to a system or network. Additionally, a host-based
intrusion prevention tool can provide methods to immediately lock out detected
intrusion attempts.

Identifiers: CCE-80368-4

Software Integrity Checking

Both the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system.

Verify Integrity with RPM

The RPM package management system includes the ability
to verify the integrity of installed packages by comparing the
installed files with information about the files taken from the
package metadata stored in the RPM database. Although an attacker
could corrupt the RPM database (analogous to attacking the AIDE
database as described above), this check can still reveal
modification of important files. To list which files on the system differ from what is expected by the RPM database:
$ rpm -qVa
See the man page for rpm for a complete explanation of each column.

Verify and Correct File Permissions with RPM

The RPM package management system can check file access permissions
of installed software packages, including many that are important
to system security.
Verify that the file permissions of system files
and commands match vendor values. Check the file permissions
with the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults.
After locating a file with incorrect permissions,
run the following command to determine which package owns it:
$ rpm -qf FILENAME
Next, run the following command to reset its permissions to
the correct values:
$ sudo rpm --setperms PACKAGENAME

References: 1.2.6, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, SV-86473r4_rule

Rationale: Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.

Identifiers: CCE-27209-6
# Declare array to hold set of RPM packages we need to correct permissions for
declare -A SETPERMS_RPM_DICT
# Create a list of files on the system having permissions different from what
# is expected by the RPM database
readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
    # Use an associative array to store packages as its keys, so duplicates collapse automatically.
SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
done
# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
do
rpm --setperms "${RPM_PACKAGE}"
done
- name: Read list of files with incorrect permissions
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
--nocaps --nolinkto --nouser --nogroup
args:
warn: false
register: files_with_incorrect_permissions
failed_when: files_with_incorrect_permissions.rc > 1
changed_when: false
check_mode: false
tags:
- rpm_verify_permissions
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-27209-6
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-010010
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
- name: Create list of packages
command: rpm -qf "{{ item }}"
args:
warn: false
with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'',
''^[.]+[M]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
| list | unique }}'
register: list_of_packages
changed_when: false
check_mode: false
when: (files_with_incorrect_permissions.stdout_lines | length > 0)
tags:
- rpm_verify_permissions
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-27209-6
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-010010
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
- name: Correct file permissions with RPM
command: rpm --setperms '{{ item }}'
args:
warn: false
with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
| unique }}'
when: (files_with_incorrect_permissions.stdout_lines | length > 0)
tags:
- rpm_verify_permissions
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-27209-6
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-010010
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
Verify and Correct Ownership with RPM
The RPM package management system can check the file ownership (user and
group) of installed software packages, including many that are important
to system security. Locate files whose ownership differs from the vendor
values with the following command (positions 6 and 7 of the verify flags
are the user and group checks):
$ sudo rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
After locating a file with incorrect ownership, run the following command
to determine which package owns it:
$ rpm -qf FILENAME
Next, run the following command to reset the user and group ownership of
the package's files to the correct values:
$ sudo rpm --setugids PACKAGENAME
References: 1.2.66.1.36.1.46.1.56.1.66.1.76.1.86.1.96.2.311112131415161835695.10.4.1APO01.06APO11.04BAI03.05BAI10.01BAI10.02BAI10.03BAI10.05DSS05.04DSS05.07DSS06.02MEA02.013.3.83.4.1CCI-001494CCI-0014964.3.3.3.94.3.3.5.84.3.3.7.34.3.4.3.24.3.4.3.34.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.1SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 5.2SR 7.6A.10.1.1A.11.1.4A.11.1.5A.11.2.1A.12.1.2A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.5.1A.12.6.2A.12.7.1A.13.1.1A.13.1.3A.13.2.1A.13.2.3A.13.2.4A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4A.6.1.2A.7.1.1A.7.1.2A.7.3.1A.8.2.2A.8.2.3A.9.1.1A.9.1.2A.9.2.3A.9.4.1A.9.4.4A.9.4.5CM-6(d)CM-6(c)SI-7SI-7(1)SI-7(6)AU-9(3)PR.AC-4PR.DS-5PR.IP-1PR.PT-1Req-11.5SRG-OS-000257-GPOS-00098SRG-OS-000278-GPOS-00108
Ownership of binaries and configuration files that is incorrect
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated.
CCE-80545-7
# Declare an associative array to hold the set of RPM packages whose file ownership needs correcting
declare -A SETUGIDS_RPM_DICT
# Create a list of files on the system whose user (flag position 6) or group (position 7)
# differs from what is expected by the RPM database; digests are skipped to save time
readarray -t FILES_WITH_INCORRECT_OWNERSHIP < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
for FILE_PATH in "${FILES_WITH_INCORRECT_OWNERSHIP[@]}"
do
    RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
    # Use an associative array to store packages as its keys, so duplicates collapse automatically
    SETUGIDS_RPM_DICT["$RPM_PACKAGE"]=1
done
# For each of the RPM packages collected -- reset the user and group ownership of its files
# to the correct values
for RPM_PACKAGE in "${!SETUGIDS_RPM_DICT[@]}"
do
    rpm --setugids "${RPM_PACKAGE}"
done
- name: Read list of files with incorrect ownership
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
--nocaps --nolinkto --nomode
args:
warn: false
register: files_with_incorrect_ownership
failed_when: files_with_incorrect_ownership.rc > 1
changed_when: false
check_mode: false
tags:
- rpm_verify_ownership
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-80545-7
- PCI-DSS-Req-11.5
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- CJIS-5.10.4.1
- name: Create list of packages
command: rpm -qf "{{ item }}"
args:
warn: false
with_items: '{{ files_with_incorrect_ownership.stdout_lines | map(''regex_findall'',
''^[.]+[U|G]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
| list | unique }}'
register: list_of_packages
changed_when: false
check_mode: false
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
tags:
- rpm_verify_ownership
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-80545-7
- PCI-DSS-Req-11.5
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- CJIS-5.10.4.1
- name: Correct file ownership with RPM
command: rpm --quiet --setugids '{{ item }}'
args:
warn: false
with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
| unique }}'
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
tags:
- rpm_verify_ownership
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-80545-7
- PCI-DSS-Req-11.5
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- CJIS-5.10.4.1
Verify File Hashes with RPM
Without cryptographic integrity protections, system
executables and files can be altered by unauthorized users without
detection.
The RPM package management system can check the hashes of
installed software packages, including many that are important to system
security.
To verify that the cryptographic hash of system files and commands match vendor
values, run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
$ sudo rpm -Va | grep '^..5'
A "c" in the file-type column that follows the nine attribute flags (the
second whitespace-separated field of the line) indicates that a file is a
configuration file, which may appropriately be expected to change. If the
file was not expected to change, investigate the cause of the change using
audit logs or other means. The package can then be reinstalled to restore
the file. Note that rpm -V compares files against the local RPM database;
an intruder with root access can alter that database as well as the files
it describes, so treat this as a consistency check rather than an
independent baseline (the AIDE rules below provide the latter).
Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh --replacepkgs PACKAGENAME.rpm
(without --replacepkgs, rpm refuses to reinstall a version that is already installed).
References: 1.2.6112395.10.4.1APO01.06BAI03.05BAI06.01BAI10.01BAI10.02BAI10.03BAI10.05DSS06.023.3.83.4.1CCI-000663164.308(a)(1)(ii)(D)164.312(b)164.312(c)(1)164.312(c)(2)164.312(e)(2)(i)4.3.4.3.24.3.4.3.34.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8SR 7.6A.11.2.4A.12.1.2A.12.2.1A.12.5.1A.12.6.2A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4CM-6(d)CM-6(c)SI-7SI-7(1)SI-7(6)AU-9(3)PR.DS-6PR.DS-8PR.IP-1Req-11.5SRG-OS-000480-GPOS-00227RHEL-07-010020SV-86479r4_rule
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
CCE-27157-7
# Find files whose digest differs from the RPM database, restricted to the binary and
# library trees (files under /etc are mostly configuration and are expected to change),
# and keep only the path, which is the last field of each verify line
files_with_incorrect_hash="$(rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' )"
# Nothing to do when every digest matched: rpm -qf and yum reinstall both fail on an empty argument list
if [ -n "$files_with_incorrect_hash" ]; then
    # Map the file names to their owning packages; rpm -qf prints one package per line,
    # so de-duplicate and join them into a single space-separated argument list
    packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | sort -u | tr '\n' ' ')"
    yum reinstall -y $packages_to_reinstall
fi
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
tags:
- rpm_verify_hashes
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-27157-7
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-010020
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- CJIS-5.10.4.1
- name: 'Set fact: Package manager reinstall command (yum)'
set_fact:
package_manager_reinstall_cmd: yum reinstall -y
when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
tags:
- rpm_verify_hashes
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-27157-7
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-010020
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- CJIS-5.10.4.1
- name: Read files with incorrect hash
command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser
--nogroup --nomode --noconfig --noghost
args:
warn: false
register: files_with_incorrect_hash
changed_when: false
failed_when: files_with_incorrect_hash.rc > 1
check_mode: false
when: (package_manager_reinstall_cmd is defined)
tags:
- rpm_verify_hashes
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-27157-7
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-010020
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- CJIS-5.10.4.1
- name: Create list of packages
command: rpm -qf "{{ item }}"
args:
warn: false
with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'',
''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
| list | unique }}'
register: list_of_packages
changed_when: false
check_mode: false
when:
- files_with_incorrect_hash.stdout_lines is defined
- (files_with_incorrect_hash.stdout_lines | length > 0)
tags:
- rpm_verify_hashes
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-27157-7
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-010020
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- CJIS-5.10.4.1
- name: Reinstall packages of files with incorrect hash
command: '{{ package_manager_reinstall_cmd }} ''{{ item }}'''
args:
warn: false
with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
| unique }}'
when:
- files_with_incorrect_hash.stdout_lines is defined
- (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines
| length > 0))
tags:
- rpm_verify_hashes
- high_severity
- restrict_strategy
- high_complexity
- medium_disruption
- no_reboot_needed
- CCE-27157-7
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-010020
- NIST-800-171-3.3.8
- NIST-800-171-3.4.1
- NIST-800-53-CM-6(d)
- NIST-800-53-CM-6(c)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-SI-7(6)
- NIST-800-53-AU-9(3)
- CJIS-5.10.4.1
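The three RPM rules above all start from the same `rpm -Va` listing and differ only in which column they select (mode, user/group, digest) and whether configuration files are filtered out. The following is an added example, not part of the scap-security-guide content or its remediations: a portable POSIX sh parser for that fixed-column output, run here over constructed sample lines so it works without rpm or an RPM database. The sample paths, the record format and the function names are the author's own.

```sh
#!/bin/sh
# Added example for the three RPM verification rules above; it is not part of
# the scap-security-guide content or its remediations. It parses the
# fixed-column output of `rpm -Va` in portable POSIX sh and reproduces the
# selections the guide makes with awk and grep (mode, user/group, digest),
# including the config-file filter. It runs on constructed sample lines, so
# neither rpm nor an RPM database is needed.
#
# Layout of a verify line: nine one-character attribute flags, blanks, an
# optional file-type marker (c config, d doc, g ghost, l license, r readme)
# and the path. Flag positions:
#   1 S size   2 M mode   3 5 digest  4 D device  5 L link target
#   6 U user   7 G group  8 T mtime   9 P capabilities
# '.' means the attribute matched and '?' that it could not be tested. A file
# that no longer exists is reported as "missing" in place of the flags.

# Constructed sample output (not findings from a real system):
SAMPLE_RPM_VA='.M.......    /usr/bin/passwd
SM5....T.  c /etc/ssh/sshd_config
.....UG..    /usr/sbin/tcpdump
..5......    /usr/lib64/libcrypto.so.10
missing   c /etc/sysconfig/foo
.......T.    /usr/share/man/man1/ls.1.gz'

# Read verify lines on stdin and print one record per line:
#   <path>|<kind>|<changed attributes, comma separated>
# kind is "config" for 'c' files, "absent" for missing files, else "file".
rpm_va_parse() {
    while IFS= read -r line; do
        case $line in
            '')       continue ;;
            missing*) flags=missing
                      rest=${line#missing} ;;
            *)        flags=$(printf '%s' "$line" | cut -c1-9)
                      rest=$(printf '%s' "$line" | cut -c10-) ;;
        esac
        rest=${rest#"${rest%%[! ]*}"}            # strip leading blanks
        case $rest in
            [cdglr]' '*/*) marker=${rest%% *}; path=${rest#* } ;;
            *)             marker=;             path=$rest ;;
        esac
        kind=file
        if [ "$marker" = c ]; then kind=config; fi
        attrs=
        if [ "$flags" = missing ]; then
            kind=absent; attrs=missing
        else
            case $flags in S*)        attrs="${attrs}size,"   ;; esac
            case $flags in ?M*)       attrs="${attrs}mode,"   ;; esac
            case $flags in ??5*)      attrs="${attrs}digest," ;; esac
            case $flags in ???D*)     attrs="${attrs}device," ;; esac
            case $flags in ????L*)    attrs="${attrs}link,"   ;; esac
            case $flags in ?????U*)   attrs="${attrs}user,"   ;; esac
            case $flags in ??????G*)  attrs="${attrs}group,"  ;; esac
            case $flags in ???????T*) attrs="${attrs}mtime,"  ;; esac
            case $flags in ????????P) attrs="${attrs}caps,"   ;; esac
            attrs=${attrs%,}
        fi
        printf '%s|%s|%s\n' "$path" "$kind" "$attrs"
    done
}

# Print the paths whose record carries any of the named attributes:
#   rpm_va_paths_with mode              (the substr($0,2,1)=="M" check)
#   rpm_va_paths_with user group        (the substr 6/7 U|G ownership check)
#   rpm_va_paths_with noconfig digest   (the '^..5' hash check minus config files)
# A leading "noconfig" skips config files, which are expected to drift and
# should be reviewed rather than reinstalled blindly.
rpm_va_paths_with() {
    skip_config=0
    if [ "$1" = noconfig ]; then skip_config=1; shift; fi
    rpm_va_parse | while IFS='|' read -r path kind attrs; do
        if [ "$skip_config" -eq 1 ] && [ "$kind" = config ]; then continue; fi
        hit=0
        for want; do
            case ",$attrs," in *",$want,"*) hit=1 ;; esac
        done
        if [ "$hit" -eq 1 ]; then printf '%s\n' "$path"; fi
    done
}

# Stand-alone demo over the constructed sample:
for check in "mode" "user group" "noconfig digest" "missing"; do
    printf '%-16s %s\n' "$check:" \
        "$(printf '%s\n' "$SAMPLE_RPM_VA" | rpm_va_paths_with $check | tr '\n' ' ')"
done
```

On a real host, replace the sample with `sudo rpm -Va | rpm_va_paths_with ...`; the `sshd_config` line shows why the digest rule filters on the config marker: a changed size, mode, digest and mtime on a configuration file is usually an administrator's edit, whereas the same flags on a shared library are not.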
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update. AIDE is highly configurable, with further configuration
information located in /usr/share/doc/aide-VERSION.
Install AIDE
The aide package can be installed with the following command:
$ sudo yum install aide
References: NT28(R51)1.3.111112131415162357895.10.1.3APO01.06BAI01.06BAI02.01BAI03.05BAI06.01BAI10.01BAI10.02BAI10.03BAI10.05DSS01.03DSS03.05DSS04.07DSS05.02DSS05.03DSS05.05DSS05.07DSS06.02DSS06.064.3.4.3.24.3.4.3.34.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8SR 4.1SR 6.2SR 7.6A.11.2.4A.12.1.2A.12.2.1A.12.4.1A.12.5.1A.12.6.2A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4A.14.2.7A.15.2.1A.8.2.3CM-6(a)DE.CM-1DE.CM-7PR.DS-1PR.DS-6PR.DS-8PR.IP-1PR.IP-3Req-11.5SRG-OS-000363-GPOS-00150
The AIDE package must be installed if it is to be available for integrity checking.
CCE-27096-7
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
fi
- name: Ensure aide is installed
package:
name: aide
state: present
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- package_aide_installed
- medium_severity
- enable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27096-7
- PCI-DSS-Req-11.5
- NIST-800-53-CM-6(a)
- CJIS-5.10.1.3
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
package --add=aide
Configure AIDE to Verify Extended Attributes
By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
References: NT28(R51)23APO01.06BAI03.05BAI06.01DSS06.02CCI-0003664.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8A.11.2.4A.12.2.1A.12.5.1A.14.1.2A.14.1.3A.14.2.4SI-7SI-7(1)CM-6(a)PR.DS-6PR.DS-8SRG-OS-000480-GPOS-00227RHEL-07-021610SV-86695r3_rule
Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications. Among the attributes stored this way is security.capability,
which carries the file capabilities an executable runs with, so a change to it is as
significant as a change to the file mode.
CCE-80376-7
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
fi
aide_conf="/etc/aide.conf"
groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
for group in $groups
do
config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
if ! [[ $config = *xattrs* ]]
then
if [[ -z $config ]]
then
config="xattrs"
else
config=$config"+xattrs"
fi
fi
sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done
Configure AIDE to Verify Access Control Lists (ACLs)
By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
References: NT28(R51)23APO01.06BAI03.05BAI06.01DSS06.02CCI-0003664.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8A.11.2.4A.12.2.1A.12.5.1A.14.1.2A.14.1.3A.14.2.4SI-7SI-7(1)CM-6(a)PR.DS-6PR.DS-8SRG-OS-000480-GPOS-00227RHEL-07-021600SV-86693r3_rule
ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools.
CCE-80375-9
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
fi
aide_conf="/etc/aide.conf"
groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
for group in $groups
do
config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
if ! [[ $config = *acl* ]]
then
if [[ -z $config ]]
then
config="acl"
else
config=$config"+acl"
fi
fi
sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done
Configure AIDE to Use FIPS 140-2 for Validating Hashes
By default, the sha512 option is added to the NORMAL ruleset in AIDE.
If using a custom ruleset or the sha512 option is missing, add sha512
to the appropriate ruleset.
For example, add sha512 to the following line in /etc/aide.conf:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default. Note that the remediation below also strips sha256 from every group,
although SHA-256 is itself a FIPS-approved hash (FIPS 180-4); the intent is that all groups
converge on sha512, the algorithm this rule requires, not that sha256 is unsafe.
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process.
References: 23APO01.06BAI03.05BAI06.01DSS06.023.13.11CCI-0003664.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8A.11.2.4A.12.2.1A.12.5.1A.14.1.2A.14.1.3A.14.2.4SI-7SI-7(1)CM-6(a)PR.DS-6PR.DS-8SRG-OS-000480-GPOS-00227RHEL-07-021620SV-86697r3_rule
File integrity tools use cryptographic hashes for verifying file contents and directories
have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
CCE-80377-5
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
fi
aide_conf="/etc/aide.conf"
forbidden_hashes=(sha1 rmd160 sha256 whirlpool tiger haval gost crc32)
# Group definitions may be written "NAME = value" or "NAME=value"; split on '=' (as the
# acl and xattrs remediations do) so both forms are found
groups=$(LC_ALL=C grep "^[A-Z]\+" $aide_conf | cut -f1 -d '=' | tr -d ' ' | sort -u)
for group in $groups
do
config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
if ! [[ $config = *sha512* ]]
then
config=$config"+sha512"
fi
for hash in ${forbidden_hashes[@]}
do
config=$(echo $config | sed "s/$hash//")
done
config=$(echo $config | sed "s/^\+*//")
config=$(echo $config | sed "s/\+\++/+/")
config=$(echo $config | sed "s/\+$//")
sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done
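The three remediations above each walk the group definitions in /etc/aide.conf and edit one attribute; applied together they must agree on how a group line is parsed and rewritten. The following is an added example, not the scap-security-guide remediation: one POSIX sh pass that normalises every group for all three rules (acl and xattrs added, non-FIPS hashes removed, sha512 present) on a constructed copy of the file in a temporary directory. The sample file contents and the function names are the author's own.

```sh
#!/bin/sh
# Added example for the three aide.conf rules above (acl, xattrs, FIPS hashes);
# it is not the scap-security-guide remediation. It normalises the attribute
# group definitions of an aide.conf so that every group carries acl and
# xattrs, keeps sha512 and loses the hash algorithms the FIPS rule removes.
# It runs on a constructed copy of the file in a temporary directory, so it
# is safe to execute anywhere; the function names are the author's own.
export LC_ALL=C

# Constructed aide.conf fragment (not a real system's file). NORMAL has no
# blanks around '=', LSPP lists hashes the FIPS rule forbids, and the rule
# lines at the bottom must be left untouched.
make_sample_aide_conf() {
    cat >"$1" <<'EOF'
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL=FIPSR+sha512
LSPP = FIPSR+sha1+rmd160+tiger
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
DIR = p+i+n+u+g+acl+selinux+xattrs
/boot   NORMAL
/etc    LSPP
/var/log/audit DIR
EOF
}

# Rewrite one group's right-hand side: drop empty tokens and the forbidden
# hashes, de-duplicate, add acl and xattrs (except to ALLXTRAHASHES, the pure
# hash-list macro the guide's remediations skip), then make sure sha512 is
# present. Prints the new value.
normalize_group_value() {
    name=$1
    rhs=$(printf '%s' "$2" | tr -d ' \t')
    out=
    old_ifs=$IFS; IFS='+'; set -- $rhs; IFS=$old_ifs
    for tok; do
        case $tok in
            ''|sha1|rmd160|sha256|whirlpool|tiger|haval|gost|crc32) continue ;;
        esac
        case "+$out+" in *"+$tok+"*) ;; *) out="${out:+$out+}$tok" ;; esac
    done
    if [ "$name" != ALLXTRAHASHES ]; then
        for need in acl xattrs; do
            case "+$out+" in *"+$need+"*) ;; *) out="${out:+$out+}$need" ;; esac
        done
    fi
    case "+$out+" in *"+sha512+"*) ;; *) out="${out:+$out+}sha512" ;; esac
    printf '%s\n' "$out"
}

# Rewrite every "GROUP = value" line of the file in place; @@ macros, the
# database settings and the "/path GROUP" rule lines pass through unchanged.
aide_normalize_conf() {
    conf=$1
    tmp=$conf.tmp
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            [A-Z]*=*)
                name=${line%%=*}
                name=${name%"${name##*[! ]}"}      # trim trailing blanks
                printf '%s = %s\n' "$name" "$(normalize_group_value "$name" "${line#*=}")"
                ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done <"$conf" >"$tmp" && mv "$tmp" "$conf"
}

# Print the attribute list of one group, for checks and the demo below.
aide_group() {
    sed -n "s/^$2 *= *//p" "$1"
}

# Stand-alone demo: normalise the sample and show the result.
demo_dir=$(mktemp -d)
make_sample_aide_conf "$demo_dir/aide.conf"
aide_normalize_conf "$demo_dir/aide.conf"
cat "$demo_dir/aide.conf"
rm -rf "$demo_dir"
```

Like the guide's remediations, this works on the literal tokens of each line and does not expand group references, so NORMAL (defined as FIPSR+sha512) still gets acl and xattrs appended; AIDE treats a group as a set of attributes, so the repetition is harmless. The pass is idempotent, which matters when the three rules are applied repeatedly by a configuration-management run.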
Configure Notification of Post-AIDE Scan Details
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab, append the
following to the end of the existing AIDE entry:
| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
Delivery depends on a working local MTA and on someone reading root's mail; in practice,
forward root's mail through /etc/aliases to a monitored mailbox.
References: NT28(R51)11112131516235789BAI01.06BAI06.01BAI10.01BAI10.02BAI10.03BAI10.05DSS01.03DSS03.05DSS05.02DSS05.05DSS05.07CCI-0017444.3.4.3.24.3.4.3.3SR 6.2SR 7.6A.12.1.2A.12.4.1A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.14.2.7A.15.2.1CM-6(a)CM-3(5)DE.CM-1DE.CM-7PR.IP-1PR.IP-3SRG-OS-000363-GPOS-00150RHEL-07-020040SV-86599r2_rule
Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item.
CCE-80374-2
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
fi
CRONTAB=/etc/crontab
CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
if [ -f /var/spool/cron/root ]; then
VARSPOOL=/var/spool/cron/root
fi
if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
    # Same 04:05 schedule as the "Configure Periodic Execution of AIDE" rule, so both rules converge on one entry
    echo '05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
fi
Configure Periodic Execution of AIDE
At a minimum, AIDE should be configured to run a weekly scan.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
The usage of cron's special time codes, such as @daily and
@weekly, is acceptable.
References: NT28(R51)1.3.211112131415162357895.10.1.3APO01.06BAI01.06BAI02.01BAI03.05BAI06.01BAI10.01BAI10.02BAI10.03BAI10.05DSS01.03DSS03.05DSS04.07DSS05.02DSS05.03DSS05.05DSS05.07DSS06.02DSS06.06CCI-0017444.3.4.3.24.3.4.3.34.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8SR 4.1SR 6.2SR 7.6A.11.2.4A.12.1.2A.12.2.1A.12.4.1A.12.5.1A.12.6.2A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4A.14.2.7A.15.2.1A.8.2.3SI-7SI-7(1)CM-6(a)DE.CM-1DE.CM-7PR.DS-1PR.DS-6PR.DS-8PR.IP-1PR.IP-3Req-11.5SRG-OS-000363-GPOS-00150RHEL-07-020030SV-86597r2_rule
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
Detecting such changes and providing an automated response can help avoid unintended,
negative consequences that could ultimately affect the security state of the operating
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item.
CCE-26952-2
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
fi
if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
else
    # Normalise the schedule of the existing entry but keep everything from the user
    # field onward, so a "| /bin/mail ..." pipe added by the notification rule survives
    sed -i 's|^.*\(root /usr/sbin/aide --check.*\)$|05 4 * * * \1|' /etc/crontab
fi
- name: Ensure AIDE is installed
package:
name: '{{ item }}'
state: present
with_items:
- aide
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- aide_periodic_cron_checking
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-26952-2
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-020030
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-CM-6(a)
- CJIS-5.10.1.3
- name: Configure Periodic Execution of AIDE
cron:
name: run AIDE check
minute: 5
hour: 4
weekday: 0
user: root
job: /usr/sbin/aide --check
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- aide_periodic_cron_checking
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-26952-2
- PCI-DSS-Req-11.5
- DISA-STIG-RHEL-07-020030
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- NIST-800-53-CM-6(a)
- CJIS-5.10.1.3
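The two cron rules above state the requirement in words (an `aide --check` entry that runs at least weekly, ideally piped to mail) but the bash remediations only grep for the command string. The following is an added example, not part of the guide: a POSIX sh check that reads crontab text, finds the AIDE entries, works out how often each one runs (five-field schedules and @-keywords alike) and reports whether it notifies by mail. It runs on constructed crontab lines, so it needs neither cron nor AIDE; the function names are the author's own.

```sh
#!/bin/sh
# Added example for the two AIDE cron rules above; it is not part of the
# guide. It checks, over crontab text supplied on stdin, that an
# `/usr/sbin/aide --check` job exists, that it runs at least weekly (the
# minimum the rule states), and whether it pipes its report to mail as the
# notification rule wants. It runs on constructed crontab lines, so it needs
# neither cron nor AIDE; the function names are the author's own.

# Constructed crontab entries (not taken from a real host):
CRON_DAILY_MAIL='05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'
CRON_WEEKLY='05 4 * * 0 root /usr/sbin/aide --check'
CRON_MONTHLY='0 3 1 * * root /usr/sbin/aide --check'
CRON_SPECIAL='@weekly root /usr/sbin/aide --check'
CRON_OTHER='0 1 * * * root /usr/bin/logrotate /etc/logrotate.conf'

# Classify a schedule (an @special keyword or the five cron time fields) as
# "daily" (daily or more often), "weekly" or "rarer". A month restriction
# makes a job rarer than weekly; a day-of-week restriction makes it weekly
# (cron ORs day-of-week with day-of-month, so that still holds when both are
# set); a day-of-month restriction alone makes it monthly or rarer.
cron_frequency() {
    case $1 in
        @hourly|@daily|@midnight)           echo daily;  return ;;
        @weekly)                            echo weekly; return ;;
        @monthly|@yearly|@annually|@reboot) echo rarer;  return ;;
    esac
    set -f; set -- $1; set +f                  # split fields without globbing '*'
    if [ $# -lt 5 ]; then echo invalid; return; fi
    if   [ "$4" != '*' ]; then echo rarer
    elif [ "$5" != '*' ]; then echo weekly
    elif [ "$3" != '*' ]; then echo rarer
    else                       echo daily
    fi
}

# For every active aide --check entry on stdin print "<frequency> <mail|nomail>".
# Comment lines are skipped; other jobs are ignored.
aide_cron_entries() {
    while IFS= read -r line; do
        case $line in
            \#*|'')                          continue ;;
            *'/usr/sbin/aide'*'--check'*)    ;;
            *)                               continue ;;
        esac
        case $line in
            @*) sched=${line%% *} ;;
            *)  set -f; set -- $line; set +f
                sched="$1 $2 $3 $4 $5" ;;
        esac
        case $line in
            *'|'*mail*) mail=mail ;;
            *)          mail=nomail ;;
        esac
        printf '%s %s\n' "$(cron_frequency "$sched")" "$mail"
    done
}

# Reduce the entries of the crontab text in $1 to a verdict: the best
# schedule found, with mail preferred at equal frequency. Prints
# "daily mail", "weekly nomail", ... or "none" when nothing runs at least weekly.
aide_cron_status() {
    printf '%s\n' "$1" | aide_cron_entries | {
        best=none; best_rank=0
        while read -r freq mail; do
            rank=0
            case $freq in daily) rank=3 ;; weekly) rank=1 ;; esac
            if [ "$rank" -gt 0 ] && [ "$mail" = mail ]; then rank=$((rank + 1)); fi
            if [ "$rank" -gt "$best_rank" ]; then best_rank=$rank; best="$freq $mail"; fi
        done
        printf '%s\n' "$best"
    }
}

# Stand-alone demo; on a real host feed it the whole cron configuration, e.g.
#   aide_cron_status "$(cat /etc/crontab /etc/cron.d/* 2>/dev/null)"
for entry in "$CRON_DAILY_MAIL" "$CRON_WEEKLY" "$CRON_MONTHLY" "$CRON_SPECIAL" "$CRON_OTHER"; do
    printf '%-14s <- %s\n' "$(aide_cron_status "$entry")" "$entry"
done
```

The monthly entry is the case a plain `grep "/usr/sbin/aide --check"` would accept but the rule does not: it is an AIDE job, yet it runs less often than the weekly minimum, so the verdict is "none".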
Build and Test AIDE Database
Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
References: NT28(R51)11112131415162357895.10.1.3APO01.06BAI01.06BAI02.01BAI03.05BAI06.01BAI10.01BAI10.02BAI10.03BAI10.05DSS01.03DSS03.05DSS04.07DSS05.02DSS05.03DSS05.05DSS05.07DSS06.02DSS06.064.3.4.3.24.3.4.3.34.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8SR 4.1SR 6.2SR 7.6A.11.2.4A.12.1.2A.12.2.1A.12.4.1A.12.5.1A.12.6.2A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4A.14.2.7A.15.2.1A.8.2.3CM-6(a)DE.CM-1DE.CM-7PR.DS-1PR.DS-6PR.DS-8PR.IP-1PR.IP-3Req-11.5
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
CCE-27220-3
if ! rpm -q --quiet "aide" ; then
yum install -y "aide"
fi
/usr/sbin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- name: Ensure AIDE is installed
package:
name: '{{ item }}'
state: present
with_items:
- aide
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- aide_build_database
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27220-3
- PCI-DSS-Req-11.5
- NIST-800-53-CM-6(a)
- CJIS-5.10.1.3
- name: Build and Test AIDE Database
command: /usr/sbin/aide --init
changed_when: true
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- aide_build_database
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27220-3
- PCI-DSS-Req-11.5
- NIST-800-53-CM-6(a)
- CJIS-5.10.1.3
- name: Check whether the stock AIDE Database exists
stat:
path: /var/lib/aide/aide.db.new.gz
register: aide_database_stat
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- aide_build_database
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27220-3
- PCI-DSS-Req-11.5
- NIST-800-53-CM-6(a)
- CJIS-5.10.1.3
- name: Stage AIDE Database
copy:
src: /var/lib/aide/aide.db.new.gz
dest: /var/lib/aide/aide.db.gz
backup: true
remote_src: true
when:
- (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- aide_build_database
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27220-3
- PCI-DSS-Req-11.5
- NIST-800-53-CM-6(a)
- CJIS-5.10.1.3
SAP Specific Requirement
SAP (Systems, Applications and Products in Data Processing) is enterprise
software to manage business operations and customer relations. The
following section contains an SAP-specific requirement that is not part
of the standard or common OS settings.
Accounts Authorized Local Users on the Operating System
List the user accounts that are authorized locally on the operating system. This list
includes both users required by the operating system and by the installed applications.
Depending on the operating system distribution, version, software groups and applications,
the user list is different and can be customized with scap-workbench.
An OVAL regular expression is used for the user list.
The list starts with '^' and ends with '$' so that it matches exactly the
username, not any string that includes the username. Users are separated with '|'.
For example, if three users bin, oracle and sapadm are allowed, then the list is
^(bin|oracle|sapadm)$. The user root is the only user that is hard coded
in OVAL and is always allowed on the operating system.
Default value of the authorized-user expression:
^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$
SAP-specific value, which additionally allows the SAP instance administrators (<sid>adm)
and Oracle database owners (ora<sid>), where <sid> is a three-character SAP system ID,
plus the sapadm and oracle accounts:
^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$
Updating Software
The yum command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the System menu, in the Administration submenu,
called Software Update.
Red Hat Enterprise Linux 7 systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Consistently using
yum or the graphical Software Update for all software installation
allows for insight into the current inventory of installed software on the system.
Ensure gpgcheck Enabled for All yum Package Repositories
To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
A repository section that has no gpgcheck line at all inherits the gpgcheck
value from the [main] section of /etc/yum.conf, so also confirm that
/etc/yum.conf sets gpgcheck=1.
References: NT28(R15)112395.10.4.1APO01.06BAI03.05BAI06.01BAI10.01BAI10.02BAI10.03BAI10.05DSS06.023.4.8CCI-001749164.308(a)(1)(ii)(D)164.312(b)164.312(c)(1)164.312(c)(2)164.312(e)(2)(i)4.3.4.3.24.3.4.3.34.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8SR 7.6A.11.2.4A.12.1.2A.12.2.1A.12.5.1A.12.6.2A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4CM-5(3)SI-7SC-12SC-12(3)CM-6(a)SA-12SA-12(10)CM-11(a)CM-11(b)PR.DS-6PR.DS-8PR.IP-1FAU_GEN.1.1.cReq-6.2SRG-OS-000366-GPOS-00153SRG-OS-000366-VMM-001430SRG-OS-000370-VMM-001460SRG-OS-000404-VMM-001650
Verifying the authenticity of the software prior to installation validates
the integrity of the patch or upgrade received from a vendor. This ensures
the software has not been tampered with and that it has been provided by a
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA).
CCE-26876-3
sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*
- name: Grep for yum repo section names
shell: grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
register: repo_grep_results
ignore_errors: true
changed_when: false
tags:
- ensure_gpgcheck_never_disabled
- high_severity
- enable_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-26876-3
- PCI-DSS-Req-6.2
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- CJIS-5.10.4.1
- name: Set gpgcheck=1 for each yum repo
ini_file:
path: '{{ item[0] }}'
section: '{{ item[1] }}'
option: gpgcheck
value: '1'
no_extra_spaces: true
loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' )
}}'
tags:
- ensure_gpgcheck_never_disabled
- high_severity
- enable_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-26876-3
- PCI-DSS-Req-6.2
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- CJIS-5.10.4.1
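The sed remediation above rewrites gpgcheck lines that exist, and the Ansible tasks set gpgcheck=1 in every section they find; neither reports what a section's effective value was before. The following is an added example, not the guide's remediation: a POSIX sh audit-and-fix for a .repo file that reports each section's effective gpgcheck (explicit, or inherited from [main]) and then rewrites the file so every section states gpgcheck=1. It runs on a constructed file in a temporary directory; the repository names, URLs and function names are the author's own.

```sh
#!/bin/sh
# Added example for the gpgcheck rule above; it is not the guide's
# remediation. It audits and fixes gpgcheck in a yum .repo file in portable
# POSIX sh, covering the case the sed one-liner cannot: a repository section
# with no gpgcheck line at all, which silently inherits the [main] value
# from /etc/yum.conf. It runs on a constructed file in a temporary
# directory; file contents and function names are the author's own.

# Constructed .repo content (not a real repository definition): one section
# is correct, one is explicitly disabled, one has no gpgcheck line.
make_sample_repo() {
    cat >"$1" <<'EOF'
[base]
name=Base
baseurl=https://repo.example.internal/base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[tools]
name=Tools
baseurl=https://repo.example.internal/tools
gpgcheck = 0

[extras]
name=Extras
baseurl=https://repo.example.internal/extras
enabled=1
EOF
}

# Emit the record for the section just finished (helper for the audit).
repo_report_section() {
    [ -n "$section" ] || return 0
    if [ -n "$value" ]; then
        printf '%s %s explicit\n' "$section" "$value"
    else
        printf '%s %s inherited\n' "$section" "$main_default"
    fi
}

# Print "<section> <effective gpgcheck> <explicit|inherited>" for every
# section of $1; $2 is the [main] gpgcheck value from /etc/yum.conf
# (yum's own default is 0 when it is not set there either).
repo_gpgcheck_audit() {
    main_default=${2:-0}
    section=; value=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \[*\])       repo_report_section
                         section=${line#[}; section=${section%]}; value= ;;
            gpgcheck*=*) value=$(printf '%s' "${line#*=}" | tr -d ' \t') ;;
        esac
    done <"$1"
    repo_report_section
}

# Rewrite $1 so every section states gpgcheck=1: existing gpgcheck lines
# are normalised and a gpgcheck=1 line is inserted under the header of each
# section that had none. Prints the names of the sections it changed.
repo_gpgcheck_enforce() {
    conf=$1
    tmp=$conf.tmp
    missing=$(repo_gpgcheck_audit "$conf" 0 | while read -r s v how; do
        if [ "$how" = inherited ]; then printf '%s\n' "$s"; fi
    done)
    changed=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \[*\])
                section=${line#[}; section=${section%]}
                printf '%s\n' "$line"
                if printf '%s\n' "$missing" | grep -qxF -- "$section"; then
                    printf 'gpgcheck=1\n'; changed="$changed $section"
                fi ;;
            gpgcheck*=*)
                if [ "$(printf '%s' "${line#*=}" | tr -d ' \t')" != 1 ]; then
                    printf 'gpgcheck=1\n'; changed="$changed $section"
                else
                    printf '%s\n' "$line"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done <"$conf" >"$tmp" && mv "$tmp" "$conf"
    printf '%s\n' "${changed# }"
}

# Stand-alone demo on the constructed file.
demo_dir=$(mktemp -d)
make_sample_repo "$demo_dir/demo.repo"
echo "before:"; repo_gpgcheck_audit "$demo_dir/demo.repo" 0
echo "changed: $(repo_gpgcheck_enforce "$demo_dir/demo.repo")"
echo "after:";  repo_gpgcheck_audit "$demo_dir/demo.repo" 0
rm -rf "$demo_dir"
```

Run the audit with the real [main] value (`grep '^gpgcheck' /etc/yum.conf`) to see what each repository is actually doing today; the "inherited" rows are the ones a grep for gpgcheck=0 never shows.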
Ensure Software Patches Installed
If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded from the Red Hat Network and installed using rpm.
To list pending updates without installing them, run yum check-update; it exits
with status 100 when updates are available and 0 when the system is current.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates.
NT28(R08)1.8182045.10.4.1APO12.01APO12.02APO12.03APO12.04BAI03.10DSS05.01DSS05.02CCI-0003664.2.34.2.3.124.2.3.74.2.3.9A.12.6.1A.14.2.3A.16.1.3A.18.2.2A.18.2.3SI-2(5)SI-2(c)CM-6(a)ID.RA-1PR.IP-12FMT_MOF_EXT.1Req-6.2SRG-OS-000480-GPOS-00227RHEL-07-020260SV-86623r4_ruleSRG-OS-000480-VMM-002000
Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise.
CCE-26895-3
yum -y update
- name: Security patches are up to date
package:
name: '*'
state: latest
tags:
- security_patches_up_to_date
- high_severity
- skip_ansible_lint
- patch_strategy
- low_complexity
- high_disruption
- reboot_required
- CCE-26895-3
- PCI-DSS-Req-6.2
- DISA-STIG-RHEL-07-020260
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify base software packages
come from Red Hat (and to connect to the Red Hat Network to receive them),
the Red Hat GPG key must properly be installed. To install the Red Hat GPG
key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then
install the Red Hat GPG key from trusted media such as the Red Hat
installation CD-ROM or DVD. Assuming the disc is mounted in
/media/cdrom, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In
such cases, the key can be installed by running the following command:
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Before importing, compare the key's fingerprint with the one published at
https://access.redhat.com/security/team/key; a key file on disk is only as
trustworthy as the path by which it arrived. To see which keys are already in
the RPM database, run rpm -q gpg-pubkey --qf '%{version}-%{release} %{summary}\n';
Red Hat release key 2 appears there with the version fd431d51.
NT28(R15)1.2.3112395.10.4.1APO01.06BAI03.05BAI06.01BAI10.01BAI10.02BAI10.03BAI10.05DSS06.023.4.8CCI-001749164.308(a)(1)(ii)(D)164.312(b)164.312(c)(1)164.312(c)(2)164.312(e)(2)(i)4.3.4.3.24.3.4.3.34.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8SR 7.6A.11.2.4A.12.1.2A.12.2.1A.12.5.1A.12.6.2A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4CM-5(3)SI-7SC-12SC-12(3)CM-6(a)PR.DS-6PR.DS-8PR.IP-1FAU_GEN.1.1.cReq-6.2SRG-OS-000366-GPOS-00153SRG-OS-000366-VMM-001430SRG-OS-000370-VMM-001460SRG-OS-000404-VMM-001650
Changes to software components can have significant effects on the overall
security of the operating system. This requirement ensures the software has
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat.
CCE-26957-1
# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
# Location of the key we would like to import (once its integrity is verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")
# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
    # If they are safe, try to obtain fingerprints from the key file
    # (to ensure there won't be e.g. CRC error). gpg runs on its own here so
    # that GPG_RESULT is gpg's exit status rather than readarray's.
    GPG_RAW=$(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY")
    GPG_RESULT=$?
    # No CRC error, safe to proceed
    if [ "${GPG_RESULT}" -eq "0" ]
    then
        readarray -t GPG_OUT < <(printf '%s\n' "$GPG_RAW" | grep "^fpr" | cut -d ":" -f 10)
        # Import only if every fingerprint in the file is one of the two known Red Hat
        # keys. An empty list prints a single empty line, which fails the match, so a
        # file without keys is never imported.
        printf '%s\n' "${GPG_OUT[@]}" | grep -vE "^(${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT})$" || {
            rpm --import "${REDHAT_RELEASE_KEY}"
        }
    fi
fi
- name: Read permission of GPG key directory
stat:
path: /etc/pki/rpm-gpg/
register: gpg_key_directory_permission
check_mode: false
tags:
- ensure_redhat_gpgkey_installed
- high_severity
- restrict_strategy
- medium_complexity
- medium_disruption
- no_reboot_needed
- CCE-26957-1
- PCI-DSS-Req-6.2
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
- name: Read signatures in GPG key
command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
args:
warn: false
changed_when: false
register: gpg_fingerprints
check_mode: false
tags:
- ensure_redhat_gpgkey_installed
- high_severity
- restrict_strategy
- medium_complexity
- medium_disruption
- no_reboot_needed
- CCE-26957-1
- PCI-DSS-Req-6.2
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
- name: Set Fact - Installed GPG Fingerprints
set_fact:
gpg_installed_fingerprints: |-
{{ gpg_fingerprints.stdout | regex_findall('^pub.*
(?:^fpr[:]*)([0-9A-Fa-f]*)', '\1') | list }}
tags:
- ensure_redhat_gpgkey_installed
- high_severity
- restrict_strategy
- medium_complexity
- medium_disruption
- no_reboot_needed
- CCE-26957-1
- PCI-DSS-Req-6.2
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
- name: Set Fact - Valid fingerprints
set_fact:
gpg_valid_fingerprints: ["567E347AD0044ADE55BA8A5F199E2F91FD431D51", "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"]
tags:
- ensure_redhat_gpgkey_installed
- high_severity
- restrict_strategy
- medium_complexity
- medium_disruption
- no_reboot_needed
- CCE-26957-1
- PCI-DSS-Req-6.2
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
- name: Import RedHat GPG key
rpm_key:
state: present
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
when:
- gpg_key_directory_permission.stat.mode <= '0755'
- (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
0
- gpg_installed_fingerprints | length > 0
- ansible_distribution == "RedHat"
tags:
- ensure_redhat_gpgkey_installed
- high_severity
- restrict_strategy
- medium_complexity
- medium_disruption
- no_reboot_needed
- CCE-26957-1
- PCI-DSS-Req-6.2
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- CJIS-5.10.4.1
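The allow-listing that the shell and Ansible remediations above perform, as an added example in Python (not part of this guide or of scap-security-guide): it parses `gpg --with-fingerprint --with-colons` output, where an fpr record carries the fingerprint in field 10, takes only the fingerprint that follows a pub record, and refuses a key file that is empty or holds any fingerprint other than the two Red Hat keys. The colon-format samples are constructed; the fingerprint and key ID of release key 2 are real, every other field value is illustrative. The live check in main() assumes gpg and rpm are on the path.

```python
import os
import re
import stat
import subprocess

# The two Red Hat key fingerprints the rule quotes
# (https://access.redhat.com/security/team/key).
REDHAT_FINGERPRINTS = frozenset({
    "567E347AD0044ADE55BA8A5F199E2F91FD431D51",  # Red Hat release key 2
    "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0",  # Red Hat auxiliary key
})
_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def primary_fingerprints(colon_output):
    """Primary-key fingerprints from `gpg --with-fingerprint --with-colons` output.

    An 'fpr' record carries the fingerprint in field 10. Only the 'fpr' that
    directly follows a 'pub' record is taken, so subkey fingerprints (which
    follow 'sub' records) are ignored, as in the Ansible regex above.
    """
    found, previous = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and previous == "pub":
            if len(fields) < 10 or not _HEX40.match(fields[9].upper()):
                raise ValueError("malformed fpr record: %r" % line)
            found.append(fields[9].upper())
        previous = fields[0]
    return found


def key_file_is_trusted(colon_output, allowed=REDHAT_FINGERPRINTS):
    """True only if the file holds at least one key and every key is allow-listed.

    An empty file is rejected as well: importing it would be a no-op at best
    and a sign of corruption at worst.
    """
    fprs = primary_fingerprints(colon_output)
    return bool(fprs) and all(f in allowed for f in fprs)


def key_dir_mode_is_safe(mode):
    """The rule's '<= 0755' test, stated as 'only the owner may write'."""
    return not (stat.S_IMODE(mode) & (stat.S_IWGRP | stat.S_IWOTH))


def import_decision(dir_mode, colon_output, gpg_exit_status):
    """(should_import, reason), applying the same gates as the shell remediation."""
    if not key_dir_mode_is_safe(dir_mode):
        return False, "key directory is group- or world-writable"
    if gpg_exit_status != 0:
        return False, "gpg could not parse the key file (exit %d)" % gpg_exit_status
    if not key_file_is_trusted(colon_output):
        return False, "key file contains a fingerprint that is not a known Red Hat key"
    return True, "all fingerprints match known Red Hat keys"


# Constructed sample in gpg's colon format: the fingerprint and key ID are the
# real release key 2; timestamps, uid and subkey values are illustrative.
SAMPLE_OK = (
    "pub:-:4096:1:199E2F91FD431D51:1256212795:::-:::scESC:\n"
    "fpr:::::::::567E347AD0044ADE55BA8A5F199E2F91FD431D51:\n"
    "uid:-::::::::Red Hat, Inc. (release key 2) <security@redhat.com>:\n"
    "sub:-:4096:1:0123456789ABCDEF:1256212795::::::e:\n"
    "fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:\n"
)
# The same file with a second, unknown key appended (made-up fingerprint).
SAMPLE_UNKNOWN = SAMPLE_OK + (
    "pub:-:2048:1:1122334455667788:1500000000:::-:::scESC:\n"
    "fpr:::::::::0000000000000000000000001122334455667788:\n"
)


def main(key_path="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"):
    """Live check: run gpg on the key file and import it only if it passes."""
    dir_mode = os.stat(os.path.dirname(key_path)).st_mode
    proc = subprocess.run(["gpg", "--with-fingerprint", "--with-colons", key_path],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    ok, reason = import_decision(dir_mode, proc.stdout, proc.returncode)
    print("%s: %s" % ("import" if ok else "skip", reason))
    if ok:
        subprocess.check_call(["rpm", "--import", key_path])


if __name__ == "__main__":
    main()
```

The decision is kept separate from the actions so it can be exercised against captured gpg output; on a host, `python3 thisfile.py` performs the same three gates as the shell remediation and runs `rpm --import` only when all pass.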
Ensure gpgcheck Enabled for Repository Metadata
Verify that the operating system prevents the installation of patches,
service packs, device drivers, or operating system components without
first verifying the signature on the repository metadata they come from.
This is configured by setting repo_gpgcheck to 1 in /etc/yum.conf
(it can also be set per repository in the files under /etc/yum.repos.d).
Note that repo_gpgcheck can only succeed for repositories that publish a
detached signature for their metadata (repomd.xml.asc); a repository whose
metadata is unsigned will fail to refresh once this is enabled, so verify
each configured repository before applying the setting globally.
1139BAI10.01BAI10.02BAI10.03BAI10.05CCI-001749164.308(a)(1)(ii)(D)164.312(b)164.312(c)(1)164.312(c)(2)164.312(e)(2)(i)4.3.4.3.24.3.4.3.3SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4CM-5(3)SI-7SC-12SC-12(3)CM-6(a)SA-12SA-12(10)CM-11(a)CM-11(b)PR.IP-1SRG-OS-000366-GPOS-00153
Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by
the organization. Verifying the authenticity of the software prior to
installation validates the integrity of the patch or upgrade received from
a vendor. This ensures the software has not been tampered with and that it
has been provided by a trusted vendor. Self-signed certificates are
disallowed by this requirement. The operating system should not have
to verify the software again. NOTE: For U.S. Military systems, this
requirement does not mandate DoD certificates for this purpose; however,
the certificate used to verify the software must be from an approved
Certificate Authority.
CCE-80348-6
Ensure yum Removes Previous Package Versions
yum should be configured to remove previous software components after
new versions have been installed. To configure yum to remove the
previous software components after updating, set clean_requirements_on_remove
to 1 in /etc/yum.conf. Note that this option governs the removal of
dependencies that are no longer required once a package is removed, updated
or obsoleted; the number of kernel (and other install-only) versions kept on
the system is controlled separately by installonly_limit.
18204APO12.01APO12.02APO12.03APO12.04BAI03.10DSS05.01DSS05.023.4.8CCI-0026174.2.34.2.3.124.2.3.74.2.3.9A.12.6.1A.14.2.3A.16.1.3A.18.2.2A.18.2.3SI-2(6)CM-11(a)CM-11(b)CM-6(a)ID.RA-1PR.IP-12SRG-OS-000437-GPOS-00194RHEL-07-020200SV-86611r2_ruleSRG-OS-000437-VMM-001760
Previous versions of software components that are not removed from the information
system after updates have been installed may be exploited by some adversaries.
CCE-80346-0
if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf
else
echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf
echo "clean_requirements_on_remove=1" >> /etc/yum.conf
fi
- name: Ensure YUM Removes Previous Package Versions
lineinfile:
dest: /etc/yum.conf
regexp: ^#?clean_requirements_on_remove
line: clean_requirements_on_remove=1
insertafter: \[main\]
create: true
tags:
- clean_components_post_updating
- low_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80346-0
- DISA-STIG-RHEL-07-020200
- NIST-800-171-3.4.8
- NIST-800-53-SI-2(6)
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-6(a)
Ensure gpgcheck Enabled In Main yum Configuration
The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1
A gpgcheck=0 line in a repository definition under /etc/yum.repos.d
overrides this global value for that repository, which is why the rule for
yum package repositories above checks every repository file as well.
NT28(R15)1.2.2112395.10.4.1APO01.06BAI03.05BAI06.01BAI10.01BAI10.02BAI10.03BAI10.05DSS06.023.4.8CCI-001749164.308(a)(1)(ii)(D)164.312(b)164.312(c)(1)164.312(c)(2)164.312(e)(2)(i)4.3.4.3.24.3.4.3.34.3.4.4.4SR 3.1SR 3.3SR 3.4SR 3.8SR 7.6A.11.2.4A.12.1.2A.12.2.1A.12.5.1A.12.6.2A.14.1.2A.14.1.3A.14.2.2A.14.2.3A.14.2.4CM-5(3)SI-7SC-12SC-12(3)CM-6(a)SA-12SA-12(10)CM-11(a)CM-11(b)PR.DS-6PR.DS-8PR.IP-1FAU_GEN.1.1.cReq-6.2SRG-OS-000366-GPOS-00153RHEL-07-020050SV-86601r2_ruleSRG-OS-000366-VMM-001430SRG-OS-000370-VMM-001460SRG-OS-000404-VMM-001650
Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA).
CCE-26989-4
# replace_or_append is a helper from the scap-security-guide remediation
# function library (not reproduced here): it rewrites the line matching the
# pattern, or appends the option, and records the CCE in a comment.
replace_or_append "/etc/yum.conf" '^gpgcheck' '1' 'CCE-26989-4'
- name: Check existence of yum on Fedora
stat:
path: /etc/yum.conf
register: yum_config_file
check_mode: false
when: ansible_distribution == "Fedora"
tags:
- ensure_gpgcheck_globally_activated
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-26989-4
- PCI-DSS-Req-6.2
- DISA-STIG-RHEL-07-020050
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- CJIS-5.10.4.1
- name: Ensure GPG check is globally activated (yum)
ini_file:
dest: /etc/yum.conf
section: main
option: gpgcheck
value: 1
no_extra_spaces: true
create: false
when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists)
tags:
- ensure_gpgcheck_globally_activated
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-26989-4
- PCI-DSS-Req-6.2
- DISA-STIG-RHEL-07-020050
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- CJIS-5.10.4.1
- name: Ensure GPG check is globally activated (dnf)
ini_file:
dest: /etc/dnf/dnf.conf
section: main
option: gpgcheck
value: 1
no_extra_spaces: true
create: false
when: ansible_distribution == "Fedora"
tags:
- ensure_gpgcheck_globally_activated
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-26989-4
- PCI-DSS-Req-6.2
- DISA-STIG-RHEL-07-020050
- NIST-800-171-3.4.8
- NIST-800-53-CM-5(3)
- NIST-800-53-SI-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- CJIS-5.10.4.1
Ensure gpgcheck Enabled for Local Packages
yum should be configured to verify the signature(s) of local packages
prior to installation. To configure yum to verify signatures of local
packages, set localpkg_gpgcheck to 1 in /etc/yum.conf.
This option covers packages installed from a path on the local filesystem
(for example yum install ./package.rpm or yum localinstall), which the
gpgcheck option alone does not cover.
NT28(R15)1139BAI10.01BAI10.02BAI10.03BAI10.053.4.8CCI-001749164.308(a)(1)(ii)(D)164.312(b)164.312(c)(1)164.312(c)(2)164.312(e)(2)(i)4.3.4.3.24.3.4.3.3SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4CM-11(a)CM-11(b)CM-6(a)CM-5(3)SA-12SA-12(10)PR.IP-1FAU_GEN.1.1.cSRG-OS-000366-GPOS-00153RHEL-07-020060SV-86603r2_ruleSRG-OS-000366-VMM-001430SRG-OS-000370-VMM-001460SRG-OS-000404-VMM-001650
Changes to any software components can have significant effects on the overall security
of the operating system. This requirement ensures the software has not been tampered with and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization.
CCE-80347-8
# replace_or_append is a helper from the scap-security-guide remediation
# function library (not reproduced here).
replace_or_append '/etc/yum.conf' '^localpkg_gpgcheck' '1' 'CCE-80347-8'
- name: Check existence of yum on Fedora
stat:
path: /etc/yum.conf
register: yum_config_file
check_mode: false
when: ansible_distribution == "Fedora"
tags:
- ensure_gpgcheck_local_packages
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80347-8
- DISA-STIG-RHEL-07-020060
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-5(3)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- name: Ensure GPG check Enabled for Local Packages (Yum)
ini_file:
dest: /etc/yum.conf
section: main
option: localpkg_gpgcheck
value: 1
create: true
when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists)
tags:
- ensure_gpgcheck_local_packages
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80347-8
- DISA-STIG-RHEL-07-020060
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-5(3)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- name: Ensure GPG check Enabled for Local Packages (DNF)
ini_file:
dest: /etc/dnf/dnf.conf
section: main
option: localpkg_gpgcheck
value: 1
create: true
when: ansible_distribution == "Fedora"
tags:
- ensure_gpgcheck_local_packages
- high_severity
- unknown_strategy
- low_complexity
- medium_disruption
- no_reboot_needed
- CCE-80347-8
- DISA-STIG-RHEL-07-020060
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-5(3)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
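The checks behind the four gpgcheck rules above (all repositories, the [main] section, repository metadata, local packages) combined into one audit, as an added example in Python that is not part of this guide or of scap-security-guide. It parses /etc/yum.conf and the .repo files with the standard-library INI parser, flags a [main] section missing gpgcheck, repo_gpgcheck or localpkg_gpgcheck, and resolves the effective gpgcheck of every repository section: a repository with its own gpgcheck line wins over [main], and a repository without one inherits [main], whose built-in default is 0 when the line is absent. It also reports repositories with gpgcheck on but no gpgkey line, since yum can only verify against a key it already has. The configuration texts are constructed; the vendor repository URLs are placeholders.

```python
import configparser
import glob

# Options the rules above require to be on in the [main] section of /etc/yum.conf.
MAIN_OPTIONS = ("gpgcheck", "repo_gpgcheck", "localpkg_gpgcheck")


def _parse(text):
    # yum's files are INI-style with '=' as the delimiter. Interpolation is off
    # because $basearch and $releasever are yum variables, not configparser ones.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def _is_on(value):
    # yum accepts 1/yes/true/on (case-insensitive) as true; anything else is off.
    return str(value).strip().lower() in ("1", "yes", "true", "on")


def audit_gpgcheck(yum_conf_text, repo_files):
    """Return findings as (file, section, problem) tuples.

    repo_files maps a .repo path to its contents. A repository section with no
    gpgcheck line inherits [main]; yum's own default when [main] is silent is 0,
    so an 'inherited' finding is a real gap, not a parser artifact.
    """
    findings = []
    main = _parse(yum_conf_text)
    main_opts = main["main"] if main.has_section("main") else {}
    for option in MAIN_OPTIONS:
        if not _is_on(main_opts.get(option, "0")):
            findings.append(("/etc/yum.conf", "main", "%s is not enabled" % option))
    main_gpgcheck = _is_on(main_opts.get("gpgcheck", "0"))

    for path in sorted(repo_files):
        repos = _parse(repo_files[path])
        for repo in repos.sections():
            if repos.has_option(repo, "gpgcheck"):
                effective, source = _is_on(repos.get(repo, "gpgcheck")), "set in repo"
            else:
                effective, source = main_gpgcheck, "inherited from [main]"
            if not effective:
                findings.append((path, repo, "gpgcheck disabled (%s)" % source))
            elif not repos.has_option(repo, "gpgkey"):
                # Not a violation of the rules, but without gpgkey= the signing key
                # must already be in the RPM database or installs will fail.
                findings.append((path, repo, "gpgcheck on but no gpgkey= (key must already be imported)"))
    return findings


# Constructed sample configuration; nothing below is read from disk.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
installonly_limit=3
"""
SAMPLE_REPOS = {
    "/etc/yum.repos.d/redhat.repo": """\
[rhel-7-server-rpms]
name = Red Hat Enterprise Linux 7 Server (RPMs)
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
""",
    "/etc/yum.repos.d/vendor.repo": """\
[vendor-tools]
name=Vendor tools
baseurl=http://repo.vendor.example/rhel7/tools
gpgcheck=0

[vendor-extras]
name=Vendor extras
baseurl=http://repo.vendor.example/rhel7/extras
""",
}


def audit_live_system():
    """Run the same audit against the real files (needs read access to /etc)."""
    with open("/etc/yum.conf") as fh:
        yum_conf = fh.read()
    repo_files = {}
    for path in glob.glob("/etc/yum.repos.d/*.repo"):
        with open(path) as fh:
            repo_files[path] = fh.read()
    return audit_gpgcheck(yum_conf, repo_files)


if __name__ == "__main__":
    for finding in audit_gpgcheck(SAMPLE_YUM_CONF, SAMPLE_REPOS):
        print("%s [%s]: %s" % finding)
```

On the sample the audit reports repo_gpgcheck and localpkg_gpgcheck missing from [main], vendor-tools with gpgcheck explicitly off, and vendor-extras inheriting gpgcheck=1 but carrying no gpgkey; the Red Hat repository passes. Run audit_live_system() as root to check a real host.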
Disk Partitioning
To ensure separation and protection of data, there
are top-level system directories which should be placed on their
own physical partition or logical volume. The installer's default
partitioning scheme creates separate logical volumes for
/, /boot, and swap.
If starting with any of the default layouts, check the box to
"Review and modify partitioning." This allows for the easy creation
of additional logical volumes inside the volume group already
created, though it may require making /'s logical volume smaller to
create space. In general, using logical volumes is preferable to
using partitions because they can be more easily adjusted
later.
If creating a custom layout, create the partitions mentioned in
the previous paragraph (which the installer will require anyway),
as well as the separate ones described in the following sections.
If a system has already been installed, and the default
partitioning scheme was used, it is possible but nontrivial to
modify it to create separate logical volumes for the directories
listed above. The Logical Volume Manager (LVM) makes this possible.
See the LVM HOWTO at
http://tldp.org/HOWTO/LVM-HOWTO/
for more detailed information on LVM.
Encrypt Partitions
Red Hat Enterprise Linux 7 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots; systems that must reboot unattended need an
alternative to the interactive prompt, such as the Network-Bound Disk Encryption
(Clevis and Tang) support available since Red Hat Enterprise Linux 7.4.
For automated/unattended installations, it is possible to use Kickstart by adding
the --encrypted and --passphrase= options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart
must then be protected accordingly.
Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
By default, the Anaconda installer uses the aes-xts-plain64 cipher
with a 512-bit key (XTS splits this into two 256-bit AES keys), which is
compatible with FIPS mode.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the Red Hat Enterprise Linux 7 Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html
1314APO01.06BAI02.01BAI06.01DSS04.07DSS05.03DSS05.04DSS05.07DSS06.02DSS06.063.13.16CCI-001199CCI-002475CCI-002476164.308(a)(1)(ii)(D)164.308(b)(1)164.310(d)164.312(a)(1)164.312(a)(2)(iii)164.312(a)(2)(iv)164.312(b)164.312(c)164.314(b)(2)(i)164.312(d)SR 3.4SR 4.1SR 5.2A.10.1.1A.11.1.4A.11.1.5A.11.2.1A.13.1.1A.13.1.3A.13.2.1A.13.2.3A.13.2.4A.14.1.2A.14.1.3A.6.1.2A.7.1.1A.7.1.2A.7.3.1A.8.2.2A.8.2.3A.9.1.1A.9.1.2A.9.2.3A.9.4.1A.9.4.4A.9.4.5CM-6(a)SC-28SC-28(1)SC-13AU-9(3)PR.DS-1PR.DS-5SRG-OS-000405-GPOS-00184SRG-OS-000185-GPOS-00079SRG-OS-000404-GPOS-00183SRG-OS-000404-VMM-001650SRG-OS-000405-VMM-001660
The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise. Encrypting this data mitigates
the risk of its loss if the system is lost.
CCE-27128-8
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
NT28(R12)1.1.1312158APO13.01DSS05.02CCI-000366CCI-001208SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.13.1.1A.13.2.1A.14.1.3CM-6(a)SC-5(2)PR.PT-4SRG-OS-000480-GPOS-00227RHEL-07-021310SV-86683r2_rule
Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
CCE-80144-9
part /home
Ensure /srv Located On Separate Partition
If a file server (FTP, TFTP, ...) is hosted locally, create a separate partition
for /srv at installation time (or migrate it later using LVM). If
/srv will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
NT28(R12)
The /srv directory holds the data served by local network file servers such as FTP. Ensuring
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
part /srv
Ensure /var/tmp Located On Separate Partition
The /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
NT28(R12)1.1.7
The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
CCE-82353-4
part /var/tmp
Ensure /var Located On Separate Partition
The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM.
NT28(R12)1.1.612158APO13.01DSS05.02CCI-000366SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.13.1.1A.13.2.1A.14.1.3CM-6(a)SC-5(2)PR.PT-4SRG-OS-000480-GPOS-00227RHEL-07-021320SV-86685r2_ruleSRG-OS-000341-VMM-001220
Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages.
CCE-82014-2
part /var
Ensure /tmp Located On Separate Partition
The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
NT28(R12)1.1.212158APO13.01DSS05.02CCI-000366SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.13.1.1A.13.2.1A.14.1.3CM-6(a)SC-5(2)PR.PT-4SRG-OS-000480-GPOS-00227RHEL-07-021340SV-86689r3_rule
The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
CCE-82053-0
part /tmp
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the /var/log/audit directory. Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon; what auditd does when
the partition approaches full is governed by the space_left_action and
admin_space_left_action settings in /etc/audit/auditd.conf, and a partition
sized too small turns those settings into a routine outage.
1.1.121121314151623568APO11.04APO13.01BAI03.05BAI04.04DSS05.02DSS05.04DSS05.07MEA02.01CCI-000366164.312(a)(2)(ii)4.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.2SR 7.6A.12.1.3A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3A.17.2.1CM-6(a)AU-4SC-5(2)PR.DS-4PR.PT-1PR.PT-4SRG-OS-000480-GPOS-00227RHEL-07-021330SV-86687r6_ruleSRG-OS-000341-VMM-001220
Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
CCE-82035-7
part /var/log/audit
Ensure /var/log Located On Separate Partition
System logs are stored in the /var/log directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
NT28(R12)NT28(R47)1.1.111121415163568APO11.04APO13.01BAI03.05DSS05.02DSS05.04DSS05.07MEA02.014.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.13.1.1A.13.2.1A.14.1.3CM-6(a)AU-4SC-5(2)PR.PT-1PR.PT-4SRG-OS-000480-GPOS-00227
Placing /var/log in its own partition
enables better separation between log files
and other files in /var/.
CCE-82034-0
part /var/log
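A check for the seven separate-partition rules above on an installed system, as an added example in Python that is not part of this guide or of scap-security-guide. It parses /proc/mounts-format text, finds the mount point that actually holds each required directory by longest-prefix match (so /var/log/audit sitting on the /var/log volume is reported as sharing /var/log, not /), and reports the hardening options a mount lacks, since more restrictive mount options are the stated reason for separating these directories. The /proc/mounts excerpt is constructed; the set of wanted options is passed in by the caller because the rules above do not prescribe one.

```python
SEPARATE_MOUNTS = ("/home", "/srv", "/var", "/var/tmp", "/tmp", "/var/log", "/var/log/audit")


def parse_proc_mounts(text):
    """Map mount point -> (device, fstype, options) from /proc/mounts-format text.

    The kernel escapes spaces in paths as \\040. A later entry for the same
    path overrides an earlier one, as a later mount shadows an earlier one.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        mountpoint = mountpoint.replace("\\040", " ")
        mounts[mountpoint] = (device, fstype, options.split(","))
    return mounts


def mount_holding(path, mounts):
    """Longest-prefix match: the mount point under which `path` actually lives."""
    best = "/"
    for mountpoint in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if (path == mountpoint or path.startswith(prefix)) and len(mountpoint) > len(best):
            best = mountpoint
    return best


def audit_separate_mounts(proc_mounts_text, required=SEPARATE_MOUNTS):
    """{directory: mount point it shares} for each directory that is not its own mount."""
    mounts = parse_proc_mounts(proc_mounts_text)
    result = {}
    for directory in required:
        holder = mount_holding(directory, mounts)
        if holder != directory:
            result[directory] = holder
    return result


def missing_mount_options(path, proc_mounts_text, wanted):
    """Which of the `wanted` options the mount holding `path` does not have."""
    mounts = parse_proc_mounts(proc_mounts_text)
    options = mounts.get(mount_holding(path, mounts), ("", "", []))[2]
    return [option for option in wanted if option not in options]


# Constructed /proc/mounts excerpt: the installer's default layout plus
# separate /home, /var and /var/log volumes, and a tmpfs on /tmp.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
/dev/sda1 /boot xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
/dev/mapper/rhel-home /home xfs rw,nosuid,nodev,seclabel,relatime,attr2,inode64,noquota 0 0
/dev/mapper/rhel-var /var xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,nosuid,nodev,noexec,seclabel,relatime,attr2,inode64,noquota 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,seclabel 0 0
"""

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        live = fh.read()
    for directory, holder in sorted(audit_separate_mounts(live).items()):
        print("%s is not a separate mount; it lives on %s" % (directory, holder))
```

On the sample, /srv shares the root volume, /var/tmp shares /var and /var/log/audit shares /var/log, while /home, /var, /var/log and /tmp pass; asking for nodev, nosuid and noexec on /tmp reports only noexec missing.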
Services
The best protection against vulnerable software is running less software. This section describes how to review
the software which Red Hat Enterprise Linux 7 installs on a system and disable software which is not needed. It
then enumerates the software packages installed on a default Red Hat Enterprise Linux 7 system and provides guidance about which
ones can be safely disabled.
Red Hat Enterprise Linux 7 provides a convenient minimal install option that essentially installs the bare necessities for a functional
system. When building Red Hat Enterprise Linux 7 systems, it is highly recommended to select the minimal packages and then build up
the system from there.
Obsolete Services
This section discusses a number of network-visible
services which have historically caused problems for system
security, and for which disabling or severely limiting the service
has been the best available guidance for some time. As a result of
this, many of these services are not installed as part of Red Hat Enterprise Linux 7
by default.
Organizations which are running these services should
switch to more secure equivalents as soon as possible.
If it remains absolutely necessary to run one of
these services for legacy reasons, care should be taken to restrict
the service as much as possible, for instance by configuring host
firewall software such as firewalld to restrict access to the
vulnerable service to only those remote hosts which have a known
need to use it.
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which
allow cleartext remote access and have an insecure trust
model: host-based trust through /etc/hosts.equiv and ~/.rhosts, which
relies on the client's claimed IP address and user name.
Uninstall rsh Package
The rsh package contains the client commands
for the rsh services.
2.3.23.1.13164.308(a)(4)(i)164.308(b)(1)164.308(b)(3)164.310(b)164.312(e)(1)164.312(e)(2)(ii)A.8.2.3A.13.1.1A.13.2.1A.13.2.3A.14.1.2A.14.1.3
These legacy clients contain numerous security exposures and have
been replaced with the more secure SSH package. Even if the server is removed,
it is best to ensure the clients are also removed to prevent users from
inadvertently attempting to use these commands and therefore exposing
their credentials. Note that removing the rsh package removes
the clients for rsh, rcp, and rlogin.
CCE-27274-0
# CAUTION: This remediation script will remove rsh
# from the system, and may remove any packages
# that depend on rsh. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "rsh" ; then
yum remove -y "rsh"
fi
- name: Ensure rsh is removed
package:
name: rsh
state: absent
tags:
- package_rsh_removed
- unknown_severity
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27274-0
- NIST-800-171-3.1.13
include remove_rsh
class remove_rsh {
package { 'rsh':
ensure => 'purged',
}
}
package --remove=rsh
Uninstall rsh-server Package
The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server
11121415389APO13.01BAI10.01BAI10.02BAI10.03BAI10.05DSS01.04DSS05.02DSS05.03DSS05.05DSS06.06CCI-000381164.308(a)(4)(i)164.308(b)(1)164.308(b)(3)164.310(b)164.312(e)(1)164.312(e)(2)(ii)4.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.11.2.6A.12.1.2A.12.5.1A.12.6.2A.13.1.1A.13.2.1A.14.1.3A.14.2.2A.14.2.3A.14.2.4A.6.2.1A.6.2.2A.9.1.2CM-7(a)CM-7(b)CM-6(a)IA-5(1)(c)PR.AC-3PR.IP-1PR.PT-3PR.PT-4SRG-OS-000095-GPOS-00049RHEL-07-020000SV-86591r2_rule
The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation.
CCE-27342-5
# CAUTION: This remediation script will remove rsh-server
# from the system, and may remove any packages
# that depend on rsh-server. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "rsh-server" ; then
yum remove -y "rsh-server"
fi
- name: Ensure rsh-server is removed
package:
name: rsh-server
state: absent
tags:
- package_rsh-server_removed
- high_severity
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27342-5
- DISA-STIG-RHEL-07-020000
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
include remove_rsh-server
class remove_rsh-server {
package { 'rsh-server':
ensure => 'purged',
}
}
package --remove=rsh-server
Disable rlogin Service
The rlogin service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rlogin (the service
block in that file is named login, after the entry in /etc/services).
The rlogin socket can be disabled with the following command:
$ sudo systemctl disable rlogin.socket
The rlogin socket can be masked with the following command:
$ sudo systemctl mask rlogin.socket
2.2.17111121415163589APO13.01BAI10.01BAI10.02BAI10.03BAI10.05DSS01.04DSS05.02DSS05.03DSS05.04DSS05.05DSS05.07DSS05.10DSS06.03DSS06.06DSS06.103.1.133.4.7CCI-001436164.308(a)(4)(i)164.308(b)(1)164.308(b)(3)164.310(b)164.312(e)(1)164.312(e)(2)(ii)4.3.3.2.24.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.11.2.6A.12.1.2A.12.5.1A.12.6.2A.13.1.1A.13.2.1A.14.1.3A.14.2.2A.14.2.3A.14.2.4A.18.1.4A.6.2.1A.6.2.2A.7.1.1A.9.1.2A.9.2.1A.9.2.2A.9.2.3A.9.2.4A.9.2.6A.9.3.1A.9.4.2A.9.4.3CM-7(a)CM-7(b)CM-6(a)IA-5(1)(c)PR.AC-1PR.AC-3PR.AC-6PR.AC-7PR.IP-1PR.PT-3PR.PT-4
The rlogin service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
CCE-27336-7
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rlogin.service'
"$SYSTEMCTL_EXEC" disable 'rlogin.service'
"$SYSTEMCTL_EXEC" mask 'rlogin.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rlogin.socket'; then
"$SYSTEMCTL_EXEC" stop 'rlogin.socket'
"$SYSTEMCTL_EXEC" disable 'rlogin.socket'
"$SYSTEMCTL_EXEC" mask 'rlogin.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rlogin.service' || true
- name: Disable service rlogin
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service rlogin
      systemd:
        name: rlogin.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"rlogin.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rlogin_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27336-7
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Unit Socket Exists - rlogin.socket
  command: systemctl list-unit-files rlogin.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rlogin_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27336-7
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Disable socket rlogin
  systemd:
    name: rlogin.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"rlogin.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rlogin_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27336-7
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
include disable_rlogin
class disable_rlogin {
service {'rlogin':
enable => false,
ensure => 'stopped',
}
}
Disable rsh Service
The rsh service, which is available with
the rsh-server package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rsh.
The rsh socket can be disabled with the following command:
$ sudo systemctl disable rsh.socket
The rsh socket can be masked with the following command:
$ sudo systemctl mask rsh.socket
References: CIS 2.2.17; CIS Controls 1, 11, 12, 14, 15, 16, 3, 5, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10; NIST SP 800-171 3.1.13, 3.4.7; DISA CCI-000068, CCI-001436; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2009 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c); NIST CSF PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4
The rsh service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
CCE-27337-5
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rsh.service'
"$SYSTEMCTL_EXEC" disable 'rsh.service'
"$SYSTEMCTL_EXEC" mask 'rsh.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rsh.socket'; then
"$SYSTEMCTL_EXEC" stop 'rsh.socket'
"$SYSTEMCTL_EXEC" disable 'rsh.socket'
"$SYSTEMCTL_EXEC" mask 'rsh.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rsh.service' || true
- name: Disable service rsh
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service rsh
      systemd:
        name: rsh.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"rsh.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rsh_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27337-5
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Unit Socket Exists - rsh.socket
  command: systemctl list-unit-files rsh.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rsh_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27337-5
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Disable socket rsh
  systemd:
    name: rsh.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"rsh.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rsh_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27337-5
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
include disable_rsh
class disable_rsh {
service {'rsh':
enable => false,
ensure => 'stopped',
}
}
Disable rexec Service
The rexec service, which is available with the rsh-server package
and runs as a service through xinetd or separately as a systemd socket, should be disabled.
If using xinetd, set disable to yes in /etc/xinetd.d/rexec.
The rexec socket can be disabled with the following command:
$ sudo systemctl disable rexec.socket
The rexec socket can be masked with the following command:
$ sudo systemctl mask rexec.socket
References: CIS 2.2.17; CIS Controls 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; NIST SP 800-171 3.1.13, 3.4.7; DISA CCI-000068, CCI-001436; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
The rexec service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
CCE-27408-4
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rexec.service'
"$SYSTEMCTL_EXEC" disable 'rexec.service'
"$SYSTEMCTL_EXEC" mask 'rexec.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rexec.socket'; then
"$SYSTEMCTL_EXEC" stop 'rexec.socket'
"$SYSTEMCTL_EXEC" disable 'rexec.socket'
"$SYSTEMCTL_EXEC" mask 'rexec.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rexec.service' || true
- name: Disable service rexec
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service rexec
      systemd:
        name: rexec.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"rexec.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rexec_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27408-4
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Unit Socket Exists - rexec.socket
  command: systemctl list-unit-files rexec.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rexec_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27408-4
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Disable socket rexec
  systemd:
    name: rexec.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"rexec.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rexec_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27408-4
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
include disable_rexec
class disable_rexec {
service {'rexec':
enable => false,
ensure => 'stopped',
}
}
Remove Host-Based Authentication Files
The shosts.equiv file lists remote hosts
and users that are trusted by the local system.
To remove these files, run the following command to delete them from any
location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
References: DISA CCI-000366; DISA OS SRG SRG-OS-000480-GPOS-00227; DISA STIG ID RHEL-07-040550; DISA STIG rule SV-86903r2_rule
The shosts.equiv files are used to configure host-based authentication for the
system via SSH. Host-based authentication is not sufficient for preventing
unauthorized access to the system, as it does not require interactive
identification and authentication of a connection request, or for the use of
two-factor authentication.
CCE-80513-5
# Identify local mounts
MOUNT_LIST=$(df --local | awk '{ print $6 }')
# Find file on each listed mount point
for cur_mount in ${MOUNT_LIST}
do
find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \;
done
Remove User Host-Based Authentication Files
The ~/.shosts files (in each user's home directory)
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
References: DISA CCI-000366; DISA OS SRG SRG-OS-000480-GPOS-00227; DISA STIG ID RHEL-07-040540; DISA STIG rule SV-86901r2_rule
The .shosts files are used to configure host-based authentication for
individual users or the system via SSH. Host-based authentication is not
sufficient for preventing unauthorized access to the system, as it does not
require interactive identification and authentication of a connection request,
or for the use of two-factor authentication.
CCE-80514-3
# Identify local mounts
MOUNT_LIST=$(df --local | awk '{ print $6 }')
# Find file on each listed mount point
for cur_mount in ${MOUNT_LIST}
do
find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \;
done
Remove Rsh Trust Files
The files /etc/hosts.equiv and ~/.rhosts (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following commands to delete them from any
location:
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
References: CIS 6.2.14; CIS Controls 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; DISA CCI-001436; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
Trust files are convenient, but when
used in conjunction with the R-services, they can allow
unauthenticated access to a system.
CCE-27406-8
find /home -maxdepth 2 -type f -name .rhosts -exec rm -f '{}' \;
if [ -f /etc/hosts.equiv ]; then
    /bin/rm -f /etc/hosts.equiv
fi
- block:
    - name: Detect rsh trust files (hosts.equiv and .rhosts) on the system
      # This rule is about the rshd trust files; shosts.equiv and .shosts are
      # handled by the two SSH host-based rules above. /root is searched as
      # well as /home, and hidden must be set for the find module to match
      # dotfiles such as .rhosts.
      find:
        paths:
          - /etc
          - /home
          - /root
        recurse: true
        hidden: true
        patterns:
          - hosts.equiv
          - .rhosts
      check_mode: false
      register: rsh_trust_file_locations
    - name: Remove Rsh Trust Files
      file:
        path: '{{ item.path }}'
        state: absent
      with_items: '{{ rsh_trust_file_locations.files }}'
  tags:
    - no_rsh_trust_files
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27406-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
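The three rules above delete four kinds of trust file (shosts.equiv, ~/.shosts, /etc/hosts.equiv and ~/.rhosts) without showing what they granted. The script below is an added audit example, not remediation content from the SCAP Security Guide: trust_file_candidates lists the trust files that exist under a root directory, and trust_file_report prints each effective entry in the "hostname [username]" format that all four files share, flagging "+" wildcards, which rshd/rlogind (through ruserok) honour as "any host" or "any user". The directory tree scanned at the bottom is constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/bash
# Added audit example; not part of the SCAP Security Guide remediation content.
# Lists the trust files the three rules above delete and shows what each one
# grants, so the entries can be reviewed before the files are removed.

# trust_file_candidates ROOT
#   Print the trust files that exist under ROOT, one per line: hosts.equiv and
#   shosts.equiv in ROOT/etc, and .rhosts/.shosts in ROOT/root and in every
#   home directory under ROOT/home. Use ROOT="" for the live system.
trust_file_candidates() {
    local root="$1" f
    for f in "$root"/etc/hosts.equiv "$root"/etc/shosts.equiv \
             "$root"/root/.rhosts "$root"/root/.shosts \
             "$root"/home/*/.rhosts "$root"/home/*/.shosts; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# trust_file_report FILE
#   Print one line per effective entry of FILE. All four file types share the
#   "hostname [username]" format; blank lines and '#' comments are skipped.
#   A '+' in the host field is honoured by rshd/rlogind (ruserok) as "any host"
#   and '+' in the user field as "any user", so "+ +" lets anyone in without a
#   password; such entries are flagged. Return value: number of flagged entries.
trust_file_report() {
    local file="$1" host user rest wild=0
    # The "|| [ -n ... ]" keeps a last line without a trailing newline.
    while read -r host user rest || [ -n "$host" ]; do
        case "$host" in ''|\#*) continue ;; esac
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            printf 'WILDCARD  %s: %s %s\n' "$file" "$host" "$user"
            wild=$((wild + 1))
        else
            printf 'entry     %s: %s %s\n' "$file" "$host" "$user"
        fi
    done < "$file"
    return "$wild"
}

# Demonstration on a constructed tree. On a real host run
#   trust_file_candidates "" | while read -r f; do trust_file_report "$f"; done
# and review the output before running the rm commands above.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc" "$demo_root/home/alice"
printf '# build farm\nbuild01.example.com\n+ +\n' > "$demo_root/etc/hosts.equiv"
printf 'db01.example.com alice\n' > "$demo_root/home/alice/.rhosts"
trust_file_candidates "$demo_root" | while read -r f; do
    trust_file_report "$f" || :
done
rm -rf "$demo_root"
```

The report is deliberately read-only: the deletion itself is the job of the remediation scripts above, and a "+ +" line found in /etc/hosts.equiv is worth recording in the incident log before it disappears.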
Telnet
The telnet protocol does not provide confidentiality or integrity
for information transmitted on the network. This includes authentication
information such as passwords. Organizations which use telnet should be
actively working to migrate to a more secure protocol.
Remove telnet Clients
The telnet client allows users to start connections to other systems via
the telnet protocol.
References: CIS 2.3.4; NIST SP 800-171 3.1.13; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
The telnet protocol is insecure and unencrypted. The use
of an unencrypted transmission medium could allow an unauthorized user
to steal credentials. The ssh client (openssh-clients package) provides an
encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.
CCE-27305-2
# CAUTION: This remediation script will remove telnet
# from the system, and may remove any packages
# that depend on telnet. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "telnet" ; then
yum remove -y "telnet"
fi
- name: Ensure telnet is removed
  package:
    name: telnet
    state: absent
  tags:
    - package_telnet_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27305-2
    - NIST-800-171-3.1.13
include remove_telnet
class remove_telnet {
package { 'telnet':
ensure => 'purged',
}
}
package --remove=telnet
Uninstall telnet-server Package
The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server
References: CIS 2.1.1; CIS Controls 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; DISA CCI-000381; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4; DISA OS SRG SRG-OS-000095-GPOS-00049; DISA STIG ID RHEL-07-021710; DISA STIG rule SV-86701r2_rule
It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecured. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does
not provide for the confidentiality and integrity of user passwords or the
remote session. If a privileged user were to login using this service, the
privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation.
CCE-27165-0
# CAUTION: This remediation script will remove telnet-server
# from the system, and may remove any packages
# that depend on telnet-server. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "telnet-server" ; then
yum remove -y "telnet-server"
fi
- name: Ensure telnet-server is removed
  package:
    name: telnet-server
    state: absent
  tags:
    - package_telnet-server_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27165-0
    - DISA-STIG-RHEL-07-021710
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include remove_telnet-server
class remove_telnet-server {
package { 'telnet-server':
ensure => 'purged',
}
}
package --remove=telnet-server
Disable telnet Service
The telnet service configuration file /etc/xinetd.d/telnet
is not created automatically. If it was created manually, check the
/etc/xinetd.d/telnet file and ensure that disable = no
is changed to read disable = yes as follows below:
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
If the /etc/xinetd.d/telnet file does not exist, make sure that
the activation of the telnet service on system boot is disabled
via the following commands.
The telnet socket can be disabled with the following command:
$ sudo systemctl disable telnet.socket
The telnet socket can be masked with the following command:
$ sudo systemctl mask telnet.socket
References: CIS 2.2.18; CIS Controls 1, 11, 12, 14, 15, 16, 3, 5, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10; NIST SP 800-171 3.1.13, 3.4.7; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2009 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c); NIST CSF PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4
The telnet protocol uses unencrypted network communication, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network. The telnet protocol is also
subject to man-in-the-middle attacks.
CCE-27401-9
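The xinetd stanza and the systemctl commands above are the two switches an auditor has to check for every inetd-style service in this section (telnet, rsh, rlogin, rexec). The script below is an added example, not remediation content from the SCAP Security Guide: xinetd_service_disabled parses an /etc/xinetd.d stanza and reports whether disable = yes is set (a missing disable attribute counts as enabled, which is how xinetd treats it), and systemd_unit_off interprets the output of systemctl is-enabled and systemctl is-active so that only a masked, inactive unit passes, which is the reason the remediation scripts mask rather than merely disable. The sample stanza embedded at the bottom is constructed; the function names are this example's own.

```shell
#!/bin/bash
# Added audit example; not remediation content from the SCAP Security Guide.
# A legacy service such as telnet, rsh, rlogin or rexec can be switched on in
# two places, an xinetd stanza and a systemd unit; both must be checked.

# xinetd_service_disabled FILE
#   Return 0 if the stanza in FILE has "disable = yes", 1 if the service is
#   enabled. xinetd treats a missing "disable" attribute as enabled, so a file
#   without that line also returns 1. Return 2 if FILE cannot be read.
xinetd_service_disabled() {
    local file="$1" value
    [ -r "$file" ] || return 2
    # Drop comment lines, then print the value of the first "disable = ..." line.
    value=$(sed -n '/^[[:space:]]*#/d
        s/^[[:space:]]*disable[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$file" | head -n 1)
    # Only the literal "yes" counts; "no", garbage or nothing means enabled.
    [ "$value" = "yes" ]
}

# systemd_unit_off ENABLED_STATE ACTIVE_STATE
#   Takes the output of "systemctl is-enabled UNIT" and "systemctl is-active UNIT".
#   Only a masked unit passes: a unit that is merely disabled can still be
#   started by hand, by a dependency or by its .socket; a masked one cannot.
#   "failed" is rejected, which is what the reset-failed in the script below
#   is for.
systemd_unit_off() {
    local enabled="$1" active="$2"
    # No unit file at all (is-enabled printed nothing): nothing can be started.
    [ -z "$enabled" ] && return 0
    case "$enabled" in
        masked|masked-runtime) ;;
        *) return 1 ;;
    esac
    [ "$active" = "inactive" ]
}

# audit_legacy_units UNIT...
#   Query systemd for each UNIT; print a verdict per unit and return how many
#   are still enabled or running. Pass both the .service and the .socket: a
#   socket-activated service stays reachable as long as its .socket is live.
audit_legacy_units() {
    local unit enabled active bad=0
    for unit in "$@"; do
        enabled=$(systemctl is-enabled "$unit" 2>/dev/null || true)
        active=$(systemctl is-active "$unit" 2>/dev/null || true)
        if systemd_unit_off "$enabled" "$active"; then
            printf 'OK    %-16s enabled=%s active=%s\n' "$unit" "${enabled:-absent}" "${active:-absent}"
        else
            printf 'FAIL  %-16s enabled=%s active=%s\n' "$unit" "$enabled" "$active"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demonstration on a constructed stanza (on a real host: /etc/xinetd.d/telnet).
demo_stanza=$(mktemp)
cat > "$demo_stanza" <<'EOF'
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        disable         = yes
}
EOF
if xinetd_service_disabled "$demo_stanza"; then
    echo "telnet via xinetd: disabled"
else
    echo "telnet via xinetd: ENABLED"
fi
rm -f "$demo_stanza"
```

On a host, source the file and run audit_legacy_units rlogin.socket rlogin.service rsh.socket rsh.service rexec.socket rexec.service telnet.socket telnet.service, then xinetd_service_disabled on each of /etc/xinetd.d/rlogin, rsh, rexec and telnet that exists; a unit that is disabled but not masked is reported as FAIL on purpose.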
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'telnet.service'
"$SYSTEMCTL_EXEC" disable 'telnet.service'
"$SYSTEMCTL_EXEC" mask 'telnet.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^telnet.socket'; then
"$SYSTEMCTL_EXEC" stop 'telnet.socket'
"$SYSTEMCTL_EXEC" disable 'telnet.socket'
"$SYSTEMCTL_EXEC" mask 'telnet.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'telnet.service' || true
- name: Disable service telnet
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service telnet
      systemd:
        name: telnet.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"telnet.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_telnet_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27401-9
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Unit Socket Exists - telnet.socket
  command: systemctl list-unit-files telnet.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_telnet_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27401-9
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Disable socket telnet
  systemd:
    name: telnet.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"telnet.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_telnet_disabled
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27401-9
    - NIST-800-171-3.1.13
    - NIST-800-171-3.4.7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
include disable_telnet
class disable_telnet {
service {'telnet':
enable => false,
ensure => 'stopped',
}
}
NIS
The Network Information Service (NIS), also known as 'Yellow
Pages' (YP), and its successor NIS+ have been made obsolete by
Kerberos, LDAP, and other modern centralized authentication
services. NIS should not be used because it suffers from security
problems inherent in its design, such as inadequate protection of
important authentication information.
Remove NIS Client
The Network Information Service (NIS), formerly known as Yellow Pages,
is a client-server directory service protocol used to distribute system configuration
files. The NIS client (ypbind) was used to bind a system to an NIS server
and receive the distributed configuration files.
References: CIS 2.3.1; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
The NIS service is inherently insecure: it has been vulnerable
to DoS attacks and buffer overflows, and it has poor authentication for querying
NIS maps. NIS has generally been replaced by protocols such as the Lightweight
Directory Access Protocol (LDAP). It is recommended that the service be
removed.
CCE-27396-1
# CAUTION: This remediation script will remove ypbind
# from the system, and may remove any packages
# that depend on ypbind. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "ypbind" ; then
yum remove -y "ypbind"
fi
- name: Ensure ypbind is removed
  package:
    name: ypbind
    state: absent
  tags:
    - package_ypbind_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27396-1
include remove_ypbind
class remove_ypbind {
package { 'ypbind':
ensure => 'purged',
}
}
package --remove=ypbind
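Removing the ypbind package does not remove the configuration that pointed the system at NIS. Two places keep NIS lookups alive with no NIS package installed: nis or nisplus listed as a source in /etc/nsswitch.conf, and "+"/"-" compat entries in /etc/passwd, /etc/shadow or /etc/group, which nss_compat resolves through NIS maps. The script below is an added check, not content from the guide; the sample files it parses at the bottom are constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/bash
# Added check; not remediation content from the SCAP Security Guide.
# Removing ypbind/ypserv does not remove the configuration that pointed the
# system at NIS. Two places keep NIS lookups alive without any NIS package:
# "nis"/"nisplus" sources in /etc/nsswitch.conf, and "+"/"-" compat entries in
# /etc/passwd, /etc/shadow or /etc/group, which nss_compat resolves through NIS.

# nsswitch_nis_databases FILE
#   Print every database entry in the nsswitch.conf at FILE whose source list
#   contains the word nis or nisplus, e.g. "passwd: files nis". Comments are
#   stripped first; a source is matched as a whole word, so "nisplus" and
#   "nis" match but unrelated words do not.
nsswitch_nis_databases() {
    sed 's/#.*//' "$1" | awk -F: '
        NF >= 2 {
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (src[i] == "nis" || src[i] == "nisplus") {
                    sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
                    print
                    break
                }
            }
        }'
}

# compat_nis_ent​ries FILE
#   Print the lines of a passwd/shadow/group-style FILE that start with "+" or
#   "-". With a "compat" source in nsswitch.conf these pull accounts from NIS
#   maps; the classic "+::::::" line imports every NIS user.
compat_nis_entries() {
    grep -E '^[+-]' "$1" 2>/dev/null || true
}

# Demonstration on constructed files, then on the live configuration if readable.
demo=$(mktemp)
printf 'passwd:     files nis\nshadow:     files\ngroup:      files nis\nhosts:      files dns\n' > "$demo"
echo "nsswitch databases still using NIS (sample):"
nsswitch_nis_databases "$demo"
printf 'root:x:0:0:root:/root:/bin/bash\n+::::::\n' > "$demo"
echo "compat entries (sample):"
compat_nis_entries "$demo"
rm -f "$demo"

if [ -r /etc/nsswitch.conf ]; then
    echo "nsswitch databases still using NIS (live):"
    nsswitch_nis_databases /etc/nsswitch.conf
    for f in /etc/passwd /etc/shadow /etc/group; do
        compat_nis_entries "$f"
    done
fi
```

Any line printed for the live files means the host will still try to reach an NIS server (or fail lookups) after the package is gone; change the source to files, sss or ldap as appropriate and delete the compat lines before removing ypbind.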
Uninstall ypserv Package
The ypserv package can be removed with the following command:
$ sudo yum erase ypserv
References: CIS 2.2.16; CIS Controls 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; DISA CCI-000381; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4; DISA OS SRG SRG-OS-000095-GPOS-00049; DISA STIG ID RHEL-07-020010; DISA STIG rule SV-86593r2_rule
The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
remote session.
Removing the ypserv package decreases the risk of the accidental
(or intentional) activation of NIS or NIS+ services.
CCE-27399-5
# CAUTION: This remediation script will remove ypserv
# from the system, and may remove any packages
# that depend on ypserv. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "ypserv" ; then
yum remove -y "ypserv"
fi
- name: Ensure ypserv is removed
  package:
    name: ypserv
    state: absent
  tags:
    - package_ypserv_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27399-5
    - DISA-STIG-RHEL-07-020010
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
include remove_ypserv
class remove_ypserv {
package { 'ypserv':
ensure => 'purged',
}
}
package --remove=ypserv
Disable ypbind Service
The ypbind service, which allows the system to act as a client in
a NIS or NIS+ domain, should be disabled.
The ypbind service can be disabled with the following command:
$ sudo systemctl disable ypbind.service
The ypbind service can be masked with the following command:
$ sudo systemctl mask ypbind.service
References: CIS Controls 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; DISA CCI-000305; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
Disabling the ypbind service ensures the system is not acting
as a client in a NIS or NIS+ domain. This service should be disabled
unless in use.
CCE-27385-4
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'ypbind.service'
"$SYSTEMCTL_EXEC" disable 'ypbind.service'
"$SYSTEMCTL_EXEC" mask 'ypbind.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^ypbind.socket'; then
"$SYSTEMCTL_EXEC" stop 'ypbind.socket'
"$SYSTEMCTL_EXEC" disable 'ypbind.socket'
"$SYSTEMCTL_EXEC" mask 'ypbind.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'ypbind.service' || true
- name: Disable service ypbind
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service ypbind
      systemd:
        name: ypbind.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"ypbind.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_ypbind_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27385-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Unit Socket Exists - ypbind.socket
  command: systemctl list-unit-files ypbind.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_ypbind_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27385-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
- name: Disable socket ypbind
  systemd:
    name: ypbind.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"ypbind.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_ypbind_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27385-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
include disable_ypbind
class disable_ypbind {
service {'ypbind':
enable => false,
ensure => 'stopped',
}
}
TFTP Server
TFTP is a lightweight version of the FTP protocol which has
traditionally been used to configure networking equipment. However,
TFTP provides little security, and modern versions of networking
operating systems frequently support configuration via SSH or other
more secure protocols. A TFTP server should be run only if no more
secure method of supporting existing equipment can be
found.
Remove tftp Daemon
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
typically used to automatically transfer configuration or boot files between systems.
TFTP does not support authentication and is easily abused. The package
tftp is a client program that allows for connections to a tftp server.
It is recommended that TFTP be removed, unless there is a specific need
for TFTP (such as a boot server). In that case, use extreme caution when configuring
the services.
CCE-80443-5
# CAUTION: This remediation script will remove tftp
# from the system, and may remove any packages
# that depend on tftp. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "tftp" ; then
yum remove -y "tftp"
fi
- name: Ensure tftp is removed
  package:
    name: tftp
    state: absent
  tags:
    - package_tftp_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80443-5
include remove_tftp
class remove_tftp {
package { 'tftp':
ensure => 'purged',
}
}
package --remove=tftp
Uninstall tftp-server Package
The tftp-server package can be removed with the following command:
$ sudo yum erase tftp-server
References: CIS Controls 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; DISA CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814; ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4; DISA OS SRG SRG-OS-000480-GPOS-00227; DISA STIG ID RHEL-07-040700; DISA STIG rule SV-86925r2_rule
Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router
configurations), its use must be documented with the Information Systems
Security Manager (ISSM), restricted to only authorized personnel, and have
access control rules established.
CCE-80213-2
# CAUTION: This remediation script will remove tftp-server
# from the system, and may remove any packages
# that depend on tftp-server. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "tftp-server" ; then
yum remove -y "tftp-server"
fi
- name: Ensure tftp-server is removed
  package:
    name: tftp-server
    state: absent
  tags:
    - package_tftp-server_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80213-2
    - DISA-STIG-RHEL-07-040700
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include remove_tftp-server
class remove_tftp-server {
package { 'tftp-server':
ensure => 'purged',
}
}
package --remove=tftp-server
Disable tftp Service
The tftp service should be disabled.
The tftp service can be disabled with the following command:
$ sudo systemctl disable tftp.service
The tftp service can be masked with the following command:
$ sudo systemctl mask tftp.service
References: CIS 2.1.6; CIS Controls 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; DISA CCI-001436; ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
Disabling the tftp service ensures the system is not acting
as a TFTP server, which does not provide encryption or authentication.
CCE-80212-4
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'tftp.service'
"$SYSTEMCTL_EXEC" disable 'tftp.service'
"$SYSTEMCTL_EXEC" mask 'tftp.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^tftp.socket'; then
    "$SYSTEMCTL_EXEC" stop 'tftp.socket'
    "$SYSTEMCTL_EXEC" disable 'tftp.socket'
    "$SYSTEMCTL_EXEC" mask 'tftp.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'tftp.service' || true

Remediation Ansible snippet:
- name: Disable service tftp
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service tftp
    systemd:
      name: tftp.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"tftp.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_tftp_disabled
  - high_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80212-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - tftp.socket
  command: systemctl list-unit-files tftp.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_tftp_disabled
  - high_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80212-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Disable socket tftp
  systemd:
    name: tftp.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"tftp.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_tftp_disabled
  - high_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80212-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_tftp
class disable_tftp {
  service {'tftp':
    enable => false,
    ensure => 'stopped',
  }
}
Ensure tftp Daemon Uses Secure Mode

If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):
server_args = -s /var/lib/tftpboot

Rationale: Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.

Identifiers: CCE-80214-0

Xinetd

The xinetd service acts as a dedicated listener for some network services (mostly obsolete ones) and can be used to provide access controls and perform some logging. It has been largely obsoleted by other features, and it is not installed by default. The older inetd service is not even available as part of Red Hat Enterprise Linux 7.

Install tcp_wrappers Package

When network services are using the xinetd service, the tcp_wrappers package should be installed.
The tcp_wrappers package can be installed with the following command:
$ sudo yum install tcp_wrappers

Rationale: Access control methods provide the ability to enhance the system security posture by restricting services to known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

Identifiers: CCE-27361-5
Remediation Shell script:
if ! rpm -q --quiet "tcp_wrappers" ; then
    yum install -y "tcp_wrappers"
fi

Remediation Ansible snippet:
- name: Ensure tcp_wrappers is installed
  package:
    name: tcp_wrappers
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_tcp_wrappers_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27361-5
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include install_tcp_wrappers
class install_tcp_wrappers {
  package { 'tcp_wrappers':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=tcp_wrappers
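For the xinetd-managed tftp service covered by "Ensure tftp Daemon Uses Secure Mode" above, the following audit script is an added example, not part of this guide or of the scap-security-guide project: it reads a constructed copy of /etc/xinetd.d/tftp and reports whether in.tftpd is started with -s and which directories it serves, assuming the tftp-hpa option syntax that RHEL 7's tftp-server package uses.

```shell
#!/bin/sh
# Added example, not part of the SCAP guide or of the scap-security-guide
# project: audit an xinetd service file for the "-s" (secure mode) argument
# required by "Ensure tftp Daemon Uses Secure Mode". Option parsing assumes
# the tftp-hpa in.tftpd syntax shipped with RHEL 7; the sample is constructed.

# Print the effective server_args value of an xinetd service file.
# Whole-line comments are dropped; if the attribute appears twice the last wins.
xinetd_server_args() {
    sed 's/^[[:space:]]*#.*//' "$1" | awk '
        /^[[:space:]]*server_args[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop "server_args ="
            sub(/[[:space:]]+$/, "")         # drop trailing blanks
            value = $0
        }
        END { print value }'
}

# Return 0 and print the served directories when in.tftpd runs with -s;
# return 1 and print the offending argument string otherwise.
tftp_secure_mode() {
    file=$1
    secure=1
    dirs=""
    set -- $(xinetd_server_args "$file")       # word-split the argument list
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|--secure) secure=0 ;;
            # tftp-hpa options that consume the next word (assumption, see above)
            -a|-B|-m|-P|-r|-R|-t|-T|-u|-U) [ $# -gt 1 ] && shift ;;
            -*) ;;                               # other flags take no value
            *) dirs="$dirs $1" ;;                # bare words are directories
        esac
        shift
    done
    if [ "$secure" -eq 0 ]; then
        echo "secure mode: serving${dirs:- (no directory given)}"
    else
        echo "INSECURE: server_args lacks -s ($(xinetd_server_args "$file"))"
    fi
    return $secure
}

# Write a constructed /etc/xinetd.d/tftp to a temporary file and print its
# path. "secure" gives the RHEL 7 default; anything else drops the -s flag.
make_sample_tftp_conf() {
    tmp=$(mktemp)
    if [ "$1" = "secure" ]; then args="-s /var/lib/tftpboot"; else args="/var/lib/tftpboot"; fi
    cat > "$tmp" <<EOF
# default: off
# description: The tftp server serves files using the trivial file transfer
#       protocol.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = $args
        disable                 = yes
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}
EOF
    echo "$tmp"
}

# Usage on a real host: tftp_secure_mode /etc/xinetd.d/tftp
sample=$(make_sample_tftp_conf secure)
tftp_secure_mode "$sample"     # prints: secure mode: serving /var/lib/tftpboot
rm -f "$sample"
```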
Uninstall xinetd Package

The xinetd package can be removed with the following command:
$ sudo yum erase xinetd

Rationale: Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.

Identifiers: CCE-27354-0
Remediation Shell script:
# CAUTION: This remediation script will remove xinetd
# from the system, and may remove any packages
# that depend on xinetd. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "xinetd" ; then
    yum remove -y "xinetd"
fi

Remediation Ansible snippet:
- name: Ensure xinetd is removed
  package:
    name: xinetd
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_xinetd_removed
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27354-0
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include remove_xinetd
class remove_xinetd {
  package { 'xinetd':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=xinetd
Disable xinetd Service

The xinetd service can be disabled with the following command:
$ sudo systemctl disable xinetd.service
The xinetd service can be masked with the following command:
$ sudo systemctl mask xinetd.service

Rationale: The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

Identifiers: CCE-27443-1
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'xinetd.service'
"$SYSTEMCTL_EXEC" disable 'xinetd.service'
"$SYSTEMCTL_EXEC" mask 'xinetd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^xinetd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'xinetd.socket'
    "$SYSTEMCTL_EXEC" disable 'xinetd.socket'
    "$SYSTEMCTL_EXEC" mask 'xinetd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'xinetd.service' || true

Remediation Ansible snippet:
- name: Disable service xinetd
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service xinetd
    systemd:
      name: xinetd.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"xinetd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_xinetd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27443-1
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - xinetd.socket
  command: systemctl list-unit-files xinetd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_xinetd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27443-1
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Disable socket xinetd
  systemd:
    name: xinetd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"xinetd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_xinetd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27443-1
  - NIST-800-171-3.4.7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_xinetd
class disable_xinetd {
  service {'xinetd':
    enable => false,
    ensure => 'stopped',
  }
}
Chat/Messaging Services

The talk software makes it possible for users to send and receive messages across systems through a terminal session.

Uninstall talk Package

The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user.
The talk package can be removed with the following command:
$ sudo yum erase talk

Rationale: The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of the talk client program.

Identifiers: CCE-27432-4
Remediation Shell script:
# CAUTION: This remediation script will remove talk
# from the system, and may remove any packages
# that depend on talk. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "talk" ; then
    yum remove -y "talk"
fi

Remediation Ansible snippet:
- name: Ensure talk is removed
  package:
    name: talk
    state: absent
  tags:
  - package_talk_removed
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27432-4

Remediation Puppet snippet:
include remove_talk
class remove_talk {
  package { 'talk':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=talk
Uninstall talk-server Package

The talk-server package can be removed with the following command:
$ sudo yum erase talk-server

Rationale: The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services.

Identifiers: CCE-27210-4
Remediation Shell script:
# CAUTION: This remediation script will remove talk-server
# from the system, and may remove any packages
# that depend on talk-server. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "talk-server" ; then
    yum remove -y "talk-server"
fi

Remediation Ansible snippet:
- name: Ensure talk-server is removed
  package:
    name: talk-server
    state: absent
  tags:
  - package_talk-server_removed
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-27210-4

Remediation Puppet snippet:
include remove_talk-server
class remove_talk-server {
  package { 'talk-server':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=talk-server
APT service configuration

The apt service manages the package management and updates of the whole system. Its configuration needs to be properly defined to ensure efficient security updates, package and repository authentication, and proper lifecycle management.

Remote Authentication Dial-In User Service (RADIUS)

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on port 1812, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.

Remove the FreeRadius Server Package

The freeradius package should be removed if not in use. Is this system a RADIUS server? If not, remove the package.
The freeradius package can be removed with the following command:
$ sudo yum erase freeradius
The freeradius RPM is not installed by default on a Red Hat Enterprise Linux 7 system. It is needed only by RADIUS servers, not by the clients which use RADIUS for authentication. If the system is not intended for use as a RADIUS server, the package should be removed.

Rationale: Unnecessary packages should not be installed, to decrease the attack surface of the system. While this software is clearly essential on a RADIUS server, it is not necessary on typical desktop or workstation systems.

Identifiers: CCE-82751-9
Remediation Shell script:
# CAUTION: This remediation script will remove freeradius
# from the system, and may remove any packages
# that depend on freeradius. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "freeradius" ; then
    yum remove -y "freeradius"
fi

Remediation Ansible snippet:
- name: Ensure freeradius is removed
  package:
    name: freeradius
    state: absent
  tags:
  - package_freeradius_removed
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82751-9

Remediation Puppet snippet:
include remove_freeradius
class remove_freeradius {
  package { 'freeradius':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=freeradius
FTP Server

FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured and that the session is vulnerable to hijacking. Therefore, running the FTP server software is not recommended. However, there are some FTP server configurations which may be appropriate for some environments, particularly those which allow only read-only anonymous access as a means of downloading data available to the public.

Configure vsftpd to Provide FTP Service if Necessary

The primary vsftpd configuration file is /etc/vsftpd.conf, if that file exists, or /etc/vsftpd/vsftpd.conf if it does not.

Configure Firewalls to Protect the FTP Server

By default, firewalld blocks access to the ports used by the web server. To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=ftp

Rationale: These settings configure the firewall to allow connections to an FTP server. The first line allows initial connections to the FTP server port. FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an FTP server to operate on a system which is running a firewall.

Create Warning Banners for All FTP Users

Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration option:
banner_file=/etc/issue

Rationale: This setting will cause the system greeting banner to be used for FTP connections as well.

Identifiers: CCE-80248-8

Enable Logging of All FTP Transactions

Add or correct the following configuration options within the vsftpd configuration file, located at /etc/vsftpd/vsftpd.conf:
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
If verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog will not also occur. However, the information about what files were downloaded is included in the information logged to vsftpd.log.

Rationale: To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log.

Identifiers: CCE-80247-0

Disable FTP Uploads if Possible

Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration option:
write_enable=NO
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as much as possible.

Rationale: Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory.

Identifiers: CCE-80250-4

Place the FTP Home Directory on its Own Partition

By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on its own partition.

Rationale: If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services.

Identifiers: CCE-80251-2

Restrict the Set of Users Allowed to Access FTP

This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an identified need for this access.

Restrict Access to Anonymous Users if Possible

Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
local_enable=NO
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure these logins as much as possible.

Rationale: The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.

Identifiers: CCE-80249-6

Limit Users Allowed FTP Access if Necessary

If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
USERNAME
If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well:
anonymous
ftp

Rationale: Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist_deny=NO is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.

Use vsftpd to Provide FTP Service if Necessary

If your use-case requires FTP service, install and set up vsftpd to provide it.

Install vsftpd Package

If this system must operate as an FTP server, install the vsftpd package via the standard channels.
The vsftpd package can be installed with the following command:
$ sudo yum install vsftpd

Rationale: After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended.

Identifiers: CCE-80246-2
Remediation Shell script:
if ! rpm -q --quiet "vsftpd" ; then
    yum install -y "vsftpd"
fi

Remediation Ansible snippet:
- name: Ensure vsftpd is installed
  package:
    name: vsftpd
    state: present
  tags:
  - package_vsftpd_installed
  - low_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80246-2
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include install_vsftpd
class install_vsftpd {
  package { 'vsftpd':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=vsftpd
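To check a vsftpd.conf against the settings in the preceding FTP rules (warning banner, transaction logging, uploads, local logins and the user list), here is an added audit script that is not part of this guide or of vsftpd; the defaults it assumes for absent keys are taken from vsftpd.conf(5), and the three sample configurations it builds are constructed.

```shell
#!/bin/sh
# Added example, not part of the SCAP guide or of vsftpd: audit a vsftpd.conf
# against the settings in the FTP rules above (warning banner, verbose logging,
# uploads, local logins and the user list). The defaults assumed for absent
# keys are taken from vsftpd.conf(5); the sample configurations are constructed.

# Print the effective value of a key: the last "key=value" line, or the given
# default when the key never appears. vsftpd rejects whitespace around "=",
# so an exact-prefix match is sufficient.
vsftpd_get() {
    value=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${value:-$3}"
}

# Record a finding when the effective value differs from the expected one.
# Arguments: file key expected built-in-default.
expect_setting() {
    found=$(vsftpd_get "$1" "$2" "$4")
    if [ "$found" != "$3" ]; then
        echo "FAIL $2: expected $3, found ${found:-(unset)}"
        findings=$((findings + 1))
    fi
}

# Audit one configuration file: print every finding and return their count,
# so a zero return value means the file matches all the rules.
vsftpd_audit() {
    findings=0
    expect_setting "$1" banner_file /etc/issue ""   # Create Warning Banners for All FTP Users
    expect_setting "$1" xferlog_enable YES NO        # Enable Logging of All FTP Transactions
    expect_setting "$1" xferlog_std_format NO NO
    expect_setting "$1" log_ftp_protocol YES NO
    expect_setting "$1" write_enable NO NO           # Disable FTP Uploads if Possible
    if [ "$(vsftpd_get "$1" local_enable NO)" = "YES" ]; then
        # Password logins stay on (Restrict Access to Anonymous Users if Possible),
        # so the user list from Limit Users Allowed FTP Access must be in place.
        echo "WARN local_enable=YES: non-anonymous FTP logins are discouraged"
        expect_setting "$1" userlist_enable YES NO
        expect_setting "$1" userlist_deny NO YES
        expect_setting "$1" userlist_file /etc/vsftp.ftpusers ""
    fi
    return $findings
}

# Write a constructed vsftpd.conf to a temporary file and print its path.
# "shipped" resembles the stock RHEL 7 file, "hardened" follows every rule,
# "legacy" keeps local logins but limits them with the user list.
make_sample_vsftpd_conf() {
    tmp=$(mktemp)
    case "$1" in
        shipped) cat > "$tmp" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
EOF
        ;;
        hardened) cat > "$tmp" <<'EOF'
# anonymous read-only download service only
anonymous_enable=YES
local_enable=NO
write_enable=NO
banner_file=/etc/issue
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
listen=NO
listen_ipv6=YES
EOF
        ;;
        legacy) cat > "$tmp" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=NO
banner_file=/etc/issue
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
EOF
        ;;
    esac
    echo "$tmp"
}

# Usage on a real host: vsftpd_audit /etc/vsftpd/vsftpd.conf
sample=$(make_sample_vsftpd_conf shipped)
vsftpd_audit "$sample" || echo "$? finding(s) in the constructed stock-style file"
rm -f "$sample"
```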
Disable vsftpd if Possible

To minimize attack surface, disable vsftpd if at all possible.

Uninstall vsftpd Package

The vsftpd package can be removed with the following command:
$ sudo yum erase vsftpd

Rationale: Removing the vsftpd package decreases the risk of its accidental activation.

Identifiers: CCE-80245-4
Remediation Shell script:
# CAUTION: This remediation script will remove vsftpd
# from the system, and may remove any packages
# that depend on vsftpd. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "vsftpd" ; then
    yum remove -y "vsftpd"
fi

Remediation Ansible snippet:
- name: Ensure vsftpd is removed
  package:
    name: vsftpd
    state: absent
  tags:
  - package_vsftpd_removed
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80245-4
  - DISA-STIG-RHEL-07-040690
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include remove_vsftpd
class remove_vsftpd {
  package { 'vsftpd':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=vsftpd
Disable vsftpd Service

The vsftpd service can be disabled with the following command:
$ sudo systemctl disable vsftpd.service
The vsftpd service can be masked with the following command:
$ sudo systemctl mask vsftpd.service

Rationale: Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information.

Identifiers: CCE-80244-7
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'vsftpd.service'
"$SYSTEMCTL_EXEC" disable 'vsftpd.service'
"$SYSTEMCTL_EXEC" mask 'vsftpd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^vsftpd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'vsftpd.socket'
    "$SYSTEMCTL_EXEC" disable 'vsftpd.socket'
    "$SYSTEMCTL_EXEC" mask 'vsftpd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'vsftpd.service' || true

Remediation Ansible snippet:
- name: Disable service vsftpd
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service vsftpd
    systemd:
      name: vsftpd.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"vsftpd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_vsftpd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80244-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - vsftpd.socket
  command: systemctl list-unit-files vsftpd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_vsftpd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80244-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Disable socket vsftpd
  systemd:
    name: vsftpd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"vsftpd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_vsftpd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80244-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_vsftpd
class disable_vsftpd {
  service {'vsftpd':
    enable => false,
    ensure => 'stopped',
  }
}
SNMP Server

The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintext transmission of the community string (used for authentication) and usage of easily-guessable choices for the community string.

Configure SNMP Server if Necessary

If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP cannot be fully covered here, so only the following general configuration advice can be offered:
- use only SNMP version 3 security models and enable the use of authentication and encryption
- write access to the MIB (Management Information Base) should be allowed only if necessary
- all access to the MIB should be restricted following a principle of least privilege
- network access should be limited to the maximum extent possible, including restricting to expected network addresses both in the configuration files and in the system firewall rules
- ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stations
- ensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictive
- ensure that any MIB files' permissions are also 640 or more restrictive

Configure SNMP Service to Use Only SNMPv3 or Newer

Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec. Upon doing that, restart the SNMP service:
$ sudo service snmpd restart

Rationale: Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.

Identifiers: CCE-80276-9

Ensure SNMP Read Write is disabled

Edit /etc/snmp/snmpd.conf and remove any rwuser entries. Once the read-write users have been removed, restart the SNMP service:
$ sudo service snmpd restart

Rationale: Certain SNMP settings permit users to trigger system behaviours by writing through the community strings. This may permit a compromised account to execute commands on a remote system.

Identifiers: CCE-82732-9
Remediation Shell script:
if grep -s "rwuser" /etc/snmp/snmpd.conf | grep -qv "^#"; then
    sed -i "/^\s*#/b;/rwuser/ s/^/#/" /etc/snmp/snmpd.conf
fi
Ensure Default SNMP Password Is Not Used

Edit /etc/snmp/snmpd.conf and remove or change the default community strings of public and private. Once the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart

Rationale: Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s).

Identifiers: CCE-27386-2
Remediation Shell script:
if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
    sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
fi
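The three snmpd.conf rules above (no v1/v2c community directives, no rwuser write access, no default community strings) and the SNMPv3 authentication-and-encryption advice can be checked together with the following audit script, an added example that is not part of this guide or of net-snmp; directive names and the rouser/rwuser security-level syntax follow snmpd.conf(5), and both sample files it builds are constructed.

```shell
#!/bin/sh
# Added example, not part of the SCAP guide or of net-snmp: audit an snmpd.conf
# against the three SNMP rules above (no v1/v2c community directives, no rwuser
# write access, no default community strings) and the SNMPv3 advice to require
# authentication and encryption. Directive names and the rouser/rwuser
# security-level syntax follow snmpd.conf(5); the sample files are constructed.

# Print one line per finding for the given file and return the number of
# findings (FAIL and WARN lines together); a zero return means a clean file.
snmpd_audit() {
    awk '
        { sub(/#.*/, "") }                  # strip comments ...
        NF == 0 { next }                    # ... and skip empty lines
        # Configure SNMP Service to Use Only SNMPv3: community-based (v1/v2c)
        # access directives. The community token is $2 for ro/rwcommunity and
        # $4 for com2sec (com2sec NAME SOURCE COMMUNITY).
        $1 ~ /^(rocommunity6?|rwcommunity6?|com2sec6?)$/ {
            printf "FAIL v1/v2c directive: %s\n", $0; n++
            c = ($1 ~ /^com2sec/) ? $4 : $2
            # Ensure Default SNMP Password Is Not Used
            if (c == "public" || c == "private") {
                printf "FAIL default community string \"%s\"\n", c; n++
            }
        }
        # Ensure SNMP Read Write is disabled: any SNMPv3 user with write access
        $1 == "rwuser" { printf "FAIL rwuser grants write access: %s\n", $0; n++ }
        # SNMPv3 read-only users must require encryption (priv); the level
        # defaults to auth when omitted, so an empty $3 is flagged too.
        $1 == "rouser" && $3 != "priv" {
            printf "WARN rouser %s runs below the priv level (found \"%s\")\n", $2, $3; n++
        }
        END { exit n }
    ' "$1"
}

# Write a constructed snmpd.conf to a temporary file and print its path.
make_sample_snmpd_conf() {
    tmp=$(mktemp)
    case "$1" in
        weak) cat > "$tmp" <<'EOF'
# Constructed sample resembling the stock file: v2c communities and a write user
com2sec notConfigUser  default       public
group   notConfigGroup v2c           notConfigUser
view    systemview    included   .1.3.6.1.2.1.1
access  notConfigGroup ""      any       noauth    exact  systemview none none
rwcommunity private 192.0.2.0/24
rwuser admin
rouser monitor auth
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost>
EOF
        ;;
        hardened) cat > "$tmp" <<'EOF'
# SNMPv3 only: one read-only user at the authPriv level, no community strings,
# agent bound to a single expected address. Passphrases are placeholders.
createUser monitor SHA "AUTH-PASSPHRASE-PLACEHOLDER" AES "PRIV-PASSPHRASE-PLACEHOLDER"
rouser monitor priv
agentAddress udp:127.0.0.1:161
syslocation Constructed example
syscontact Security Operations <soc@example.invalid>
EOF
        ;;
    esac
    echo "$tmp"
}

# Usage on a real host: snmpd_audit /etc/snmp/snmpd.conf
sample=$(make_sample_snmpd_conf weak)
snmpd_audit "$sample" || echo "$? finding(s) in the constructed weak file"
rm -f "$sample"
```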
Disable SNMP Server if Possible

The system includes an SNMP daemon that allows for its remote monitoring, though it is not installed by default. If it was installed and activated but is not needed, the software should be disabled and removed.

Uninstall net-snmp Package

The net-snmp package provides the snmpd service.
The net-snmp package can be removed with the following command:
$ sudo yum erase net-snmp

Rationale: If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.

Identifiers: CCE-80275-1
Remediation Shell script:
# CAUTION: This remediation script will remove net-snmp
# from the system, and may remove any packages
# that depend on net-snmp. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "net-snmp" ; then
    yum remove -y "net-snmp"
fi

Remediation Ansible snippet:
- name: Ensure net-snmp is removed
  package:
    name: net-snmp
    state: absent
  tags:
  - package_net-snmp_removed
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80275-1

Remediation Puppet snippet:
include remove_net-snmp
class remove_net-snmp {
  package { 'net-snmp':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=net-snmp
Disable snmpd Service
The snmpd service can be disabled with the following command:
$ sudo systemctl disable snmpd.service
The snmpd service can be masked with the following command:
$ sudo systemctl mask snmpd.service
References: 2.2.14, SRG-OS-000480-VMM-002000
Rationale: Running SNMP software provides a network-based avenue of attack, and
should be disabled if not needed.
Identifiers: CCE-80274-4
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'snmpd.service'
"$SYSTEMCTL_EXEC" disable 'snmpd.service'
"$SYSTEMCTL_EXEC" mask 'snmpd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^snmpd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'snmpd.socket'
    "$SYSTEMCTL_EXEC" disable 'snmpd.socket'
    "$SYSTEMCTL_EXEC" mask 'snmpd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'snmpd.service' || true
Remediation Ansible snippet:
- name: Disable service snmpd
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service snmpd
      systemd:
        name: snmpd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"snmpd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_snmpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80274-4
- name: Unit Socket Exists - snmpd.socket
  command: systemctl list-unit-files snmpd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_snmpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80274-4
- name: Disable socket snmpd
  systemd:
    name: snmpd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"snmpd.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_snmpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80274-4
Remediation Puppet snippet:
include disable_snmpd
class disable_snmpd {
  service {'snmpd':
    enable => false,
    ensure => 'stopped',
  }
}
Cron and At Daemons
The cron and at services are used to allow commands to
be executed at a later time. The cron service is required by almost
all systems to perform necessary maintenance tasks, while at may or
may not be required on a given system. Both daemons should be
configured defensively.
Install the cron service
The Cron service should be installed.
References: NT28(R50), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3
Rationale: The cron service allows periodic job execution, needed for almost all administrative tasks and services (software updates, log rotation, etc.). Access to the cron service should be restricted to administrative accounts only.
Remediation Shell script:
if ! rpm -q --quiet "cron" ; then
    yum install -y "cron"
fi
Remediation Ansible snippet:
- name: Ensure cron is installed
  package:
    name: cron
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_cron_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include install_cron
class install_cron {
  package { 'cron':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=cron
Enable cron Service
The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service
References: 5.1.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3
Rationale: Due to its usage for maintenance and security-supporting tasks,
enabling the cron daemon is essential.
Identifiers: CCE-27323-5
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'crond.service'
"$SYSTEMCTL_EXEC" enable 'crond.service'
Remediation Ansible snippet:
- name: Enable service crond
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service crond
      service:
        name: crond
        enabled: 'yes'
        state: started
      when:
        - '"cronie" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_crond_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27323-5
    - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include enable_crond
class enable_crond {
  service {'crond':
    enable => true,
    ensure => 'running',
  }
}
Enable cron Service
The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The cron service can be enabled with the following command:
$ sudo systemctl enable cron.service
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3
Rationale: Due to its usage for maintenance and security-supporting tasks,
enabling the cron daemon is essential.
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'cron.service'
"$SYSTEMCTL_EXEC" enable 'cron.service'
Remediation Ansible snippet:
- name: Enable service cron
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service cron
      service:
        name: cron
        enabled: 'yes'
        state: started
      when:
        - '"cron" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_cron_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include enable_cron
class enable_cron {
  service {'cron':
    enable => true,
    ensure => 'running',
  }
}
Disable At Service (atd)
The at and batch commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon atd keeps track of tasks scheduled via
at and batch, and executes them at the specified time.
The atd service can be disabled with the following command:
$ sudo systemctl disable atd.service
The atd service can be masked with the following command:
$ sudo systemctl mask atd.service
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: The atd service could be used by an unsophisticated insider to carry
out activities outside of a normal login session, which could complicate
accountability. Furthermore, the need to schedule tasks with at or
batch is not common.
Identifiers: CCE-80345-2
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'atd.service'
"$SYSTEMCTL_EXEC" disable 'atd.service'
"$SYSTEMCTL_EXEC" mask 'atd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^atd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'atd.socket'
    "$SYSTEMCTL_EXEC" disable 'atd.socket'
    "$SYSTEMCTL_EXEC" mask 'atd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'atd.service' || true
Remediation Ansible snippet:
- name: Disable service atd
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service atd
      systemd:
        name: atd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"atd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_atd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80345-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - atd.socket
  command: systemctl list-unit-files atd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_atd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80345-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket atd
  systemd:
    name: atd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"atd.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_atd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80345-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include disable_atd
class disable_atd {
  service {'atd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable anacron Service
The cronie-anacron package, which provides anacron
functionality, is installed by default.
The cronie-anacron package can be removed with the following command:
$ sudo yum erase cronie-anacron
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: The anacron service provides cron functionality for systems
such as laptops and workstations that may be shut down during the normal times
that cron jobs are scheduled to run. On systems which do not require this
additional functionality, anacron could needlessly increase the possible
attack surface for an intruder.
Identifiers: CCE-80344-5
Verify Owner on crontab
To properly set the owner of /etc/crontab, run the command:
$ sudo chown root /etc/crontab
References: 5.1.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes.
Identifiers: CCE-82217-1
Remediation Shell script:
chown 0 /etc/crontab
Remediation Ansible snippet:
- name: Test for existence /etc/crontab
  stat:
    path: /etc/crontab
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_crontab
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82217-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure owner 0 on /etc/crontab
  file:
    path: /etc/crontab
    owner: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_crontab
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82217-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Owner on cron.d
To properly set the owner of /etc/cron.d, run the command:
$ sudo chown root /etc/cron.d
References: 5.1.7, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes.
Identifiers: CCE-82270-0
Remediation Shell script:
chown 0 /etc/cron.d/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.d/
  stat:
    path: /etc/cron.d/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_cron_d
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82270-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure owner 0 on /etc/cron.d/
  file:
    path: /etc/cron.d/
    owner: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_cron_d
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82270-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Owner on cron.hourly
To properly set the owner of /etc/cron.hourly, run the command:
$ sudo chown root /etc/cron.hourly
References: 5.1.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes.
Identifiers: CCE-82208-0
Remediation Shell script:
chown 0 /etc/cron.hourly/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.hourly/
  stat:
    path: /etc/cron.hourly/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_cron_hourly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82208-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure owner 0 on /etc/cron.hourly/
  file:
    path: /etc/cron.hourly/
    owner: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_cron_hourly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82208-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Group Who Owns cron.daily
To properly set the group owner of /etc/cron.daily, run the command:
$ sudo chgrp root /etc/cron.daily
References: 5.1.4, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.
Identifiers: CCE-82232-0
Remediation Shell script:
chgrp 0 /etc/cron.daily/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.daily/
  stat:
    path: /etc/cron.daily/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_cron_daily
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82232-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure group owner 0 on /etc/cron.daily/
  file:
    path: /etc/cron.daily/
    group: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_cron_daily
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82232-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Group Who Owns Crontab
To properly set the group owner of /etc/crontab, run the command:
$ sudo chgrp root /etc/crontab
References: 5.1.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.
Identifiers: CCE-82222-1
Remediation Shell script:
chgrp 0 /etc/crontab
Remediation Ansible snippet:
- name: Test for existence /etc/crontab
  stat:
    path: /etc/crontab
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_crontab
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82222-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure group owner 0 on /etc/crontab
  file:
    path: /etc/crontab
    group: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_crontab
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82222-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Permissions on cron.hourly
To properly set the permissions of /etc/cron.hourly, run the command:
$ sudo chmod 0700 /etc/cron.hourly
References: 5.1.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes.
Identifiers: CCE-82229-6
Remediation Shell script:
chmod 0700 /etc/cron.hourly/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.hourly/
  stat:
    path: /etc/cron.hourly/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_cron_hourly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82229-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure permission 0700 on /etc/cron.hourly/
  file:
    path: /etc/cron.hourly/
    mode: '0700'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_cron_hourly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82229-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Group Who Owns cron.weekly
To properly set the group owner of /etc/cron.weekly, run the command:
$ sudo chgrp root /etc/cron.weekly
References: 5.1.5, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.
Identifiers: CCE-82242-9
Remediation Shell script:
chgrp 0 /etc/cron.weekly/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.weekly/
  stat:
    path: /etc/cron.weekly/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_cron_weekly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82242-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure group owner 0 on /etc/cron.weekly/
  file:
    path: /etc/cron.weekly/
    group: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_cron_weekly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82242-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Permissions on cron.daily
To properly set the permissions of /etc/cron.daily, run the command:
$ sudo chmod 0700 /etc/cron.daily
References: 5.1.4, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes.
Identifiers: CCE-82239-5
Remediation Shell script:
chmod 0700 /etc/cron.daily/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.daily/
  stat:
    path: /etc/cron.daily/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_cron_daily
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82239-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure permission 0700 on /etc/cron.daily/
  file:
    path: /etc/cron.daily/
    mode: '0700'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_cron_daily
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82239-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Permissions on crontab
To properly set the permissions of /etc/crontab, run the command:
$ sudo chmod 0600 /etc/crontab
References: 5.1.2, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes.
Identifiers: CCE-82205-6
Remediation Shell script:
chmod 0600 /etc/crontab
Remediation Ansible snippet:
- name: Test for existence /etc/crontab
  stat:
    path: /etc/crontab
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_crontab
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82205-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure permission 0600 on /etc/crontab
  file:
    path: /etc/crontab
    mode: '0600'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_crontab
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82205-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Group Who Owns cron.d
To properly set the group owner of /etc/cron.d, run the command:
$ sudo chgrp root /etc/cron.d
References: 5.1.7, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.
Identifiers: CCE-82265-0
Remediation Shell script:
chgrp 0 /etc/cron.d/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.d/
  stat:
    path: /etc/cron.d/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_cron_d
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82265-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure group owner 0 on /etc/cron.d/
  file:
    path: /etc/cron.d/
    group: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_cron_d
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82265-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Owner on cron.monthly
To properly set the owner of /etc/cron.monthly, run the command:
$ sudo chown root /etc/cron.monthly
References: 5.1.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes.
Identifiers: CCE-82259-3
Remediation Shell script:
chown 0 /etc/cron.monthly/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.monthly/
  stat:
    path: /etc/cron.monthly/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_cron_monthly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82259-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure owner 0 on /etc/cron.monthly/
  file:
    path: /etc/cron.monthly/
    owner: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_cron_monthly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82259-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Permissions on cron.monthly
To properly set the permissions of /etc/cron.monthly, run the command:
$ sudo chmod 0700 /etc/cron.monthly
References: 5.1.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes.
Identifiers: CCE-82262-7
Remediation Shell script:
chmod 0700 /etc/cron.monthly/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.monthly/
  stat:
    path: /etc/cron.monthly/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_cron_monthly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82262-7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure permission 0700 on /etc/cron.monthly/
  file:
    path: /etc/cron.monthly/
    mode: '0700'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_cron_monthly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82262-7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Permissions on cron.d
To properly set the permissions of /etc/cron.d, run the command:
$ sudo chmod 0700 /etc/cron.d
References: 5.1.7, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the
correct access rights to prevent unauthorized changes.
Identifiers: CCE-82276-7
Remediation Shell script:
chmod 0700 /etc/cron.d/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.d/
  stat:
    path: /etc/cron.d/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_cron_d
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82276-7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure permission 0700 on /etc/cron.d/
  file:
    path: /etc/cron.d/
    mode: '0700'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_cron_d
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82276-7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Group Who Owns cron.hourly
To properly set the group owner of /etc/cron.hourly, run the command:
$ sudo chgrp root /etc/cron.hourly
References: 5.1.3, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly,
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.
Identifiers: CCE-82226-2
Remediation Shell script:
chgrp 0 /etc/cron.hourly/
Remediation Ansible snippet:
- name: Test for existence /etc/cron.hourly/
  stat:
    path: /etc/cron.hourly/
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_cron_hourly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82226-2
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure group owner 0 on /etc/cron.hourly/
  file:
    path: /etc/cron.hourly/
    group: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_cron_hourly
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82226-2
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Permissions on cron.weekly
To properly set the permissions of /etc/cron.weekly, run the command:
    $ sudo chmod 0700 /etc/cron.weekly

References: CIS 5.1.5; CIS CSC 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; ISA-62443-2009 4.3.3.7.3; ISA-62443-2013 SR 2.1, SR 5.2; ISO/IEC 27001:2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 CM-6(a), AC-6(1); NIST CSF PR.AC-4, PR.DS-5; OS SRG SRG-OS-000480-GPOS-00227

Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

Identifiers: CCE-82250-2

Remediation Shell script:
    chmod 0700 /etc/cron.weekly/

Remediation Ansible snippet:
    - name: Test for existence /etc/cron.weekly/
      stat:
        path: /etc/cron.weekly/
      register: file_exists
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_permissions_cron_weekly
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-82250-2
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)

    - name: Ensure permission 0700 on /etc/cron.weekly/
      file:
        path: /etc/cron.weekly/
        mode: '0700'
      when:
      - file_exists.stat is defined and file_exists.stat.exists
      - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_permissions_cron_weekly
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-82250-2
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)
Verify Owner on cron.daily
To properly set the owner of /etc/cron.daily, run the command:
    $ sudo chown root /etc/cron.daily

References: CIS 5.1.4; CIS CSC 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; ISA-62443-2009 4.3.3.7.3; ISA-62443-2013 SR 2.1, SR 5.2; ISO/IEC 27001:2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 CM-6(a), AC-6(1); NIST CSF PR.AC-4, PR.DS-5; OS SRG SRG-OS-000480-GPOS-00227

Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Identifiers: CCE-82236-1

Remediation Shell script:
    chown 0 /etc/cron.daily/

Remediation Ansible snippet:
    - name: Test for existence /etc/cron.daily/
      stat:
        path: /etc/cron.daily/
      register: file_exists
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_owner_cron_daily
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-82236-1
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)

    - name: Ensure owner 0 on /etc/cron.daily/
      file:
        path: /etc/cron.daily/
        owner: '0'
      when:
      - file_exists.stat is defined and file_exists.stat.exists
      - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_owner_cron_daily
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-82236-1
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)
Verify Group Who Owns cron.monthly
To properly set the group owner of /etc/cron.monthly, run the command:
    $ sudo chgrp root /etc/cron.monthly

References: CIS 5.1.6; CIS CSC 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; ISA-62443-2009 4.3.3.7.3; ISA-62443-2013 SR 2.1, SR 5.2; ISO/IEC 27001:2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 CM-6(a), AC-6(1); NIST CSF PR.AC-4, PR.DS-5; OS SRG SRG-OS-000480-GPOS-00227

Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Identifiers: CCE-82255-1

Remediation Shell script:
    chgrp 0 /etc/cron.monthly/

Remediation Ansible snippet:
    - name: Test for existence /etc/cron.monthly/
      stat:
        path: /etc/cron.monthly/
      register: file_exists
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_groupowner_cron_monthly
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-82255-1
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)

    - name: Ensure group owner 0 on /etc/cron.monthly/
      file:
        path: /etc/cron.monthly/
        group: '0'
      when:
      - file_exists.stat is defined and file_exists.stat.exists
      - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_groupowner_cron_monthly
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-82255-1
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)
Verify Owner on cron.weekly
To properly set the owner of /etc/cron.weekly, run the command:
    $ sudo chown root /etc/cron.weekly

References: CIS 5.1.5; CIS CSC 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; ISA-62443-2009 4.3.3.7.3; ISA-62443-2013 SR 2.1, SR 5.2; ISO/IEC 27001:2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 CM-6(a), AC-6(1); NIST CSF PR.AC-4, PR.DS-5; OS SRG SRG-OS-000480-GPOS-00227

Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Identifiers: CCE-82246-0

Remediation Shell script:
    chown 0 /etc/cron.weekly/

Remediation Ansible snippet:
    - name: Test for existence /etc/cron.weekly/
      stat:
        path: /etc/cron.weekly/
      register: file_exists
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_owner_cron_weekly
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-82246-0
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)

    - name: Ensure owner 0 on /etc/cron.weekly/
      file:
        path: /etc/cron.weekly/
        owner: '0'
      when:
      - file_exists.stat is defined and file_exists.stat.exists
      - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_owner_cron_weekly
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-82246-0
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)
Restrict at and cron to Authorized Users if Necessary

The /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed to use cron and at to delay execution of processes. If these files exist and if the corresponding files /etc/cron.deny and /etc/at.deny do not exist, then only users listed in the relevant allow files can run the crontab and at commands to submit jobs to be run at scheduled intervals. On many systems, only the system administrator needs the ability to schedule jobs. Note that even if a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file controls only administrative access to the crontab command for scheduling and modifying cron jobs.

To restrict at and cron to only authorized users:

1. Remove the cron.deny file:
    $ sudo rm /etc/cron.deny
2. Edit /etc/cron.allow, adding one line for each user allowed to use the crontab command to create cron jobs.
3. Remove the at.deny file:
    $ sudo rm /etc/at.deny
4. Edit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs.

Verify Group Who Owns /etc/cron.allow file

If /etc/cron.allow exists, it must be group-owned by root.
To properly set the group owner of /etc/cron.allow, run the command:
    $ sudo chgrp root /etc/cron.allow

References: CIS CSC 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; DISA CCI CCI-000366; ISA-62443-2009 4.3.3.7.3; ISA-62443-2013 SR 2.1, SR 5.2; ISO/IEC 27001:2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 CM-6(a), AC-6(1); NIST CSF PR.AC-4, PR.DS-5; OS SRG SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-021120, SV-86679r2_rule

Rationale: If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Identifiers: CCE-80379-1

Remediation Shell script:
    chgrp 0 /etc/cron.allow

Remediation Ansible snippet:
    - name: Test for existence /etc/cron.allow
      stat:
        path: /etc/cron.allow
      register: file_exists
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_groupowner_cron_allow
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-80379-1
      - DISA-STIG-RHEL-07-021120
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)

    - name: Ensure group owner 0 on /etc/cron.allow
      file:
        path: /etc/cron.allow
        group: '0'
      when:
      - file_exists.stat is defined and file_exists.stat.exists
      - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_groupowner_cron_allow
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-80379-1
      - DISA-STIG-RHEL-07-021120
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)
Verify User Who Owns /etc/cron.allow file

If /etc/cron.allow exists, it must be owned by root.
To properly set the owner of /etc/cron.allow, run the command:
    $ sudo chown root /etc/cron.allow

References: CIS CSC 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; DISA CCI CCI-000366; ISA-62443-2009 4.3.3.7.3; ISA-62443-2013 SR 2.1, SR 5.2; ISO/IEC 27001:2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST 800-53 CM-6(a), AC-6(1); NIST CSF PR.AC-4, PR.DS-5; OS SRG SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-021110, SV-86677r3_rule

Rationale: If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Identifiers: CCE-80378-3

Remediation Shell script:
    chown 0 /etc/cron.allow

Remediation Ansible snippet:
    - name: Test for existence /etc/cron.allow
      stat:
        path: /etc/cron.allow
      register: file_exists
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_owner_cron_allow
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-80378-3
      - DISA-STIG-RHEL-07-021110
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)

    - name: Ensure owner 0 on /etc/cron.allow
      file:
        path: /etc/cron.allow
        owner: '0'
      when:
      - file_exists.stat is defined and file_exists.stat.exists
      - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - file_owner_cron_allow
      - medium_severity
      - configure_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-80378-3
      - DISA-STIG-RHEL-07-021110
      - NIST-800-53-CM-6(a)
      - NIST-800-53-AC-6(1)
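As an added check (not part of the guide or the scap-security-guide project), the following bash audit walks the cron directories and the cron/at allow files under a root prefix and reports every departure from the rules above: owner, group and mode of the five cron directories, owner and group of /etc/cron.allow and /etc/at.allow, and a .deny file left next to an .allow file, which the "Restrict at and cron" section says defeats the allow list. The root-prefix, uid and gid parameters are this example's own design so that a staged tree can be tested; it assumes GNU coreutils stat as shipped on RHEL.

```bash
#!/bin/bash
# Added example: audit cron directories and allow files against the rules above.
#   $1  root prefix: empty or "/" for the live system, or a staged tree for testing
#   $2  expected owner uid (default 0 = root)
#   $3  expected group gid (default 0 = root)
# Prints one FAIL line per finding and returns the number of findings (0 = compliant).
# Assumes GNU coreutils stat (-c %u/%g/%a), as on RHEL.

findings=0

_fail() {
    echo "FAIL: $1"
    findings=$((findings + 1))
}

# _check_owner_group PATH WANT_UID WANT_GID
_check_owner_group() {
    local uid gid
    uid=$(stat -c '%u' "$1")
    gid=$(stat -c '%g' "$1")
    [ "$uid" = "$2" ] || _fail "$1 is owned by uid $uid, expected $2"
    [ "$gid" = "$3" ] || _fail "$1 is group-owned by gid $gid, expected $3"
}

audit_cron_tree() {
    local root="${1%/}" want_uid="${2:-0}" want_gid="${3:-0}" d f path deny mode
    findings=0
    # The five cron directories: owner root, group root, mode 0700 (chmod 0700 above).
    for d in cron.d cron.hourly cron.daily cron.weekly cron.monthly; do
        path="$root/etc/$d"
        [ -d "$path" ] || continue          # not present on this system: nothing to check
        _check_owner_group "$path" "$want_uid" "$want_gid"
        mode=$(stat -c '%a' "$path")        # octal without leading zero, e.g. 700
        [ "$mode" = "700" ] || _fail "$path has mode $mode, expected 700"
    done
    # cron.allow / at.allow: optional, but when present must be root-owned, and the
    # matching .deny file must be gone or the allow list has no effect.
    for f in cron.allow at.allow; do
        path="$root/etc/$f"
        [ -f "$path" ] || continue
        _check_owner_group "$path" "$want_uid" "$want_gid"
        deny="$root/etc/${f%.allow}.deny"
        if [ -e "$deny" ]; then
            _fail "$deny exists alongside $path; remove it so only listed users can schedule jobs"
        fi
    done
    echo "$findings finding(s)"
    return "$findings"
}

# Stand-alone run: read-only audit of the live system against root ownership.
audit_cron_tree "$@" || :
```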
X Window System

The X Window System implementation included with the system is called X.org.

Disable X Windows

Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and remove the X Windows software packages. There is usually no reason to run X Windows on a dedicated server system, as it increases the system's attack surface and consumes system resources. Administrators of server systems should instead log in via SSH or on the text console.

Remove the X Windows Package Group

By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into graphical.target mode. To do so, run the following commands:
    $ sudo yum groupremove "X Window System"
    $ sudo yum remove xorg-x11-server-common

References: CIS 2.2.2; CIS CSC 12, 15, 8; COBIT 5 APO13.01, DSS01.04, DSS05.02, DSS05.03; DISA CCI CCI-000366; ISA-62443-2009 4.3.3.6.6; ISA-62443-2013 SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2; NIST 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.PT-4; OS SRG SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-040730, SV-86931r4_rule

Rationale: Unnecessary service packages must not be installed to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

Identifiers: CCE-27218-7

Remediation Shell script:
    # CAUTION: This remediation script will remove xorg-x11-server-common
    # from the system, and may remove any packages
    # that depend on xorg-x11-server-common. Execute this
    # remediation AFTER testing on a non-production
    # system!
    if rpm -q --quiet "xorg-x11-server-common" ; then
        yum remove -y "xorg-x11-server-common"
    fi

Remediation Ansible snippet:
    - name: Ensure xorg-x11-server-common is removed
      package:
        name: xorg-x11-server-common
        state: absent
      tags:
      - package_xorg-x11-server-common_removed
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-27218-7
      - DISA-STIG-RHEL-07-040730
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
    include remove_xorg-x11-server-common
    class remove_xorg-x11-server-common {
      package { 'xorg-x11-server-common':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:
    package --remove=xorg-x11-server-common
Disable X Windows Startup By Setting Default Target

Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run:
    $ systemctl set-default multi-user.target
You should see the following output:
    rm '/etc/systemd/system/default.target'
    ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'

References: CIS CSC 12, 15, 8; COBIT 5 APO13.01, DSS01.04, DSS05.02, DSS05.03; DISA CCI CCI-000366; ISA-62443-2009 4.3.3.6.6; ISA-62443-2013 SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2; NIST 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.PT-4; OS SRG SRG-OS-000480-GPOS-00227

Rationale: Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and should not be used unless approved and documented.

Identifiers: CCE-27285-6

Network Routing

A router is a very desirable target for a potential adversary because it fulfills a variety of infrastructure networking roles such as access to network segments, gateways to other networks, filtering, etc. Therefore, if one is required, the system acting as a router should be dedicated to that purpose alone and be stored in a physically secure location. The system's default routing software is Quagga, and is provided in an RPM package of the same name.

Disable Quagga if Possible

If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.

Uninstall quagga Package

The quagga package can be removed with the following command:
    $ sudo yum erase quagga

References: CIS CSC 12, 15, 8; COBIT 5 APO13.01, DSS05.02; DISA CCI CCI-000366; ISA-62443-2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3; NIST 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.PT-4; OS SRG SRG-OS-000480-GPOS-00227

Rationale: Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network. If there is no need to make the router software available, removing it provides a safeguard against its activation.

Identifiers: CCE-27594-1
Remediation Shell script:
    # CAUTION: This remediation script will remove quagga
    # from the system, and may remove any packages
    # that depend on quagga. Execute this
    # remediation AFTER testing on a non-production
    # system!
    if rpm -q --quiet "quagga" ; then
        yum remove -y "quagga"
    fi

Remediation Ansible snippet:
    - name: Ensure quagga is removed
      package:
        name: quagga
        state: absent
      tags:
      - package_quagga_removed
      - low_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-27594-1
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
    include remove_quagga
    class remove_quagga {
      package { 'quagga':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:
    package --remove=quagga
Disable Quagga Service

The zebra service can be disabled with the following command:
    $ sudo systemctl disable zebra.service
The zebra service can be masked with the following command:
    $ sudo systemctl mask zebra.service

References: CIS CSC 12, 15, 8; COBIT 5 APO13.01, DSS05.02; DISA CCI CCI-000366; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3; NIST 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.PT-4; OS SRG SRG-OS-000480-GPOS-00227

Rationale: Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network.

Identifiers: CCE-27191-6
Remediation Shell script:
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'zebra.service'
    "$SYSTEMCTL_EXEC" disable 'zebra.service'
    "$SYSTEMCTL_EXEC" mask 'zebra.service'
    # Disable socket activation if we have a unit file for it
    if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^zebra.socket'; then
        "$SYSTEMCTL_EXEC" stop 'zebra.socket'
        "$SYSTEMCTL_EXEC" disable 'zebra.socket'
        "$SYSTEMCTL_EXEC" mask 'zebra.socket'
    fi
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'zebra.service' || true

Remediation Ansible snippet:
    - name: Disable service zebra
      block:
      - name: Gather the service facts
        service_facts: null
      - name: Disable service zebra
        systemd:
          name: zebra.service
          enabled: 'no'
          state: stopped
          masked: 'yes'
        when: '"zebra.service" in ansible_facts.services'
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - service_zebra_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-27191-6
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

    - name: Unit Socket Exists - zebra.socket
      command: systemctl list-unit-files zebra.socket
      args:
        warn: false
      register: socket_file_exists
      changed_when: false
      ignore_errors: true
      check_mode: false
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - service_zebra_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-27191-6
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

    - name: Disable socket zebra
      systemd:
        name: zebra.socket
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when:
      - '"zebra.socket" in socket_file_exists.stdout_lines[1]'
      - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - service_zebra_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-27191-6
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
    include disable_zebra
    class disable_zebra {
      service {'zebra':
        enable => false,
        ensure => 'stopped',
      }
    }
DNS Server

Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any system on which it is not needed.

Protect DNS Data from Tampering or Attack

This section discusses DNS configuration options which make it more difficult for attackers to gain access to private DNS data or to modify DNS data.

Disable Zone Transfers from the Nameserver

Is it necessary for a secondary nameserver to receive zone data via zone transfer from the primary server? If not, follow the instructions in this section. If so, see the next section for instructions on protecting zone transfers.
Add or correct the following directive within /etc/named.conf:
    options {
      allow-transfer { none; };
      ...
    };

Rationale: If both the primary and secondary nameserver are under your control, or if you have only one nameserver, it may be possible to use an external configuration management mechanism to distribute zone updates. In that case, it is not necessary to allow zone transfers within BIND itself, so they should be disabled to avoid the potential for abuse.

Identifiers: CCE-80327-0

Disable Dynamic Updates

Is there a mission-critical reason to enable the risky dynamic update functionality? If not, edit /etc/named.conf. For each zone specification, correct the following directive if necessary:
    zone "example.com" IN {
      allow-update { none; };
      ...
    };

Rationale: Dynamic updates allow remote servers to add, delete, or modify any entries in your zone file. Therefore, they should be considered highly risky, and disabled unless there is a very good reason for their use. If dynamic updates must be allowed, IP-based ACLs are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see the previous section for an example), and consider using the update-policy directive to restrict changes to only the precise type of change needed.

Identifiers: CCE-80329-6

Authenticate Zone Transfers

If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory:
    $ cd /tmp
    $ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
    Kdns.example.com.+aaa+iiiii
This output is the name of a file containing the new key. Read the file to find the base64-encoded key string:
    $ sudo cat Kdns.example.com.+NNN+MMMMM.key
    dns.example.com IN KEY 512 3 157 base64-key-string
Add the directives to /etc/named.conf on the primary server:
    key zone-transfer-key {
      algorithm hmac-md5;
      secret "base64-key-string";
    };
    zone "example.com" IN {
      type master;
      allow-transfer { key zone-transfer-key; };
      ...
    };
Add the directives below to /etc/named.conf on the secondary nameserver:
    key zone-transfer-key {
      algorithm hmac-md5;
      secret "base64-key-string";
    };
    server IP-OF-MASTER {
      keys { zone-transfer-key; };
    };
    zone "example.com" IN {
      type slave;
      masters { IP-OF-MASTER; };
      ...
    };
The purpose of the dnssec-keygen command is to create the shared secret string base64-key-string. Once this secret has been obtained and inserted into named.conf on the primary and secondary servers, the key files Kdns.example.com.+NNN+MMMMM.key and Kdns.example.com.+NNN+MMMMM.private are no longer needed, and may safely be deleted.

References: CIS CSC 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; NIST 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: The BIND transaction signature (TSIG) functionality allows primary and secondary nameservers to use a shared secret to verify authorization to perform zone transfers. This method is more secure than using IP-based limiting to restrict nameserver access, since IP addresses can be easily spoofed. However, if you cannot configure TSIG between your servers because, for instance, the secondary nameserver is not under your control and its administrators are unwilling to configure TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs as a last resort.

Identifiers: CCE-80328-8

Run Separate DNS Servers for External and Internal Queries

Is it possible to run external and internal nameservers on separate systems? If so, follow the configuration guidance in this section. On the external nameserver, edit /etc/named.conf to add or correct the following directives:
    options {
      allow-query { any; };
      recursion no;
      ...
    };
    zone "example.com" IN {
      ...
    };
On the internal nameserver, edit /etc/named.conf. Add or correct the following directives, where SUBNET is the numerical IP representation of your organization in the form xxx.xxx.xxx.xxx/xx:
    acl internal {
      SUBNET;
      localhost;
    };
    options {
      allow-query { internal; };
      ...
    };
    zone "internal.example.com" IN {
      ...
    };

Use Views to Partition External and Internal Information

If it is not possible to run external and internal nameservers on separate physical systems, run BIND9 and simulate this feature using views. Edit /etc/named.conf. Add or correct the following directives (where SUBNET is the numerical IP representation of your organization in the form xxx.xxx.xxx.xxx/xx):
    acl internal {
      SUBNET;
      localhost;
    };
    view "internal-view" {
      match-clients { internal; };
      zone "." IN {
        type hint;
        file "db.cache";
      };
      zone "internal.example.com" IN {
        ...
      };
    };
    view "external-view" {
      match-clients { any; };
      recursion no;
      zone "example.com" IN {
        ...
      };
    };
As shown in the example, database files which are required for recursion, such as the root hints file, must be available to any clients which are allowed to make recursive queries. Under typical circumstances, this includes only the internal clients which are allowed to use this server as a general-purpose nameserver.

Isolate DNS from Other Services

This section discusses mechanisms for preventing the DNS server from interfering with other services. This is done both to protect the remainder of the network should a nameserver be compromised, and to make direct attacks on nameservers more difficult.

Run DNS Software in a chroot Jail

Install the bind-chroot package:
    $ sudo yum install bind-chroot
Place a valid named.conf file inside the chroot jail:
    $ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf
    $ sudo chown root:root /var/named/chroot/etc/named.conf
    $ sudo chmod 644 /var/named/chroot/etc/named.conf
Create and populate an appropriate zone directory within the jail, based on the options directive. If your named.conf includes:
    options {
      directory "/path/to/DIRNAME";
      ...
    };
then copy that directory and its contents from the original zone directory:
    $ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME
Add or correct the following line within /etc/sysconfig/named:
    ROOTDIR=/var/named/chroot

If you are running BIND in a chroot jail, then you should use the jailed named.conf as the primary nameserver configuration file. That is, when this guide recommends editing /etc/named.conf, you should instead edit /var/named/chroot/etc/named.conf.

Run DNS Software on Dedicated Servers

Since DNS is a high-risk service which must frequently be made available to the entire Internet, it is strongly recommended that no other services be offered by systems which act as organizational DNS servers.

Disable DNS Server

DNS software should be disabled on any system which does not need to be a nameserver. Note that the BIND DNS server software is not installed on Red Hat Enterprise Linux 7 by default. The remainder of this section discusses secure configuration of systems which must be nameservers.

Uninstall bind Package

The named service is provided by the bind package. The bind package can be removed with the following command:
    $ sudo yum erase bind

References: CIS CSC 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; DISA CCI CCI-000366; ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; NIST 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: If there is no need to make DNS server software available, removing it provides a safeguard against its activation.

Identifiers: CCE-80326-2
Remediation Shell script:
    # CAUTION: This remediation script will remove bind
    # from the system, and may remove any packages
    # that depend on bind. Execute this
    # remediation AFTER testing on a non-production
    # system!
    if rpm -q --quiet "bind" ; then
        yum remove -y "bind"
    fi

Remediation Ansible snippet:
    - name: Ensure bind is removed
      package:
        name: bind
        state: absent
      tags:
      - package_bind_removed
      - low_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-80326-2
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
    include remove_bind
    class remove_bind {
      package { 'bind':
        ensure => 'purged',
      }
    }

Remediation Anaconda snippet:
    package --remove=bind
Disable named Service

The named service can be disabled with the following command:
    $ sudo systemctl disable named.service
The named service can be masked with the following command:
    $ sudo systemctl mask named.service

References: CIS 2.2.8; CIS CSC 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; DISA CCI CCI-000366; ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; NIST 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: All network services involve some risk of compromise due to implementation flaws and should be disabled if possible.

Identifiers: CCE-80325-4
Remediation Shell script:
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'named.service'
    "$SYSTEMCTL_EXEC" disable 'named.service'
    "$SYSTEMCTL_EXEC" mask 'named.service'
    # Disable socket activation if we have a unit file for it
    if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^named.socket'; then
        "$SYSTEMCTL_EXEC" stop 'named.socket'
        "$SYSTEMCTL_EXEC" disable 'named.socket'
        "$SYSTEMCTL_EXEC" mask 'named.socket'
    fi
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    "$SYSTEMCTL_EXEC" reset-failed 'named.service' || true

Remediation Ansible snippet:
    - name: Disable service named
      block:
      - name: Gather the service facts
        service_facts: null
      - name: Disable service named
        systemd:
          name: named.service
          enabled: 'no'
          state: stopped
          masked: 'yes'
        when: '"named.service" in ansible_facts.services'
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - service_named_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-80325-4
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

    - name: Unit Socket Exists - named.socket
      command: systemctl list-unit-files named.socket
      args:
        warn: false
      register: socket_file_exists
      changed_when: false
      ignore_errors: true
      check_mode: false
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - service_named_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-80325-4
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

    - name: Disable socket named
      systemd:
        name: named.socket
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when:
      - '"named.socket" in socket_file_exists.stdout_lines[1]'
      - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
      - service_named_disabled
      - medium_severity
      - disable_strategy
      - low_complexity
      - low_disruption
      - no_reboot_needed
      - CCE-80325-4
      - NIST-800-53-CM-7(a)
      - NIST-800-53-CM-7(b)
      - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
    include disable_named
    class disable_named {
      service {'named':
        enable => false,
        ensure => 'stopped',
      }
    }
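As an added check (not from the guide or the scap-security-guide project), the following bash function audits a named.conf against the "Disable Zone Transfers", "Disable Dynamic Updates" and "Authenticate Zone Transfers" rules above: it flags a missing allow-transfer directive or one that permits { any; }, and every zone (top level or inside a view, as in "Use Views to Partition External and Internal Information") that does not set allow-update { none; }. The parser is this example's own simplification of the BIND syntax (comments stripped, whitespace removed, brace depth tracked), and the sample configurations are constructed, not taken from any real deployment.

```bash
#!/bin/bash
# Added example: audit a named.conf against the "Protect DNS Data" rules above.
#   named_conf_audit /path/to/named.conf
# Prints one FAIL line per finding and returns the finding count (0 = compliant).
# Zones of "type hint" (root hints) cannot accept updates and are skipped.
# Simplified parser (this example's own): comments and whitespace are removed
# so "allow-update { none; }" becomes "allow-update{none;}", and brace depth
# decides where each zone block ends, whether top-level or inside a view.
named_conf_audit() {
    awk '
    {
        sub(/\/\/.*/, ""); sub(/#.*/, "")            # drop end-of-line comments
        gsub(/[ \t\r]/, "")                          # normalise spacing
        if ($0 == "") next
        if (index($0, "zone\"") == 1) {              # zone "name" IN { ... opens here
            in_zone = 1; zone_depth = depth; zones++
            split($0, q, "\""); zone_name = q[2]
            has_update_none = 0; is_hint = 0
        }
        if (index($0, "allow-transfer{") > 0) {
            saw_transfer = 1
            if (index($0, "allow-transfer{any;") > 0) {
                print "FAIL: allow-transfer { any; } lets any host pull the zone"; fails++
            }
        }
        if (in_zone && index($0, "allow-update{none;}") > 0) has_update_none = 1
        if (in_zone && index($0, "typehint;") > 0) is_hint = 1
        depth += split($0, o, "{") - split($0, c, "}")    # net braces opened on this line
        if (in_zone && depth == zone_depth) {              # the zone block just closed
            if (!has_update_none && !is_hint) {
                print "FAIL: zone " zone_name " does not set allow-update { none; }"; fails++
            }
            in_zone = 0
        }
    }
    END {
        if (!saw_transfer) {
            print "FAIL: no allow-transfer directive; add allow-transfer { none; } to options"; fails++
        }
        printf "%d zone(s) checked, %d finding(s)\n", zones, fails
        exit fails
    }' "$1"
}

# Stand-alone run on a constructed config (not a real deployment).
# Expected: 1 finding, for the zone that leaves dynamic updates at the default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
    allow-transfer { none; };
    recursion no;
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { none; };
};
zone "internal.example.com" IN {   // constructed: allow-update missing
    type master;
    file "internal.example.com.zone";
};
EOF
named_conf_audit "$sample" || :
rm -f "$sample"
```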
LDAP

LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Enterprise Linux 7 includes software that enables a system to act as both an LDAP client and server.

Configure OpenLDAP Server

This section details some security-relevant settings for an OpenLDAP server. Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html.

Uninstall openldap-servers Package

The openldap-servers RPM is not installed by default on a Red Hat Enterprise Linux 7 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

References: CIS CSC 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; DISA CCI CCI-000366; ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; NIST 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.

Identifiers: CCE-80293-4
# CAUTION: This remediation script will remove openldap-servers
# from the system, and may remove any packages
# that depend on openldap-servers. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "openldap-servers" ; then
yum remove -y "openldap-servers"
fi
- name: Ensure openldap-servers is removed
  package:
    name: openldap-servers
    state: absent
  tags:
    - package_openldap-servers_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80293-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include remove_openldap-servers
class remove_openldap-servers {
package { 'openldap-servers':
ensure => 'purged',
}
}
package --remove=openldap-servers
Install and Protect LDAP Certificate Files

Create the PKI directory for LDAP certificates if it does not already exist:
$ sudo mkdir /etc/pki/tls/ldap
$ sudo chown root:root /etc/pki/tls/ldap
$ sudo chmod 755 /etc/pki/tls/ldap
Using removable media or some other secure transmission format, install the certificate files
onto the LDAP server:
/etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem
/etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem
Verify the ownership and permissions of these files:
$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem
$ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem
$ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem
$ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem
Verify that the CA's public certificate file has been installed as
/etc/pki/tls/CA/cacert.pem, and has the correct permissions:
$ sudo mkdir /etc/pki/tls/CA
$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem
As a result of these steps, the LDAP server will have access to its own private
certificate and the key with which that certificate is encrypted, and to the
public certificate file belonging to the CA. Note that it would be possible for
the key to be protected further, so that processes running as ldap could not
read it. If this were done, the LDAP server process would need to be restarted
manually whenever the server rebooted.

Configure OpenLDAP Clients

This section provides information on which security settings are
important to configure in OpenLDAP clients by manually editing the appropriate
configuration files. Red Hat Enterprise Linux 7 provides an automated configuration tool called
authconfig and a graphical wrapper for authconfig called
system-config-authentication. However, these tools do not provide as
much control over configuration as manual editing of configuration files. The
authconfig tools do not allow you to specify locations of SSL certificate
files, which is useful when trying to use SSL cleanly across several protocols.
Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html.
Before configuring any system to be an
LDAP client, ensure that a working LDAP server is present on the
network.

Configure LDAP Client to Use TLS For All Transactions

This check verifies cryptography has been implemented
to protect the integrity of remote LDAP authentication sessions.
To determine if LDAP is being used for authentication, use the following
command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is
configured to use TLS, use the following command:
$ sudo grep -i ssl /etc/pam_ldap.conf
Without cryptographic integrity protections, information can be altered by
unauthorized users without detection. The ssl directive specifies whether
to use TLS or not. If not specified it will default to no. It should be set
to start_tls rather than doing LDAP over SSL.
CCE-80291-8
# Use LDAP for authentication
replace_or_append '/etc/sysconfig/authconfig' '^USELDAPAUTH' 'yes' 'CCE-80291-8' '%s=%s'
# Configure client to use TLS for all authentications
replace_or_append '/etc/nslcd.conf' '^ssl' 'start_tls' 'CCE-80291-8' '%s %s'
Configure Certificate Directives for LDAP Use of TLS

Ensure a copy of a trusted CA certificate has been placed in the file
/etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and
to trust certificates signed by that CA. First, edit the file
/etc/nslcd.conf, and add or correct either of the following lines:
tls_cacertdir /etc/pki/tls/CA or
tls_cacertfile /etc/pki/tls/CA/cacert.pem
Then review the LDAP server and ensure TLS has been configured.
The tls_cacertdir or tls_cacertfile directives are required when
tls_checkpeer is configured (which is the default for openldap versions 2.1 and
up). These directives define the path to the trust certificates signed by the
site CA.
CCE-80292-6

Enable the LDAP Client For Use in Authconfig

To determine if LDAP is being used for authentication, use the following
command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
If USELDAPAUTH=yes, then LDAP is being used. If not, set USELDAPAUTH
to yes.
Without cryptographic integrity protections, information can be
altered by unauthorized users without detection. The ssl directive specifies
whether to use TLS or not. If not specified it will default to no.
It should be set to start_tls rather than doing LDAP over SSL.
CCE-80448-4

Mail Server Software

Mail servers are used to send and receive email over the network.
Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious
targets of network attack.
Ensure that systems are not running MTAs unnecessarily,
and configure needed MTAs as defensively as possible.
Very few systems at any site should be configured to directly receive email over the
network. Users should instead use mail client programs to retrieve email
from a central server that supports protocols such as IMAP or POP3.
However, it is normal for most systems to be independently capable of sending email,
for instance so that cron jobs can report output to an administrator.
Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from
the local system to a central site MTA (or directly delivered to a local account),
but the system still cannot receive mail directly over a network.
The alternatives program in Red Hat Enterprise Linux 7 permits selection of other mail server software
(such as Sendmail), but Postfix is the default and is preferred.
Postfix was coded with security in mind and can also be more effectively contained by
SELinux as its modular design has resulted in separate processes performing specific actions.
More information is available on its website,
http://www.postfix.org.

Uninstall Sendmail Package

Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo yum erase sendmail
The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux. Postfix
should be used instead.
CCE-80288-4
# CAUTION: This remediation script will remove sendmail
# from the system, and may remove any packages
# that depend on sendmail. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "sendmail" ; then
yum remove -y "sendmail"
fi
- name: Ensure sendmail is removed
  package:
    name: sendmail
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_sendmail_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80288-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include remove_sendmail
class remove_sendmail {
package { 'sendmail':
ensure => 'purged',
}
}
package --remove=sendmail
Enable Postfix Service

The Postfix mail transfer agent is used for local mail delivery
within the system. The default configuration only listens for connections to
the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is
recommended to leave this service enabled for local mail delivery.
The postfix service can be enabled with the following command:
$ sudo systemctl enable postfix.service
Local mail delivery is essential to some system maintenance and
notification tasks.
CCE-80287-6
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'postfix.service'
"$SYSTEMCTL_EXEC" enable 'postfix.service'
- name: Enable service postfix
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service postfix
      service:
        name: postfix
        enabled: 'yes'
        state: started
      when:
        - '"postfix" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_postfix_enabled
    - unknown_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80287-6
include enable_postfix
class enable_postfix {
service {'postfix':
enable => true,
ensure => 'running',
}
}
Configure SMTP For Mail Clients

This section discusses settings for Postfix in a submission-only
e-mail configuration.

Postfix relayhost
Specify the host all outbound email should be routed into.
Value: smtp.$mydomain

Postfix Network Interfaces
The setting for inet_interfaces in /etc/postfix/main.cf
Possible values: loopback-only, localhost

Postfix Root Mail Alias
Specify an email address (string) for a root mail alias.
Value: system.administrator@mail.mil

Configure System to Forward All Mail For The Root Account

Set up an alias for root that forwards to a monitored email address
(the redirection has to happen under sudo, which is why tee is used rather
than a shell redirect of sudo echo):
$ echo "root: " | sudo tee -a /etc/aliases
$ sudo newaliases
A number of system services utilize email messages sent to the root user to
notify system administrators of active or impending issues. These messages must
be forwarded to at least one monitored email address.
CCE-82380-7

Disable Postfix Network Listening

Edit the file /etc/postfix/main.cf to ensure that only the following
inet_interfaces line appears:
inet_interfaces = 
This ensures postfix accepts mail messages
(such as cron job reports) from the local system only,
and not from the network, which protects it from network attack.
CCE-80289-2
- name: XCCDF Value var_postfix_inet_interfaces # promote to variable
  set_fact:
    var_postfix_inet_interfaces: !!str
  tags:
    - always
- name: Ensure mail transfer agent is configured for local-only mode
  lineinfile:
    path: /etc/postfix/main.cf
    create: false
    regexp: ^inet_interfaces\s*=\s.*
    line: inet_interfaces = {{ var_postfix_inet_interfaces }}
    state: present
    insertafter: ^inet_interfaces\s*=\s.*
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - postfix_network_listening_disabled
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80289-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Configure System to Forward All Mail through a specific host

Set up a relay host that will act as a gateway for all outbound email.
Edit the file /etc/postfix/main.cf to ensure that only the following
relayhost line appears:
relayhost = 
A central outbound email location ensures messages sent from any network host
can be audited for potential unexpected content. Tooling on the central server
may help prevent spam or viruses from being delivered.

Configure Operating System to Protect Mail Server

The guidance in this section is appropriate for any host which is
operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
or some other software.

Configure SSL Certificates for Use with SMTP AUTH

If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended.
There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another,
though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing
an SSL certificate are independent of the MTA in use, and are described here.

Ensure Security of Postfix SSL Certificate

Create the PKI directory for mail certificates, if it does not already exist:
$ sudo mkdir /etc/pki/tls/mail
$ sudo chown root:root /etc/pki/tls/mail
$ sudo chmod 755 /etc/pki/tls/mail
Using removable media or some other secure transmission format, install the files generated in the previous
step onto the mail server:
/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem
/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem
Verify the ownership and permissions of these files:
$ sudo chown root:root /etc/pki/tls/mail/serverkey.pem
$ sudo chown root:root /etc/pki/tls/mail/servercert.pem
$ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem
$ sudo chmod 644 /etc/pki/tls/mail/servercert.pem
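The two PKI layouts described in this guide (the LDAP files, whose key is group-readable by ldap, and the mail files, whose key is root-only) can be audited against the expected owner, group and mode with the following Python. It is an added example, not code from the guide or from the scap-security-guide project; its demo builds a constructed staging tree under a temporary directory instead of touching /etc/pki, and the policy tables encode exactly the chown/chmod steps listed above.

```python
"""Audit ownership and permissions of the LDAP and mail TLS material.

Added example, not part of the scap-security-guide content: it checks the
layouts the guide describes (/etc/pki/tls/ldap, /etc/pki/tls/mail and
/etc/pki/tls/CA) against the expected owner, group and mode bits.
"""
import grp
import os
import pwd
import stat
import tempfile

# (path, owner, group, mode) for each file in the guide's layouts.  The LDAP
# key is group-readable by 'ldap' because slapd runs as that user; the mail
# key is 0600 because Postfix reads it as root before dropping privileges.
LDAP_POLICY = [
    ("/etc/pki/tls/ldap", "root", "root", 0o755),
    ("/etc/pki/tls/ldap/serverkey.pem", "root", "ldap", 0o640),
    ("/etc/pki/tls/ldap/servercert.pem", "root", "ldap", 0o640),
    ("/etc/pki/tls/CA/cacert.pem", "root", "root", 0o644),
]
MAIL_POLICY = [
    ("/etc/pki/tls/mail", "root", "root", 0o755),
    ("/etc/pki/tls/mail/serverkey.pem", "root", "root", 0o600),
    ("/etc/pki/tls/mail/servercert.pem", "root", "root", 0o644),
    ("/etc/pki/tls/CA/cacert.pem", "root", "root", 0o644),
]


def name_of_uid(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_file(path, owner, group, mode):
    """Return a list of findings for one path (empty means it matches).

    A missing file is a finding rather than an exception, because an absent
    key usually means TLS is silently not in use; a symlink is flagged since
    the permissions that matter are those of the target, not the link.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: missing" % path]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("%s: is a symlink, expected a regular file or directory" % path)
    actual_owner = name_of_uid(st.st_uid)
    actual_group = name_of_gid(st.st_gid)
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_owner != owner:
        findings.append("%s: owner %s, expected %s" % (path, actual_owner, owner))
    if actual_group != group:
        findings.append("%s: group %s, expected %s" % (path, actual_group, group))
    if actual_mode != mode:
        findings.append("%s: mode %04o, expected %04o" % (path, actual_mode, mode))
    return findings


def audit(policy, root="/"):
    """Apply a policy table; 'root' lets it run against a staging tree."""
    findings = []
    for path, owner, group, mode in policy:
        full = os.path.join(root, path.lstrip("/"))
        findings.extend(check_file(full, owner, group, mode))
    return findings


def demo_staging_tree():
    """Build a constructed LDAP layout under a temp dir and audit it.

    Expected owner/group are rewritten to the current user so the example
    runs unprivileged.  One deliberate mistake is planted: the private key is
    left world-readable (0644 instead of 0640).
    """
    root = tempfile.mkdtemp(prefix="ldap-pki-")
    me, my_group = name_of_uid(os.getuid()), name_of_gid(os.getgid())
    policy = [(p, me, my_group, m) for p, _o, _g, m in LDAP_POLICY]
    for path, _o, _g, mode in policy:
        full = os.path.join(root, path.lstrip("/"))
        if path.endswith(".pem"):
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("-----CONSTRUCTED PLACEHOLDER, NOT A REAL KEY-----\n")
        else:
            os.makedirs(full, exist_ok=True)
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "etc/pki/tls/ldap/serverkey.pem"), 0o644)
    return audit(policy, root)


if __name__ == "__main__":
    for line in demo_staging_tree() or ["staging tree matches policy"]:
        print(line)
```

Running audit(MAIL_POLICY) or audit(LDAP_POLICY) as root against the real tree checks a production host; any non-empty result is a deviation from the steps above.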
Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the
correct permissions:
$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem

Configure Postfix if Necessary

Postfix stores its configuration files in the directory
/etc/postfix by default. The primary configuration file is
/etc/postfix/main.cf.

Configure SMTP Greeting Banner

Edit /etc/postfix/main.cf, and add or correct the
following line, substituting some other wording for the banner information if
you prefer:
smtpd_banner = $myhostname ESMTP
The default greeting banner discloses that the listening mail
process is Postfix. When remote mail senders connect to the MTA on port 25,
they are greeted by an initial banner as part of the SMTP dialogue. This banner
is necessary, but it frequently gives away too much information, including the
MTA software which is in use, and sometimes also its version number. Remote
mail senders do not need this information in order to send mail, so the banner
should be changed to reveal only the hostname (which is already known and may
be useful) and the word ESMTP, to indicate that the modern SMTP protocol
variant is supported.
CCE-80290-0

Control Mail Relaying

Postfix's mail relay controls are implemented with the help of the
smtpd recipient restrictions option, which controls the restrictions placed on
the SMTP dialogue once the sender and recipient envelope addresses are known.
The guidance in the following sections should be applied to all systems. If
there are systems which must be allowed to relay mail, but which cannot be
trusted to relay unconditionally, configure SMTP AUTH with SSL support.

Prevent Unrestricted Mail Relaying

Modify the /etc/postfix/main.cf file to restrict client connections
to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
If unrestricted mail relaying is permitted, unauthorized senders could use this
host as a mail relay for the purpose of sending spam or other unauthorized
activity.
CCE-80512-7
if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then
echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf
else
sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf
fi
Configure Trusted Networks and Hosts

Edit /etc/postfix/main.cf, and configure the contents of
the mynetworks variable in one of the following ways:
If any system in the subnet containing the MTA may be trusted to relay
messages, add or correct the following line:
mynetworks_style = subnet
This is also the default setting, and is in effect if all
mynetworks_style directives are commented.
If only the MTA host itself is trusted to relay messages, add or correct
the following line:
mynetworks_style = host
If the set of systems which can relay is more complicated, manually
specify an entry for each netblock or IP address which is trusted to relay by
setting the mynetworks variable directly:
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1

Require SMTP AUTH Before Relaying from Untrusted Clients

SMTP authentication allows remote clients to relay mail safely by
requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses
an authentication library called SASL, which is not part of Postfix itself. To
enable the use of SASL authentication, see
http://www.postfix.org/SASL_README.html

Enact SMTP Recipient Restrictions

To configure Postfix to restrict addresses to which it
will send mail, see:
http://www.postfix.org/SMTPD_ACCESS_README.html#danger
The full contents of smtpd_recipient_restrictions will
vary by site, since this is a common place to put spam restrictions and other
site-specific options. The permit_mynetworks option allows all mail to
be relayed from the systems in mynetworks. Then, the
reject_unauth_destination option denies all mail whose destination
address is not local, preventing any other systems from relaying. These two
options should always appear in this order, and should usually follow one
another immediately unless SMTP AUTH is used.

Enact SMTP Relay Restrictions

To configure Postfix to restrict addresses to which it
will send mail, see:
http://www.postfix.org/SMTPD_ACCESS_README.html#danger
The full contents of smtpd_recipient_restrictions will
vary by site, since this is a common place to put spam restrictions and other
site-specific options. The permit_mynetworks option allows all mail to
be relayed from the systems in mynetworks. Then, the
reject_unauth_destination option denies all mail whose destination
address is not local, preventing any other systems from relaying. These two
options should always appear in this order, and should usually follow one
another immediately unless SMTP AUTH is used.

Use TLS for SMTP AUTH

Postfix provides options to use TLS for certificate-based
authentication and encrypted sessions. An encrypted session protects the
information that is transmitted with SMTP mail or with SASL authentication.
To configure Postfix to protect all SMTP AUTH transactions
using TLS, see
http://www.postfix.org/TLS_README.html.

Configure Postfix Resource Usage to Limit Denial of Service Attacks

Edit /etc/postfix/main.cf. Edit the following lines to
configure the amount of system resources Postfix can consume:
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
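The main.cf settings from the Postfix sections above (loopback-only inet_interfaces, a relayhost, a banner that does not name the MTA, smtpd_client_restrictions, the ordering of permit_mynetworks and reject_unauth_destination in smtpd_recipient_restrictions, and the resource limits just listed) can be audited together. The following Python is an added example, not code from the guide or from Postfix; the two main.cf texts inside it are constructed samples, one with deliberate deviations and one with the settings the guide asks for.

```python
"""Audit a Postfix main.cf against the submission-only settings in this guide.

Added example, not code from scap-security-guide or Postfix: it parses
main.cf the way postconf reads it (last definition wins, '#' comments,
continuation lines start with whitespace; no $variable expansion) and reports
deviations from the settings the guide asks for.
"""
import re

# Constructed sample, not a real system's file: several deliberate deviations.
SAMPLE_MAIN_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
inet_interfaces = all
inet_interfaces = loopback-only
relayhost = [smtp.example.test]:587
smtpd_client_restrictions = permit_mynetworks,
    reject
smtpd_recipient_restrictions = reject_unauth_destination, permit_mynetworks
mynetworks_style = subnet
default_process_limit = 100
smtpd_client_connection_count_limit = 10
message_size_limit = 10485760
"""

# Constructed sample with the settings the guide asks for.
HARDENED_MAIN_CF = """\
smtpd_banner = $myhostname ESMTP
inet_interfaces = loopback-only
relayhost = [smtp.example.test]:587
smtpd_client_restrictions = permit_mynetworks,reject
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
mynetworks_style = host
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
"""

RESOURCE_LIMITS = ("default_process_limit", "smtpd_client_connection_count_limit",
                   "smtpd_client_connection_rate_limit", "queue_minfree",
                   "header_size_limit", "message_size_limit", "smtpd_recipient_limit")


def parse_main_cf(text):
    """Return {parameter: value}; a later definition overrides an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()   # continuation of previous value
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                                # malformed line; postconf warns
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def audit_main_cf(text):
    """Return a list of findings; an empty list means the file matches the guide."""
    p = parse_main_cf(text)
    findings = []
    if p.get("inet_interfaces", "all") not in ("loopback-only", "localhost"):
        findings.append("inet_interfaces: Postfix listens on network interfaces")
    if not p.get("relayhost"):
        findings.append("relayhost: no central outbound relay configured")
    banner = p.get("smtpd_banner", "$myhostname ESMTP $mail_name")  # Postfix default
    if any(x in banner for x in ("$mail_name", "$mail_version", "Postfix")):
        findings.append("smtpd_banner: discloses MTA software or version")
    if split_list(p.get("smtpd_client_restrictions", "")) != ["permit_mynetworks", "reject"]:
        findings.append("smtpd_client_restrictions: not 'permit_mynetworks,reject'")
    rr = split_list(p.get("smtpd_recipient_restrictions", ""))
    if "permit_mynetworks" not in rr or "reject_unauth_destination" not in rr:
        findings.append("smtpd_recipient_restrictions: needs permit_mynetworks and reject_unauth_destination")
    else:
        i, j = rr.index("permit_mynetworks"), rr.index("reject_unauth_destination")
        if i > j:
            findings.append("smtpd_recipient_restrictions: reject_unauth_destination precedes permit_mynetworks")
        elif any(t != "permit_sasl_authenticated" for t in rr[i + 1:j]):
            # Only the SMTP AUTH permit may sit between the two options.
            findings.append("smtpd_recipient_restrictions: unexpected options between permit_mynetworks and reject_unauth_destination")
    if "mynetworks" not in p and p.get("mynetworks_style", "subnet") not in ("subnet", "host"):
        findings.append("mynetworks_style: unexpected value %r" % p["mynetworks_style"])
    findings.extend("%s: not set" % key for key in RESOURCE_LIMITS if key not in p)
    return findings
```

On a live host, pass the contents of /etc/postfix/main.cf to audit_main_cf; note that postconf -n output is also acceptable input, since it uses the same name = value syntax.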
Note: The values given here are examples, and may
need to be modified for any particular site. By default, the Postfix anvil
process gathers mail receipt statistics. To get information about what
connection rates are typical at your site, look in /var/log/maillog
for lines with the daemon name postfix/anvil.

Samba (SMB) Microsoft Windows File Sharing Server

When properly configured, the Samba service allows
Linux systems to provide file and print sharing to Microsoft
Windows systems. There are two software packages that provide
Samba support. The first, samba-client, provides a series of
command line tools that enable a client system to access Samba
shares. The second, simply labeled samba, provides the Samba
service. It is this second package that allows a Linux system to
act as an Active Directory server, a domain controller, or as a
domain member. Only the samba-client package is installed by
default.

Disable Samba if Possible

Even after the Samba server package has been installed, it
will remain disabled. Do not enable this service unless it is
absolutely necessary to provide Microsoft Windows file and print
sharing functionality.

Uninstall Samba Package

The samba package can be removed with the following command:
$ sudo yum erase samba
If there is no need to make the Samba software available,
removing it provides a safeguard against its activation.
CCE-80278-5
# CAUTION: This remediation script will remove samba
# from the system, and may remove any packages
# that depend on samba. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "samba" ; then
yum remove -y "samba"
fi
- name: Ensure samba is removed
  package:
    name: samba
    state: absent
  tags:
    - package_samba_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80278-5
include remove_samba
class remove_samba {
package { 'samba':
ensure => 'purged',
}
}
package --remove=samba
Disable Samba

The smb service can be disabled with the following command:
$ sudo systemctl disable smb.service
The smb service can be masked with the following command:
$ sudo systemctl mask smb.service
Running a Samba server provides a network-based avenue of attack, and
should be disabled if not needed.
CCE-80277-7
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'smb.service'
"$SYSTEMCTL_EXEC" disable 'smb.service'
"$SYSTEMCTL_EXEC" mask 'smb.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^smb.socket'; then
"$SYSTEMCTL_EXEC" stop 'smb.socket'
"$SYSTEMCTL_EXEC" disable 'smb.socket'
"$SYSTEMCTL_EXEC" mask 'smb.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'smb.service' || true
- name: Disable service smb
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service smb
      systemd:
        name: smb.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"smb.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_smb_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80277-7
- name: Unit Socket Exists - smb.socket
  command: systemctl list-unit-files smb.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_smb_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80277-7
- name: Disable socket smb
  systemd:
    name: smb.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"smb.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_smb_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80277-7
include disable_smb
class disable_smb {
service {'smb':
enable => false,
ensure => 'stopped',
}
}
Configure Samba if Necessary

All settings for the Samba daemon can be found in
/etc/samba/smb.conf. Settings are divided between a
[global] configuration section and a series of user
created share definition sections meant to describe file or print
shares on the system. By default, Samba will operate in user mode
and allow client systems to access local home directories and
printers. It is recommended that these settings be changed or that
additional limitations be set in place.

Install the Samba Common Package

The samba-common package should be installed.
The samba-common package can be installed with the following command:
$ sudo yum install samba-common
If the samba-common package is not installed, samba cannot be configured.
CCE-80360-1
if ! rpm -q --quiet "samba-common" ; then
yum install -y "samba-common"
fi
- name: Ensure samba-common is installed
  package:
    name: samba-common
    state: present
  tags:
    - package_samba-common_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80360-1
include install_samba-common
class install_samba-common {
package { 'samba-common':
ensure => 'installed',
}
}
package --add=samba-common
Disable Root Access to SMB Shares

Administrators should not use administrator accounts to access
Samba file and printer shares. Disable the root user and the wheel
administrator group:
[share]
invalid users = root @wheel
If administrator accounts cannot be disabled, ensure that local system
passwords and Samba service passwords do not match.
Typically, administrator access is required when Samba must create user and
system accounts and shares. Domain member servers and standalone servers may
not need administrator access at all. If that is the case, add the invalid
users parameter to [global] instead.
CCE-80279-3

Require Client SMB Packet Signing, if using smbclient

To require samba clients running smbclient to use
packet signing, add the following to the [global] section
of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatory
Requiring samba clients such as smbclient to use packet
signing ensures they can
only communicate with servers that support packet signing.
Packet signing can prevent
man-in-the-middle attacks which modify SMB packets in
transit.
CCE-80280-1
######################################################################
#By Luke "Brisk-OH" Brisk
#luke.brisk@boeing.com or luke.brisk@gmail.com
######################################################################
CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf )
if [ "$CLIENTSIGNING" -eq 0 ]; then
# Add to global section
sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf
else
sed -i 's/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/ client signing = mandatory/g' /etc/samba/smb.conf
fi
- name: Check if /etc/samba/smb.conf exists
  stat:
    path: /etc/samba/smb.conf
  register: st_smb
  tags:
    - require_smb_client_signing
    - unknown_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80280-1
- name: Require Client SMB Packet Signing, if using smbclient
  lineinfile:
    dest: /etc/samba/smb.conf
    # Replace an existing 'client signing' line instead of adding a second one
    regexp: '^\s*client signing\s*='
    line: client signing = mandatory
    state: present
    # insertafter takes a regular expression string; an unquoted [global]
    # is parsed by YAML as a one-element list, which the module rejects
    insertafter: '^\[global\]'
  when: st_smb.stat.exists
  tags:
    - require_smb_client_signing
    - unknown_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80280-1
Require Client SMB Packet Signing, if using mount.cifs

Require packet signing of clients who mount Samba
shares using the mount.cifs program (e.g., those who specify shares
in /etc/fstab). To do so, ensure signing options (either
sec=krb5i or sec=ntlmv2i) are used.
See the mount.cifs(8) man page for more information. A Samba
client should only communicate with servers who can support SMB
packet signing.
Packet signing can prevent man-in-the-middle
attacks which modify SMB packets in transit.
CCE-80281-9

Restrict Printer Sharing

By default, Samba utilizes the CUPS printing service to enable
printer sharing with Microsoft Windows workstations. If there are no printers
on the local system, or if printer sharing with Microsoft Windows is not
required, disable the printer sharing capability by commenting out the
following lines, found in /etc/samba/smb.conf:
[global]
load printers = yes
cups options = raw
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
There may be other options present, but these are the only options enabled and
uncommented by default. Removing the [printers] share should be enough
for most users. If the Samba printer sharing capability is needed, consider
disabling the Samba network browsing capability or restricting access to a
particular set of users or network addresses. Set the valid users
parameter to a small subset of users or restrict it to a particular group of
users with the shorthand @. Separate each user or group of users with
a space. For example, under the [printers] share:
[printers]
valid users = user @printerusersRestrict SMB File Sharing to Configured NetworksOnly users with local user accounts will be able to log in to
Samba shares by default. Shares can be limited to particular users or network
addresses. Use the hosts allow and hosts deny directives
accordingly, and consider setting the valid users directive to a limited subset
of users or to a group of users. Separate each address, user, or user group
with a space as follows for a particular share or global:
[share]
hosts allow = 192.168.1. 127.0.0.1
valid users = userone usertwo @usergroup
It is also possible to limit read and write access to particular users with the
read list and write list options, though the permissions set by the system
itself will override these settings. Set the read only attribute for each share
to ensure that global settings will not accidentally override the individual
share settings. Then, as with the valid users directive, separate each user or
group of users with a space:
[share]
read only = yes
write list = userone usertwo @usergroupUSBGuard daemonThe USBGuard daemon enforces the USB device authorization policy for all USB devices.Install usbguard PackageThe usbguard package can be installed with the following command:
$ sudo yum install usbguardSRG-OS-000378-GPOS-00163usbguard is a software framework that helps to protect
against rogue USB devices by implementing basic whitelisting/blacklisting
capabilities based on USB device attributes.CCE-82960-6
if ! rpm -q --quiet "usbguard" ; then
    yum install -y "usbguard"
fi
- name: Ensure usbguard is installed
  package:
    name: usbguard
    state: present
  tags:
    - package_usbguard_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82960-6
include install_usbguard
class install_usbguard {
  package { 'usbguard':
    ensure => 'installed',
  }
}
package --add=usbguard
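Looking back at the Samba rules above (mandatory client signing, the [printers] share, hosts allow / valid users, and read only with write list), the following script is an added example that audits an smb.conf against them. It is not part of the SCAP Security Guide content; the two smb.conf samples it writes are constructed for demonstration, and the share, user and network names in them are placeholders. It needs only a POSIX shell and awk.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide content: audit a Samba
# configuration against the Samba rules above (client signing, printer
# sharing, hosts allow / valid users, read only + write list).

# audit_smb_conf FILE -> prints one finding per line; the exit status is the
# number of findings (0 means the file passes every check).
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }             # comments and blank lines
    /^[ \t]*\[[^]]+\]/ {                              # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec); order[++n] = sec; next
    }
    /=/ {                                             # key = value (keys are case-insensitive)
        key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        cfg[sec, key] = trim(substr($0, index($0, "=") + 1)); next
    }
    END {
        f = 0
        if (cfg["global", "client signing"] != "mandatory") {
            print "global: client signing is not mandatory"; f++ }
        if (cfg["global", "load printers"] == "yes") {
            print "global: load printers = yes (printer sharing enabled)"; f++ }
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            if (s == "printers") {
                print "printers: share is defined; remove it unless printer sharing is required"; f++ }
            if (cfg[s, "hosts allow"] == "" && cfg[s, "valid users"] == "") {
                print s ": neither hosts allow nor valid users restricts the share"; f++ }
            if (cfg[s, "write list"] != "" && cfg[s, "read only"] != "yes") {
                print s ": write list is set but read only = yes is missing"; f++ }
        }
        exit (f > 255 ? 255 : f)
    }' "$1"
}

# smb_finding_count FILE -> prints the number of findings
smb_finding_count() { audit_smb_conf "$1" | wc -l | tr -d ' '; }

# make_smb_samples DIR -> writes two constructed smb.conf samples (placeholder
# share, user and network names; not taken from any real host)
make_smb_samples() {
    cat > "$1/weak.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   load printers = yes
   cups options = raw
[printers]
   comment = All Printers
   path = /usr/spool/samba
   printable = yes
[data]
   path = /srv/samba/data
   write list = userone
EOF
    cat > "$1/hardened.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   client signing = mandatory
   load printers = no
[data]
   path = /srv/samba/data
   hosts allow = 192.168.1. 127.0.0.1
   valid users = userone usertwo @usergroup
   read only = yes
   write list = userone usertwo @usergroup
EOF
}

SMB_SAMPLES=$(mktemp -d)
trap 'rm -rf "$SMB_SAMPLES"' EXIT
make_smb_samples "$SMB_SAMPLES"
echo "== weak sample =="
audit_smb_conf "$SMB_SAMPLES/weak.conf" || true
echo "== hardened sample =="
audit_smb_conf "$SMB_SAMPLES/hardened.conf" && echo "no findings"
```

On a live system, run audit_smb_conf /etc/samba/smb.conf; the weak sample above produces six findings (no mandatory signing, printer loading enabled, a [printers] share, and a [data] share that is neither host- nor user-restricted and has a write list without read only = yes), while the hardened sample produces none.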
Web Server
The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because:
- The HTTP port is commonly probed by malicious sources
- Web server software is very complex, and includes a long history of vulnerabilities
- The HTTP protocol is unencrypted and vulnerable to passive monitoring
The system's default web server software is Apache 2 and is provided in the RPM package httpd.

Install Apache if Necessary
If httpd was not installed and activated, but the system needs to act as a web server, then it should be installed on the system. Follow these guidelines to install it defensively. The httpd package can be installed with the following command:
$ sudo yum install httpd
This method of installation is recommended over installing the "Web Server" package group during the system installation process. The Web Server package group includes many packages which are likely extraneous, while the command-line method installs only the required httpd package itself.

Confirm Minimal Built-in Modules Installed
The default httpd installation minimizes the number of modules that are compiled directly into the binary (core prefork http_core mod_so). This minimizes risk by limiting the capabilities allowed by the web server.
Query the set of compiled-in modules using the following command:
$ httpd -l
If the number of compiled-in modules is significantly larger than the aforementioned set, this guide recommends re-installing httpd with a reduced configuration. Minimizing the number of modules that are compiled into the httpd binary reduces risk by limiting the capabilities allowed by the webserver.

Disable Apache if Possible
If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.

Uninstall httpd Package
The httpd package can be removed with the following command:
$ sudo yum erase httpd
References: 111439; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a); PR.IP-1, PR.PT-3
If there is no need to make the web server software available, removing it provides a safeguard against its activation.
Identifiers: CCE-80301-5
# CAUTION: This remediation script will remove httpd
# from the system, and may remove any packages
# that depend on httpd. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "httpd" ; then
    yum remove -y "httpd"
fi
- name: Ensure httpd is removed
  package:
    name: httpd
    state: absent
  tags:
    - package_httpd_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80301-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include remove_httpd
class remove_httpd {
  package { 'httpd':
    ensure => 'purged',
  }
}
package --remove=httpd
Disable httpd Service
The httpd service can be disabled with the following command:
$ sudo systemctl disable httpd.service
The httpd service can be masked with the following command:
$ sudo systemctl mask httpd.service
References: 2.2.10; 111439; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a); PR.IP-1, PR.PT-3
Running web server software provides a network-based avenue of attack, and should be disabled if not needed.
Identifiers: CCE-80300-7
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'httpd.service'
"$SYSTEMCTL_EXEC" disable 'httpd.service'
"$SYSTEMCTL_EXEC" mask 'httpd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^httpd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'httpd.socket'
    "$SYSTEMCTL_EXEC" disable 'httpd.socket'
    "$SYSTEMCTL_EXEC" mask 'httpd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'httpd.service' || true
- name: Disable service httpd
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service httpd
      systemd:
        name: httpd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"httpd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_httpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80300-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - httpd.socket
  command: systemctl list-unit-files httpd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_httpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80300-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket httpd
  systemd:
    name: httpd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"httpd.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_httpd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80300-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include disable_httpd
class disable_httpd {
  service {'httpd':
    enable => false,
    ensure => 'stopped',
  }
}
Secure Apache Configuration
The httpd configuration file is /etc/httpd/conf/httpd.conf. Apply the recommendations in the remainder of this section to this file.

Maximum KeepAlive Requests for HTTPD
The setting for MaxKeepAliveRequests in httpd.conf. Values: 100000, 10000, 100, 100, 1000, 500

HTTPD Log Level
The setting for LogLevel in /etc/httpd/conf/httpd.conf. Values: warn, crit, emerg, error, warn, alert

Enable HTTPD Error Logging
ErrorLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:
ErrorLog "logs/error_log"
References: RHEL-07-WA00605
The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.
Identifiers: CCE-81130-7

A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension
To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Logically relocate public web servers to be isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) other than application and/or database servers that are a part of the same system as the web server.
References: RHEL-07-WA060
Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Once compromised, a public server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources. An improperly located public web server is a potential threat to the entire network.

A private web server must be located on a separate controlled access subnet
Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Isolate the private web server from the public DMZ and separate it from the internal general population LAN.
References: RHEL-07-WA070
Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled access subnet and must not be part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.

Configure The Number of Allowed Simultaneous Requests
The MaxKeepAliveRequests directive should be set and configured to
or greater by setting the following in /etc/httpd/conf/httpd.conf:
MaxKeepAliveRequests
References: RHEL-07-WG110
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).
Identifiers: CCE-80551-5

Public web server resources must not be shared with private assets
It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets.
References: RHEL-07-WG040
When folders, drives, or other resources are directly shared between the public web server and private servers, the intent of data and resource segregation can be compromised. In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that isolates inbound traffic from the external network to the internal network, resources such as printers, files, and folders/directories will not be shared between public web servers and assets located within the internal network.

The web server password(s) must be entrusted to the SA or Web Manager
Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to the web server to restart the service in the event of an emergency, as the web server is not to restart automatically after an unscheduled interruption.
References: RHEL-07-WG050
If the password is not entrusted to an SA or web manager, the ability to ensure the availability of the web server is compromised.

Configure Error Log Format
LogFormat should be enabled and set to the following in /etc/httpd/conf/httpd.conf:
LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined
References: RHEL-07-WA00612
The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The LogFormat directive defines the format and information to be included in the access log entries.
Identifiers: CCE-80548-1

Backup interactive scripts on the production web server are prohibited
Copies of backup files will not execute on the server, but they can be
read by the anonymous user if special precautions are not taken.
References: RHEL-07-WG420
Such backup copies contain the same sensitive information as the actual scripts being executed and, as such, are useful to malicious users. Techniques and systems exist today that search web servers for such files and are able to exploit the information contained in them. Backup copies of files are automatically created by some text editors such as emacs and VIM. Editors may write a backup file with an extension ~ added to the name of the original file. The EditPlus editor will create a .bak file. Of course, this would imply the presence and use of development tools on the web server, which is a finding under WG130. Having backup scripts on the web server provides one more opportunity for malicious persons to view these scripts and use the information found in them.

MIME types for csh or sh shell programs must be disabled
Users must not be allowed to access the shell programs.
References: RHEL-07-WG370
Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web server. A shell is a program that serves as the basic interface between the user and the operating system. In this regard, there are shells that are security risks in the context of a web server and shells that are unauthorized.

Enable HTTPD System Logging
CustomLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:
CustomLog "logs/access_log" combined
References: RHEL-07-WA00615
The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.
Identifiers: CCE-80549-9

Enable HTTPD LogLevel
LogLevel should be enabled and set to . Add or edit the following in /etc/httpd/conf/httpd.conf:
LogLevel
References: RHEL-07-WA00620
The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. While the ErrorLog directive configures the error log file name, the LogLevel directive is used to configure the severity level for the error logs. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info and debug.
Identifiers: CCE-80550-7

Installation of a compiler on production web server is prohibited
The presence of a compiler on a production server facilitates the malicious user's task of creating custom versions of programs and installing Trojan
user's task of creating custom versions of programs and installing Trojan
Horses or viruses.RHEL-07-WG080An attacker's code could be uploaded and compiled on the server
under attack.Restrict Web Server Information LeakageThe ServerTokens and ServerSignature directives determine how
much information the web server discloses about the configuration of the
system.Set httpd ServerTokens Directive to ProdServerTokens Prod restricts information in page headers, returning only the word "Apache."
Add or correct the following directive in /etc/httpd/conf/httpd.conf:
ServerTokens Prod111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3Information disclosed to clients about the configuration of the web server and system could be used
to plan an attack on the given system. This information disclosure should be restricted to a minimum.CCE-80302-3Set httpd ServerSignature Directive to OffServerSignature Off restricts httpd from displaying server version number
on error pages.
Add or correct the following directive in /etc/httpd/conf/httpd.conf:
ServerSignature Off111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3Information disclosed to clients about the configuration of the web server and system could be used
to plan an attack on the given system. This information disclosure should be restricted to a minimum.CCE-80303-1Configure Operating System to Protect Web ServerThe following configuration steps should be taken on the system which hosts the
web server, in order to provide as safe an environment as possible for the web server.Ensure Remote Administrative Access Is EncryptedEnsure that the SSH server service is enabled.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.serviceRHEL-07-WG230Logging into a web server remotely using an unencrypted protocol or service
when performing updates and maintenance is a major risk. Data, such as user
account, is transmitted in plaintext and can easily be compromised. When
performing remote administrative tasks, a protocol or service that encrypts the
communication channel must be used.
An alternative to remote administration of
the web server is to perform web server administration locally at the console.
Local administration at the console implies physical access to the server.Scan All Uploaded Content for Malicious SoftwareInstall anti-virus software on the system and set it to automatically scan new
files that are introduced to the web server.RHEL-07-WG237Remote web authors should not be able to upload files to the Document Root
directory structure without virus checking and checking for malicious or mobile
code. A remote web user, whose agency has a Memorandum of Agreement (MOA) with
the hosting agency and has submitted a DoD form 2875 (System Authorization
Access Request (SAAR)) or an equivalent document, will be allowed to post files
to a temporary location on the server. All posted files to this temporary
location will be scanned for viruses and content checked for malicious or mobile
code. Only files free of viruses and malicious or mobile code will be posted to
the appropriate DocumentRoot directory.CCE-80561-4Configure firewall to Allow Access to the Web Server
By default, firewalld blocks access to the ports used by the web server. To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
References: RHEL-07-WG610
Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS.

Run httpd in a chroot Jail if Practical
Running httpd inside a chroot jail is designed to isolate the web server process to a small section of the filesystem, limiting the damage if it is compromised. Versions of Apache greater than 2.2.10 (such as the one included with Red Hat Enterprise Linux 7) provide the ChrootDir directive. To run Apache inside a chroot jail in /chroot/apache, add the following line to /etc/httpd/conf/httpd.conf:
ChrootDir /chroot/apache
This necessitates placing all files required by httpd inside /chroot/apache, including httpd's binaries, modules, configuration files, and served web pages. The details of this configuration are beyond the scope of this guide. This may also require additional SELinux configuration.

Restrict File and Directory Access
Minimize access to critical httpd files and directories.

HTTPD Log Files Must Be Owned By Root
All httpd logs must be owned by root user and group. By default, the path for httpd logs is /var/log/httpd/. To properly set the owner of /var/log/httpd, run the command:
$ sudo chown root /var/log/httpd
To properly set the owner of /var/log/httpd/*, run the command:
$ sudo chown root /var/log/httpd/*
References: RHEL-07-WG255
A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web administrator with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.
Identifiers: CCE-80562-2

Set Permissions on the /var/log/httpd/ Directory
Ensure that the permissions on the web server log directory are set to 700:
$ sudo chmod 700 /var/log/httpd/
This is its default setting.
References: 111439; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a), AC-6(1); PR.IP-1, PR.PT-3
A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the integrity of the log files and protect the SA and the web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.
Identifiers: CCE-80322-1

Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
To properly set the permissions of /etc/httpd/conf.modules.d/*, run the command:
$ sudo chmod 0640 /etc/httpd/conf.modules.d/*
References: 111439; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a), AC-6(1); PR.IP-1, PR.PT-3
Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
Identifiers: CCE-80382-5

Set Permissions on the /etc/httpd/conf/ Directory
To properly set the permissions of /etc/httpd/conf, run the command:
$ sudo chmod 0750 /etc/httpd/conf
Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files.
Identifiers: CCE-80323-9

Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/
To properly set the permissions of /etc/httpd/conf.d/*, run the command:
$ sudo chmod 0640 /etc/httpd/conf.d/*
References: 111439; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a), AC-6(1); PR.IP-1, PR.PT-3
Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
Identifiers: CCE-80381-7
# -type f keeps the directory itself at its own mode (the rule covers the files inside it)
find /etc/httpd/conf.d/ -type f -regex '^.*$' -exec chmod 0640 {} \;
- name: Find /etc/httpd/conf.d/ file(s)
  find:
    paths: /etc/httpd/conf.d/
    patterns: '^.*$'
    use_regex: true
  register: files_found
  tags:
    - file_permissions_httpd_server_conf_d_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80381-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Set permissions for /etc/httpd/conf.d/ file(s)
  file:
    path: '{{ item.path }}'
    mode: '0640'
  with_items:
    - '{{ files_found.files }}'
  tags:
    - file_permissions_httpd_server_conf_d_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80381-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
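The log and configuration permission rules above each give one chown or chmod; the script below is an added example (not SCAP Security Guide content) that checks them together and applies the same commands as a remediation. It audits /var/log/httpd ownership and its 0700 mode, the 0750 mode of /etc/httpd/conf, and 0640 on the files in conf.d/ and conf.modules.d/; it also applies the 0640 check to the files directly under /etc/httpd/conf/, which is the same requirement the guide states for that directory. A ROOT prefix lets it run against a constructed directory tree; the OWNER_UID argument exists only so the sample tree, which is owned by whoever runs the script, can be checked. It assumes GNU stat -c, as on RHEL 7.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide content: audit and
# remediate the httpd log and configuration permissions from the rules above.
# ROOT is a path prefix so the functions can be exercised on a constructed
# tree; use ROOT="" on a live system. Assumes GNU stat (-c), as on RHEL 7.

# extra_bits MODE MASK -> prints 0 when octal MODE grants nothing beyond octal MASK
extra_bits() { echo $(( 0$1 & ~0$2 )); }

# audit_httpd_perms ROOT [OWNER_UID] -> prints one finding per line; the exit
# status is the number of findings. OWNER_UID defaults to 0 (root).
audit_httpd_perms() {
    root=$1 owner=${2:-0} n=0
    logdir=$root/var/log/httpd confdir=$root/etc/httpd/conf
    # HTTPD Log Files Must Be Owned By Root; log directory mode 700
    if [ "$(stat -c %u "$logdir")" != "$owner" ]; then
        echo "$logdir: owner uid is not $owner"; n=$((n + 1)); fi
    if [ "$(extra_bits "$(stat -c %a "$logdir")" 700)" -ne 0 ]; then
        echo "$logdir: mode $(stat -c %a "$logdir") is wider than 0700"; n=$((n + 1)); fi
    for f in "$logdir"/*; do
        [ -e "$f" ] || continue
        if [ "$(stat -c %u "$f")" != "$owner" ]; then
            echo "$f: owner uid is not $owner"; n=$((n + 1)); fi
    done
    # /etc/httpd/conf/ directory mode 0750
    if [ "$(extra_bits "$(stat -c %a "$confdir")" 750)" -ne 0 ]; then
        echo "$confdir: mode $(stat -c %a "$confdir") is wider than 0750"; n=$((n + 1)); fi
    # configuration files in conf/, conf.d/ and conf.modules.d/ mode 0640
    for d in "$confdir" "$root/etc/httpd/conf.d" "$root/etc/httpd/conf.modules.d"; do
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            m=$(stat -c %a "$f")
            if [ "$(extra_bits "$m" 640)" -ne 0 ]; then
                echo "$f: mode $m is wider than 0640"; n=$((n + 1)); fi
        done
    done
    return $((n > 255 ? 255 : n))
}

# httpd_perm_finding_count ROOT [OWNER_UID] -> prints the number of findings
httpd_perm_finding_count() { audit_httpd_perms "$1" "$2" | wc -l | tr -d ' '; }

# remediate_httpd_perms ROOT -> applies the chmod/chown commands from the rules above
remediate_httpd_perms() {
    root=$1
    chmod 700 "$root/var/log/httpd"
    chmod 0750 "$root/etc/httpd/conf"
    for d in conf conf.d conf.modules.d; do
        find "$root/etc/httpd/$d" -type f -exec chmod 0640 {} \;
    done
    if [ "$(id -u)" -eq 0 ]; then   # chown needs root; skipped on a constructed tree
        chown root "$root/var/log/httpd" "$root"/var/log/httpd/*
    fi
}

# make_sample_tree DIR -> constructed httpd layout with deliberately weak modes
make_sample_tree() {
    mkdir -p "$1/var/log/httpd" "$1/etc/httpd/conf" "$1/etc/httpd/conf.d" "$1/etc/httpd/conf.modules.d"
    : > "$1/var/log/httpd/error_log"
    : > "$1/etc/httpd/conf/httpd.conf"
    : > "$1/etc/httpd/conf.d/ssl.conf"
    : > "$1/etc/httpd/conf.modules.d/00-base.conf"
    chmod 755 "$1/var/log/httpd" "$1/etc/httpd/conf"                        # too wide
    chmod 644 "$1/etc/httpd/conf/httpd.conf" "$1/etc/httpd/conf.d/ssl.conf"  # world-readable
    chmod 640 "$1/etc/httpd/conf.modules.d/00-base.conf"                    # already compliant
}

SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
make_sample_tree "$SAMPLE_ROOT"
echo "== before remediation =="
audit_httpd_perms "$SAMPLE_ROOT" "$(id -u)" || true
remediate_httpd_perms "$SAMPLE_ROOT"
echo "== after remediation =="
audit_httpd_perms "$SAMPLE_ROOT" "$(id -u)" && echo "no findings"
```

The constructed tree yields four findings (the log directory and conf directory are too wide, and httpd.conf and ssl.conf are world-readable); after remediate_httpd_perms the audit is clean. The mode test uses a bitmask rather than an exact match, so a file that is stricter than 0640 is not reported.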
Set Permissions on All Configuration Files Inside /etc/httpd/conf/
To properly set the permissions of /etc/httpd/conf/*, run the command:
$ sudo chmod 0640 /etc/httpd/conf/*
References: 111439; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a), AC-6(1); PR.IP-1, PR.PT-3
Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.
Identifiers: CCE-80324-7
# -type f keeps the directory itself at 0750 as the directory rule above requires
find /etc/httpd/conf/ -type f -regex '^.*$' -exec chmod 0640 {} \;
- name: Find /etc/httpd/conf/ file(s)
  find:
    paths: /etc/httpd/conf/
    patterns: '^.*$'
    use_regex: true
  register: files_found
  tags:
    - file_permissions_httpd_server_conf_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80324-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Set permissions for /etc/httpd/conf/ file(s)
  file:
    path: '{{ item.path }}'
    mode: '0640'
  with_items:
    - '{{ files_found.files }}'
  tags:
    - file_permissions_httpd_server_conf_files
    - unknown_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80324-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
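The Secure Apache Configuration rules above each state one directive (ServerTokens Prod, ServerSignature Off, ErrorLog, CustomLog, LogLevel, MaxKeepAliveRequests). The script below is an added example, not SCAP Security Guide content, that reads an httpd configuration file and reports every one of those directives that is missing or set differently; it also checks the SSLProtocol and SSLEngine settings from the TLS rule in the mod_ssl section further down, so one run covers both groups. The MaxKeepAliveRequests threshold (default 100) is an assumption, since the guide leaves that value to the profile; the two configuration samples it writes are constructed for demonstration. Directives inside <VirtualHost> or <IfModule> blocks are read as if they were global, which is enough for a flat httpd.conf.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide content: audit an httpd
# configuration file for the directives recommended in this section.
# Apache directive names are case-insensitive; when a directive is repeated in
# the same context the last occurrence wins, which this check mirrors.

# audit_httpd_directives FILE [MIN_KEEPALIVE] -> prints one finding per line;
# the exit status is the number of findings. MIN_KEEPALIVE is an assumed
# threshold (the guide uses a profile-specific value); the default is 100.
audit_httpd_directives() {
    awk -v min_ka="${2:-100}" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    { d = tolower($1); $1 = ""; val[d] = trim($0) }   # directive -> its arguments
    END {
        n = 0
        if (tolower(val["servertokens"]) != "prod") { print "ServerTokens is not Prod"; n++ }
        if (tolower(val["serversignature"]) != "off") { print "ServerSignature is not Off"; n++ }
        if (val["errorlog"] == "") { print "ErrorLog is not set"; n++ }
        if (val["customlog"] == "") { print "CustomLog is not set"; n++ }
        split(val["loglevel"], lv, " ")               # first word is the global level
        if (tolower(lv[1]) !~ /^(emerg|alert|crit|error|warn|notice|info|debug)$/) {
            print "LogLevel is missing or not a syslog severity"; n++ }
        if (val["maxkeepaliverequests"] == "" || val["maxkeepaliverequests"] + 0 < min_ka) {
            print "MaxKeepAliveRequests is missing or below " min_ka; n++ }
        sp = tolower(" " val["sslprotocol"] " ")      # pad so tokens match whole words
        if (sp !~ / -sslv2 / || sp !~ / -sslv3 / || sp !~ / -tlsv1 / || sp !~ / -tlsv1\.1 /) {
            print "SSLProtocol does not disable SSLv2, SSLv3, TLSv1 and TLSv1.1"; n++ }
        if (tolower(val["sslengine"]) != "on") { print "SSLEngine is not on"; n++ }
        exit (n > 255 ? 255 : n)
    }' "$1"
}

# httpd_directive_finding_count FILE -> prints the number of findings
httpd_directive_finding_count() { audit_httpd_directives "$1" | wc -l | tr -d ' '; }

# make_httpd_samples DIR -> writes two constructed httpd.conf fragments
make_httpd_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed: leaks version information, no logging, keepalive too low
ServerTokens Full
ServerSignature On
MaxKeepAliveRequests 10
LogLevel debug
SSLEngine on
SSLProtocol all -SSLv2
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed: the settings recommended in this section
ServerTokens Prod
ServerSignature Off
ErrorLog "logs/error_log"
LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "logs/access_log" combined
LogLevel warn
MaxKeepAliveRequests 100
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
EOF
}

HTTPD_SAMPLES=$(mktemp -d)
trap 'rm -rf "$HTTPD_SAMPLES"' EXIT
make_httpd_samples "$HTTPD_SAMPLES"
echo "== weak.conf =="
audit_httpd_directives "$HTTPD_SAMPLES/weak.conf" || true
echo "== hardened.conf =="
audit_httpd_directives "$HTTPD_SAMPLES/hardened.conf" && echo "no findings"
```

Run it as audit_httpd_directives /etc/httpd/conf/httpd.conf on a live system, and separately on the ssl.conf file if the SSL directives live there. The weak sample produces six findings (ServerTokens, ServerSignature, missing ErrorLog and CustomLog, a MaxKeepAliveRequests below the threshold, and an SSLProtocol that still permits SSLv3 and early TLS); the hardened sample produces none.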
Use Denial-of-Service Protection ModulesDenial-of-service attacks are difficult to detect and prevent while maintaining
acceptable access to authorized users. However, some traffic-shaping
modules can be used to address the problem. Well-known DoS protection modules include:
mod_cband mod_bwshare mod_limitipconn mod_evasive
Denial-of-service prevention should be implemented for a web server if such a threat exists.
However, specific configuration details are very dependent on the environment and often best left
at the discretion of the administrator.Use Appropriate Modules to Improve httpd's SecurityAmong the modules available for httpd are several whose use may improve the
security of the web server installation. This section recommends and discusses
the deployment of security-relevant modules.Deploy mod_securityThe security module provides an application level firewall for httpd.
Following its installation with the base ruleset, specific configuration advice can be found at
http://www.modsecurity.org/ to design a policy that best matches the security needs of
the web applications. Usage of mod_security is highly recommended for some environments,
but it should be noted this module does not ship with Red Hat Enterprise Linux itself,
and instead is provided via Extra Packages for Enterprise Linux (EPEL).
For more information on EPEL please refer to
http://fedoraproject.org/wiki/EPEL.Install mod_securityInstall the security module:
The mod_security package can be installed with the following command:
$ sudo yum install mod_securitymod_security provides an additional level of protection for the web server by
enabling the administrator to implement content access policies and filters at the
application layer.CCE-80321-3Deploy mod_sslBecause HTTP is a plain text protocol, all traffic is susceptible to passive
monitoring. If there is a need for confidentiality, SSL/TLS should be configured
and enabled to encrypt content.
Note: mod_nss is a FIPS 140-2 certified alternative to mod_ssl.
The modules share a considerable amount of code and should be nearly identical
in functionality. If FIPS 140-2 validation is required, then mod_nss should
be used. If mod_ssl provides some feature that is needed, or its greater
compatibility is required, then mod_ssl should be used.

Require Client Certificates
SSLVerifyClient should be set and configured to require by
setting the following in /etc/httpd/conf/httpd.conf (or in the SSL virtual host
in /etc/httpd/conf.d/ssl.conf, which is where it takes effect on a stock RHEL 7 system):
SSLVerifyClient require
The directive only has an effect in a context where SSLEngine is on, and the CA that
issues the client certificates must be configured with SSLCACertificateFile (or
SSLCACertificatePath) so that httpd can validate the presented certificate chain.
RHEL-07-WG140
Web sites requiring authentication within the DoD must utilize PKI as an
authentication mechanism for web users. Information systems residing behind web
servers requiring authorization based on individual identity must use the
identity provided by certificate-based authentication to support access control
decisions.
CCE-80558-0

Enable Transport Layer Security (TLS) Encryption
Disable the old SSL and TLS versions and enable the latest TLS encryption by setting
the following in /etc/httpd/conf.d/ssl.conf (the mod_ssl configuration file on RHEL 7;
/etc/httpd/conf.modules.d/00-ssl.conf only contains the LoadModule line):
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Make sure to also set SSLEngine to on in
/etc/httpd/conf.d/ssl.conf like the following:
SSLEngine on
With this setting only TLSv1.2 remains enabled on the httpd 2.4.6 and OpenSSL 1.0.2 shipped
with RHEL 7; verify that every client that must connect supports it before deploying.
Restrict SSLCipherSuite to strong ciphers as well, since the protocol version alone does not
prevent negotiation of a weak cipher.
RHEL-07-WG340
Transport Layer Security (TLS) encryption is a required security setting for a
private web server. Encryption of private information is essential to ensuring
data confidentiality. If private information is not encrypted, it can be
intercepted and easily read by an unauthorized party. A web server must
use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions
must be disabled.
CCE-80557-2

Configure A Valid Server Certificate
Configure the web site to use a valid organizationally defined certificate.
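The following script is an added example and is not part of this guide or of the scap-security-guide project. It checks an ssl.conf for the SSLProtocol and SSLEngine settings required by the Enable Transport Layer Security rule above, and for the SSLCertificateFile and SSLCertificateKeyFile directives that this rule's organizational certificate is installed through. The file names and the two sample configurations are constructed for the demonstration; the weak sample has the shape of the stock RHEL 7 ssl.conf.

```shell
#!/bin/sh
# Added example (not from the SCAP guide): audit an httpd SSL configuration for
# the SSLProtocol, SSLEngine and certificate directives discussed above.
# Sample file names and contents below are constructed for the demonstration.

# Value of the last uncommented occurrence of a directive in a file.
# httpd directive names are case-insensitive, and the last occurrence wins.
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# Is protocol $2 enabled by the SSLProtocol value $1?  An empty value means
# httpd's default "all"; "-X" removes X, while "all", "+X" or a bare "X" add it.
proto_enabled() {
    p=" ${1:-all} "
    case "$p" in *" -$2 "*) return 1 ;; esac
    case "$p" in *" all "*|*" +all "*|*" $2 "*|*" +$2 "*) return 0 ;; esac
    return 1
}

# Print every deviation from the rule; return 0 only when the file is compliant.
audit_ssl_conf() {
    f=$1; rc=0
    proto=$(conf_value "$f" SSLProtocol)
    for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        if proto_enabled "$proto" "$old"; then
            echo "$f: SSLProtocol '${proto:-<unset, default all>}' still allows $old"; rc=1
        fi
    done
    if ! proto_enabled "$proto" TLSv1.2; then
        echo "$f: SSLProtocol '$proto' leaves no modern TLS version enabled"; rc=1
    fi
    engine=$(conf_value "$f" SSLEngine | tr 'A-Z' 'a-z')
    if [ "$engine" != "on" ]; then
        echo "$f: SSLEngine is '${engine:-<unset>}', expected 'on'"; rc=1
    fi
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        [ -n "$(conf_value "$f" "$d")" ] || { echo "$f: $d is not set"; rc=1; }
    done
    return $rc
}

# Constructed samples: the shape of the stock RHEL 7 ssl.conf, and the hardened form.
WORK=$(mktemp -d)
WEAK_CONF=$WORK/ssl-weak.conf
GOOD_CONF=$WORK/ssl-good.conf
cat > "$WEAK_CONF" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
cat > "$GOOD_CONF" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
# SSLProtocol all -SSLv2            <- replaced by the line below
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateFile /etc/pki/tls/certs/www.example.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key
</VirtualHost>
EOF

audit_ssl_conf "$WEAK_CONF" || echo "$WEAK_CONF: NOT compliant"
audit_ssl_conf "$GOOD_CONF" && echo "$GOOD_CONF: compliant"
```

On a live system call audit_ssl_conf with /etc/httpd/conf.d/ssl.conf as the argument. The certificate file named by SSLCertificateFile is checked separately with openssl x509 -noout -subject -issuer -dates -in FILE, whose output gives the three fields (subject, issuer, validity period) that the certificate rule asks a reviewer to verify.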
For DoD, this is a DoD server certificate issued by the DoD CA.
RHEL-07-WG350
This check verifies that the DoD CA is the issuer of the hosted web site's certificate,
that is, that the certificate is a DoD-issued server certificate used by the organization being
reviewed. The certificate is used to verify the authenticity of the web site to the user.
If the certificate is not for the server (Certificate belongs to), if the
certificate is not issued by DoD (Certificate was issued by), or if the current
date is not within the validity period (Certificate is valid from), then there
is no assurance that the use of the certificate is valid. The entire purpose of
using a certificate is, therefore, compromised. Check all three fields on the certificate
file itself (subject, issuer and the notBefore/notAfter dates), not only in a browser,
since a browser may have been configured to trust a non-organizational CA.
CCE-80559-8

Install mod_ssl
Install the mod_ssl module. The mod_ssl package can be installed with the following command:
$ sudo yum install mod_ssl
mod_ssl provides encryption capabilities for the httpd Web server. Unencrypted
content is transmitted in plain text which could be passively monitored and accessed by
unauthorized parties. Installing the package also drops /etc/httpd/conf.d/ssl.conf, which
configures an SSL virtual host on port 443 that references a self-signed localhost
certificate; replace that certificate with the organizational one as described above.
CCE-80320-5

Directory Restrictions
The Directory tags in the web server configuration file allow finer grained access
control for a specified directory. All web directories should be configured on a
case-by-case basis, allowing access only where needed.

Restrict Web Directory
The default configuration for the web (/var/www/html) Directory allows directory
indexing (Indexes) and the following of symbolic links (FollowSymLinks).
Neither of these is recommended.
The /var/www/html directory hierarchy should not be viewable via the web, and
symlinks should only be followed if the owner of the symlink also owns the linked file.
Ensure that this policy is adhered to by altering the related section of the configuration:
<Directory "/var/www/html">
    # ...
    Options SymLinksIfOwnerMatch
    # ...
</Directory>
Because an Options line without a leading + or - replaces the inherited option list
entirely, this single line both removes Indexes and FollowSymLinks and keeps only
SymLinksIfOwnerMatch; an Options line written with relative operators (such as -Indexes)
would instead be merged with the parent directory's Options.
Access to the web server's directory hierarchy could allow access to unauthorized files
by web clients. Following symbolic links could also allow such access.
CCE-80317-1

Restrict Other Critical Directories
All accessible web directories should be configured with similarly restrictive settings.
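The script below is an added example, not part of this guide or of the scap-security-guide project. It summarizes every Directory block in an httpd configuration file and flags the settings that the Restrict Web Directory rule above and this rule warn about: Indexes or FollowSymLinks in Options, a missing or permissive AllowOverride, and a block with no access control directive at all. The two sample configurations are constructed for the demonstration; the first has the shape of the Directory blocks in the stock RHEL 7 httpd.conf.

```shell
#!/bin/sh
# Added example (not from the SCAP guide): summarize every <Directory> block in
# an httpd configuration and flag the settings the Restrict Web Directory and
# Restrict Other Critical Directories rules warn about. Samples are constructed.

# One tab-separated line per block: path, Options, AllowOverride, access directive.
# Nested blocks (Files, LimitExcept) are not tracked separately in this demo.
directory_summary() {
    awk '
        tolower($1) == "<directory" {
            path = $2; sub(/>.*$/, "", path); gsub(/"/, "", path)
            opts = "(default)"; ovr = "(default)"; acc = "(none)"
        }
        path != "" && tolower($1) == "allowoverride" { ovr = $2 }
        path != "" && tolower($1) == "order"         { acc = "Order " $2 }
        path != "" && tolower($1) == "options"       { $1 = ""; sub(/^ +/, ""); opts = $0 }
        path != "" && tolower($1) == "require"       { $1 = ""; sub(/^ +/, ""); acc = "Require " $0 }
        tolower($1) == "</directory>" { print path "\t" opts "\t" ovr "\t" acc; path = "" }
    ' "$1"
}

# Print findings per block; return 0 only when nothing is flagged.
audit_directories() {
    TAB=$(printf '\t')
    findings=$(directory_summary "$1" | while IFS="$TAB" read -r path opts ovr acc; do
        if [ "$opts" = "(default)" ]; then
            echo "$path: no Options directive; httpd's default (FollowSymLinks) applies"
        else
            case " $opts " in *" Indexes "*|*" +Indexes "*|*" All "*)
                echo "$path: Options permits directory indexing ($opts)" ;; esac
            case " $opts " in *" FollowSymLinks "*|*" +FollowSymLinks "*|*" All "*)
                echo "$path: Options follows every symlink ($opts); use SymLinksIfOwnerMatch" ;; esac
        fi
        case "$ovr" in
            [Nn]one)     ;;
            "(default)") echo "$path: no AllowOverride directive; set AllowOverride None explicitly" ;;
            *)           echo "$path: AllowOverride '$ovr' honours .htaccess files; expected None" ;;
        esac
        [ "$acc" != "(none)" ] || echo "$path: no Require/Order directive; access is not restricted explicitly"
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed samples: the Directory blocks of a stock RHEL 7 httpd.conf plus one
# application directory, and a hardened configuration following the rules above.
WORK=$(mktemp -d)
DEFAULT_CONF=$WORK/httpd-default.conf
HARDENED_CONF=$WORK/httpd-hardened.conf
cat > "$DEFAULT_CONF" <<'EOF'
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/srv/app/static">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>
EOF
cat > "$HARDENED_CONF" <<'EOF'
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>
EOF

audit_directories "$DEFAULT_CONF" || echo "$DEFAULT_CONF: NOT compliant"
audit_directories "$HARDENED_CONF" && echo "$HARDENED_CONF: compliant"
```

Run it against /etc/httpd/conf/httpd.conf and each file under /etc/httpd/conf.d to cover virtual hosts; the summary is deliberately one line per block so it can be diffed between audits. The stock configuration yields four findings (two blocks relying on the default Options, and Indexes plus FollowSymLinks on the document root), the hardened one none.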
The Options directive should be limited to necessary functionality and the AllowOverride
directive should be used only if needed. The Order and Deny access control directives
should be used to deny access by default, allowing access only where necessary. On the
httpd 2.4 shipped with RHEL 7, Order/Allow/Deny are provided by the compatibility module
mod_access_compat; the native 2.4 form is Require all denied in the block that denies by
default and Require all granted (or a narrower Require) where access is intended.
Directories accessible from a web client should be configured with the least amount of
access possible in order to avoid unauthorized access to restricted content or server information.
CCE-80318-9

Restrict Root Directory
The httpd root directory should always have the most restrictive configuration enabled.
<Directory />
    Options None
    AllowOverride None
    Order allow,deny
</Directory>
Order allow,deny with no Allow directive denies every request that is not explicitly
granted in a more specific Directory block; the stock RHEL 7 httpd.conf expresses the same
policy with Require all denied.
The Web Server's root directory content should be protected from unauthorized access
by web clients.
CCE-80316-3

Ignore HTTPD .htaccess Files
Set AllowOverride to None for each instance of <Directory>. This is the only effective
way to ensure .htaccess files are ignored: with any other AllowOverride value, httpd reads
.htaccess files in every directory along the requested path on each request, so a writable
content directory becomes a configuration injection point.
RHEL-07-WG400
CGI scripts represent one of the most common and exploitable means of
compromising a web server. By definition, CGI programs are executable by the operating
system of the host server. While access control is provided via the web service,
the execution of CGI programs is not otherwise limited unless the SA or Web
Manager takes specific measures. CGI programs can access and alter data files,
launch other programs and use the network. CGI programs can be written in any
available programming language. C, Perl, PHP, JavaScript, VBScript and shell
(sh, ksh, bash) are popular choices.
CCE-80554-9

Disable Anonymous FTP Access
If any directories that contain dynamic scripts can be accessed via FTP by
any group or user that does not require access, remove permissions to such
directories that allow anonymous access. Also, ensure that any such
access employs an encrypted connection.
RHEL-07-WG430
The directories containing the CGI scripts, such as Perl, must not be
accessible to anonymous users via FTP. This applies to all directories that
contain scripts that can dynamically produce web pages in an interactive manner
(i.e., scripts based upon user-provided input). Such scripts contain information
that could be used to compromise a web service, access system resources, or
deface a web site.
CCE-80553-1

Remove Write Permissions From Filesystem Paths And Server Scripts
Configure permissions for each directory named by an instance of Alias,
ScriptAlias, or ScriptAliasMatch that exists:
$ sudo find DIR -type d -exec chmod 755 {} \;
$ sudo find DIR -type f -exec chmod 555 {} \;
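As an added example that is not part of this guide or of the scap-security-guide project, the script below extracts DIR automatically from every Alias, ScriptAlias and ScriptAliasMatch directive in a configuration file and applies the two find commands above to each path, so that a directive added later is not missed. The configuration file and the directory tree are constructed for the demonstration, and the paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the SCAP guide): apply the permissions above to every
# filesystem path named by an Alias, ScriptAlias or ScriptAliasMatch directive.
# The configuration and directory tree below are constructed for the demo.

# Print the filesystem target of each Alias/ScriptAlias/ScriptAliasMatch line
# (its last argument), with quotes, trailing slashes and regex back-references
# such as "$1" removed so that only the directory part remains.
alias_targets() {
    awk 'tolower($1) ~ /^(alias|scriptalias|scriptaliasmatch)$/ { print $NF }' "$1" |
        sed -e 's/"//g' -e 's/\$[0-9].*$//' -e 's:/*$::' | sort -u
}

# Directories 755, files 555, for every target that exists as a directory.
# Paths are assumed to contain no whitespace (word splitting is used on purpose).
lock_down_alias_paths() {
    conf=$1; rc=0
    for dir in $(alias_targets "$conf"); do
        if [ ! -d "$dir" ]; then
            echo "skip: $dir (from $conf) is not a directory"; rc=1; continue
        fi
        find "$dir" -type d -exec chmod 755 {} \;
        find "$dir" -type f -exec chmod 555 {} \;
        echo "locked down $dir"
    done
    return $rc
}

# Mode string (first 10 characters of ls -l output) of a path, for verification.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed demo tree with deliberately loose permissions, and a configuration
# that references it.
WORK=$(mktemp -d)
mkdir -p "$WORK/cgi-bin/tools" "$WORK/static"
printf '#!/bin/sh\necho ok\n' > "$WORK/cgi-bin/tools/report.cgi"
printf 'hello\n' > "$WORK/static/index.html"
chmod 777 "$WORK/cgi-bin/tools" "$WORK/cgi-bin/tools/report.cgi" "$WORK/static/index.html"
DEMO_CONF=$WORK/httpd.conf
cat > "$DEMO_CONF" <<EOF
ScriptAlias /cgi-bin/ "$WORK/cgi-bin/"
Alias /static "$WORK/static"
ScriptAliasMatch "^/app/(.*)" "$WORK/cgi-bin/\$1"
Alias /missing /nonexistent/path
EOF

lock_down_alias_paths "$DEMO_CONF" || echo "some targets were skipped; review the output"
```

The ScriptAlias and ScriptAliasMatch lines resolve to the same directory and are processed once; the nonexistent target is reported and makes the function return non-zero, so a cron job built on it will surface stale directives. Because mode 555 also removes write permission from the owner, content deployment must re-grant write access while updating and run the function again afterwards.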
Where DIR is each filesystem path given as the target of an Alias,
ScriptAlias, or ScriptAliasMatch directive. Mode 555 removes write permission from the
owner as well, so the deployment process (never the httpd process) must re-grant write
access while content is updated and the commands must be run again afterwards. Directories
that legitimately need to be written by the web server (upload spools, caches) should be
kept out of the aliased script paths altogether.
RHEL-07-WG290
Excessive permissions for the anonymous web user account are one of the most
common faults contributing to the compromise of a web server. If this user is
able to upload and execute files on the web server, the organization or owner of
the server will no longer have control of the asset.
CCE-80556-4

Limit Available Methods
Web server methods are defined in section 9 of RFC 2616 (
http://www.ietf.org/rfc/rfc2616.txt).
If a web server does not require the implementation of all available methods,
they should be disabled.
Note: GET and POST are the most common methods. A majority of the others
are limited to the WebDAV protocol. httpd treats HEAD as GET without a response
body, so listing GET is sufficient to keep HEAD working; HEAD cannot be restricted
independently of GET.
<Directory /var/www/html>
    # ...
    # Only allow specific methods (method names are case-sensitive!)
    <LimitExcept GET POST>
        Order allow,deny
    </LimitExcept>
    # ...
</Directory>
On httpd 2.4 the equivalent native form inside the LimitExcept block is Require all denied.
LimitExcept only governs methods that reach the resource; TRACE is controlled by the
separate TraceEnable directive, which should be set to off.
Minimizing the number of available methods to the web client reduces risk
by limiting the capabilities allowed by the web server.
CCE-80319-7

Web Content Directories Must Not Be Shared Anonymously
Web content directories should not be shared anonymously over remote filesystems
such as NFS and SMB. Remove the shares from the applicable
directories.
RHEL-07-WG210
Sharing web content is a security risk when a web server is involved. Users
accessing the share anonymously could gain privileged access to the
content of such directories. Network sharable directories expose those
directories and their contents to unnecessary access. Any unnecessary exposure
increases the risk that someone could exploit that access and either compromise
the web content or cause web server performance problems.
CCE-80555-6

Configure PHP Securely
PHP is a widely-used and often misconfigured server-side scripting language. It should
be used with caution, but configured appropriately when needed.
Review /etc/php.ini and make the following changes if possible:
# Do not expose PHP error messages to external users
display_errors = Off
# Enable safe mode
safe_mode = On
# Only allow access to executables in isolated directory
safe_mode_exec_dir = php-required-executables-path
# Limit external access to PHP environment
safe_mode_allowed_env_vars = PHP_
# Restrict PHP information leakage
expose_php = Off
# Log all errors
log_errors = On
# Do not register globals for input data
register_globals = Off
# Minimize allowable PHP post size
post_max_size = 1K
# Ensure PHP redirects appropriately
cgi.force_redirect = 0
# Disallow uploading unless necessary
file_uploads = Off
# Disallow opening remote URLs through the file functions (fopen, include, etc.)
allow_url_fopen = Off
# Enable SQL safe mode
sql.safe_mode = On
Several caveats apply to this list on RHEL 7, whose php package is version 5.4.
safe_mode, safe_mode_exec_dir, safe_mode_allowed_env_vars and register_globals were removed
in PHP 5.4 and are ignored there (PHP logs a "no longer available" warning at startup);
they are kept above for older interpreters. cgi.force_redirect defaults to 1 and should
stay at 1 when PHP runs as a CGI binary, because 0 allows the binary to be invoked directly
with a user-chosen script path; the setting has no effect under mod_php. post_max_size = 1K
rejects practically every form submission, so use the smallest value the application
actually needs and keep upload_max_filesize below it. allow_url_fopen = Off should be
paired with allow_url_include = Off. Test the application after each change; these are
restrictions on PHP as a whole, not on a single site.

Minimize Web Server Loadable Modules
A default installation of httpd includes a plethora of dynamically shared objects (DSO)
that are loaded at run-time. Unlike compiled-in modules, a DSO can be
disabled in the configuration file by removing the corresponding LoadModule directive.
On RHEL 7 the LoadModule directives live in the files under /etc/httpd/conf.modules.d/
(for example 00-base.conf, 00-proxy.conf and 01-cgi.conf), which httpd.conf pulls in with
a wildcard Include; that is where the lines shown in this section are found.
Note: A DSO only provides additional functionality if associated directives are included
in the httpd configuration file. It should also be noted that removing a DSO will produce
errors on httpd startup if the configuration file contains directives that apply to that
module. Refer to http://httpd.apache.org/docs/ for details on which directives
are associated with each DSO.
Following each DSO removal, the configuration can be tested with the following command
to check if everything still works (on RHEL 7 the service wrapper no longer accepts a
configtest action, so invoke httpd's own syntax check):
$ sudo apachectl configtest
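The script below is an added example, not part of this guide or of the scap-security-guide project. It reads the active LoadModule lines from a conf.modules.d directory, reports the modules that the rules in this section say to disable unless their directives are used, checks that a core set is present, and can comment out a module's LoadModule line in place. The sample configuration files are constructed (an abridged version of the RHEL 7 defaults), and the core module list is an assumption for httpd 2.4 as shipped in RHEL 7.

```shell
#!/bin/sh
# Added example (not from the SCAP guide): list the modules a conf.modules.d
# directory actually loads, flag the ones this section says to remove unless
# needed, and check that the core modules are present. The sample files
# below are constructed; the core list is an assumption for httpd 2.4 on RHEL 7.

# Names from every active (uncommented) LoadModule line in DIR/*.conf.
loaded_modules() {
    cat "$1"/*.conf 2>/dev/null | awk 'tolower($1) == "loadmodule" { print $2 }' | sort -u
}

# Modules this section recommends disabling when none of their directives are used.
REVIEW_MODULES="ldap_module authnz_ldap_module mime_magic_module auth_digest_module
status_module speling_module cgi_module dav_module dav_fs_module proxy_module
rewrite_module cache_module info_module include_module"

# Core modules for httpd 2.4 (authn_core/authz_core replace 2.2's *_default modules).
CORE_MODULES="authn_core_module authz_core_module authz_host_module log_config_module
logio_module setenvif_module mime_module dir_module alias_module"

# Print findings; return 0 only when nothing needs attention.
audit_modules() {
    dir=$1; rc=0
    loaded=$(loaded_modules "$dir")
    for m in $REVIEW_MODULES; do
        if echo "$loaded" | grep -qx "$m"; then
            echo "review: $m is loaded; comment out its LoadModule line unless its directives are used"
            rc=1
        fi
    done
    for m in $CORE_MODULES; do
        if ! echo "$loaded" | grep -qx "$m"; then
            echo "missing: core module $m is not loaded"; rc=1
        fi
    done
    return $rc
}

# Comment out the LoadModule line(s) for module $2 in every DIR/*.conf file.
disable_module() {
    for f in "$1"/*.conf; do
        sed "s/^\([[:space:]]*LoadModule[[:space:]][[:space:]]*$2[[:space:]]\)/#\1/" "$f" > "$f.tmp" &&
            mv "$f.tmp" "$f"
    done
}

# Constructed conf.modules.d with the shape of the RHEL 7 defaults (abridged).
MODDIR=$(mktemp -d)
cat > "$MODDIR/00-base.conf" <<'EOF'
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
#LoadModule speling_module modules/mod_speling.so
LoadModule rewrite_module modules/mod_rewrite.so
EOF
cat > "$MODDIR/00-proxy.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
EOF
cat > "$MODDIR/01-cgi.conf" <<'EOF'
<IfModule mpm_prefork_module>
    LoadModule cgi_module modules/mod_cgi.so
</IfModule>
EOF

audit_modules "$MODDIR" || echo "$MODDIR: modules need review"
```

On a live system point audit_modules at /etc/httpd/conf.modules.d and compare its list with the output of httpd -M, which shows the modules the running configuration actually loads, including any compiled in. After each disable_module call, run apachectl configtest before restarting: a directive that belongs to the removed module will now fail the syntax check, which is exactly the signal that the module was still in use.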
The purpose of each of the modules loaded by default will now be addressed one at a time.
If none of a module's directives are being used, remove it.

httpd Core Modules
These modules comprise a basic subset of modules that are likely needed for base httpd
functionality; ensure they are not commented out in /etc/httpd/conf/httpd.conf (on RHEL 7,
in /etc/httpd/conf.modules.d/00-base.conf):
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
This list dates from httpd 2.2. In the httpd 2.4 shipped with RHEL 7, mod_authn_default and
mod_authz_default no longer exist; their roles are taken by mod_authn_core and mod_authz_core,
which must be loaded for the Require directive to work. mod_autoindex is only needed if
directory indexing is intentionally enabled somewhere, which the Restrict Web Directory rule
advises against, and mod_negotiation only if content negotiation (MultiViews, type maps) is used.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.

Disable LDAP Support
The ldap module provides HTTP authentication via an LDAP directory.
If its functionality is unnecessary, comment out the related modules:
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
If LDAP is to be used, TLS (LDAPS or STARTTLS) should be used for the directory connection
as well, so that credentials and group lookups do not cross the network in clear text.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80306-4

Disable MIME Magic
The mime_magic module provides a second layer of MIME support that in most configurations
is likely extraneous. If its functionality is unnecessary, comment out the related module:
#LoadModule mime_magic_module modules/mod_mime_magic.so
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80308-0

Disable HTTP Digest Authentication
The auth_digest module provides HTTP Digest authentication, in which the password is not
sent in clear text but hashed together with a server nonce (the session itself is not
encrypted by it). If this functionality is unnecessary, comment out the related module:
#LoadModule auth_digest_module modules/mod_auth_digest.so
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80304-9

Disable Server Activity Status
The status module provides real-time access to statistics on the internal operation of
the web server. This may constitute an unnecessary information leak and should be disabled
unless necessary. To do so, comment out the related module:
#LoadModule status_module modules/mod_status.so
If there is a critical need for this module, ensure that access to the status
page is properly restricted to a limited set of hosts in the status handler
configuration, and do not turn on ExtendedStatus on an exposed server, since it reveals
the URLs and client addresses of in-flight requests.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80310-6

Disable URL Correction on Misspelled Entries
The speling module attempts to find a document match by allowing one misspelling in an
otherwise failed request. If this functionality is unnecessary, comment out the module:
#LoadModule speling_module modules/mod_speling.so
This functionality weakens server security by making site enumeration easier.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80312-2

Disable CGI Support
The cgi module lets httpd execute CGI programs (external scripts and binaries) to
generate responses. If this functionality is unnecessary, comment out the module:
#LoadModule cgi_module modules/mod_cgi.so
If the web server requires the use of CGI, enable mod_cgi (or mod_cgid when a threaded
MPM such as worker or event is in use; on RHEL 7 conf.modules.d/01-cgi.conf selects the
right one for the configured MPM).
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80315-5

Disable WebDAV (Distributed Authoring and Versioning)
WebDAV is an extension of the HTTP protocol that provides distributed and
collaborative access to web content. If its functionality is unnecessary,
comment out the related modules:
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
If there is a critical need for WebDAV, extra care should be taken in its configuration.
Since DAV access allows remote clients to manipulate server files, any location on the
server that is DAV enabled should be protected by access controls.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80309-8

Disable Proxy Support
The proxy module provides proxying support, allowing httpd to forward requests and
serve as a gateway for other servers. If its functionality is unnecessary, comment out the module:
#LoadModule proxy_module modules/mod_proxy.so
If proxy support is needed, load mod_proxy and the appropriate proxy protocol handler
module (one of mod_proxy_http, mod_proxy_ftp, or mod_proxy_connect). Additionally,
make certain that a server is secure before enabling proxying, as open proxy servers
are a security risk: leave ProxyRequests off unless a forward proxy is intended, since
a reverse proxy configured with ProxyPass does not need it. mod_proxy_balancer enables
load balancing, but its balancer-manager handler requires mod_status.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80313-0

Disable HTTP mod_rewrite
The mod_rewrite module is very powerful and can protect against
certain classes of web attacks. However, it is also very complex and has a
significant history of vulnerabilities itself. If its functionality is
unnecessary, comment out the related module:
#LoadModule rewrite_module modules/mod_rewrite.so
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80305-6

Disable Cache Support
The cache module allows httpd to cache data, optimizing access to
frequently accessed content. However, it introduces potential security flaws
such as the possibility of circumventing Allow and Deny directives: with the
default CacheQuickHandler On, a cached response is served before the
authentication and authorization phases run.
If this functionality is unnecessary, comment out the module:
#LoadModule cache_module modules/mod_cache.so
If caching is required, it should not be enabled for any limited-access content.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80314-8

Disable Web Server Configuration Display
The info module creates a web page illustrating the configuration of the web server. This
can create an unnecessary information leak and should be disabled.
If its functionality is unnecessary, comment out the module:
#LoadModule info_module modules/mod_info.so
If there is a critical need for this module, use the Location directive to provide
an access control list to restrict access to the information.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80311-4

Disable Server Side Includes
Server Side Includes provide a method of dynamically generating web pages through the
insertion of server-side code. However, the technology is also deprecated and
introduces significant security concerns.
If this functionality is unnecessary, comment out the related module:
#LoadModule include_module modules/mod_include.so
If there is a critical need for Server Side Includes, they should be enabled with the
option IncludesNoExec to prevent arbitrary code execution. Additionally, user
supplied data should be encoded to prevent cross-site scripting vulnerabilities.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
CCE-80307-2

Enable log_config_module For HTTPD Logging
The log_config_module should exist and be loaded (its LoadModule line is shown in the
httpd Core Modules list above; on RHEL 7 it is in /etc/httpd/conf.modules.d/00-base.conf
rather than in /etc/httpd/conf/httpd.conf), and /etc/httpd/conf/httpd.conf should
define the access log with LogFormat and CustomLog so that the module actually records
requests. The module name as it appears in the LoadModule directive is:
log_config_module
RHEL-07-WG240
A major tool in exploring the web site use, attempted use, unusual conditions,
and problems is the information recorded in the access and error logs. In the event of a
security incident, these logs can provide the SA and the web manager with
valuable information. Without these log files, SAs and web managers are
seriously hindered in their efforts to respond appropriately to suspicious or
criminal actions targeted at the web site.
CCE-80552-3

Minimize Modules for HTTP Basic Authentication
The following modules are necessary if this web server will provide content that will
be restricted by a password.
Authentication can be performed using local plain text password files (authn_file),
local DBM password files (authn_dbm) or an LDAP directory. The only module required by
the web server depends on your choice of authentication. Comment out the modules you don't
need from the following:
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
Basic authentication sends the password base64-encoded, not encrypted, with every request,
so it must only be offered over TLS.
authn_alias allows for authentication based on aliases. authn_anon
allows anonymous authentication similar to that of anonymous ftp sites. authz_owner
allows authorization based on file ownership. authz_dbm allows for authorization
based on group membership if the web server is using DBM authentication.
If the above functionality is unnecessary, comment out the related module:
#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
Note that mod_authn_alias does not exist in httpd 2.4; its function is provided by the
AuthnProviderAlias directive of mod_authn_core.

Minimize Configuration Files Included
The Include directive directs httpd to load supplementary configuration files
from a provided path. The default configuration loads all files that end in .conf
from the /etc/httpd/conf.d directory.
To restrict excess configuration, the following line should be commented out and
replaced with Include directives that only reference required configuration files:
#Include conf.d/*.conf
If the above change was made, ensure that the SSL encryption remains loaded by
explicitly including the corresponding configuration file:
Include conf.d/ssl.conf
If PHP is necessary, a similar alteration must be made:
Include conf.d/php.conf
On RHEL 7 httpd.conf contains a second wildcard include for the conf.modules.d directory,
which loads the LoadModule files; apply the same treatment to it if module loading is to be
pinned to an explicit list.
Explicitly listing the configuration files to be loaded during web server start-up avoids
the possibility of unwanted or malicious configuration files being automatically included as
part of the server's running configuration.

Minimize Various Optional Components
The following modules perform very specific tasks, sometimes providing access to
just a few additional directives. If such functionality is not required (or if you
are not using these directives), comment out the associated module:
External filtering (response passed through external program prior to client delivery):
#LoadModule ext_filter_module modules/mod_ext_filter.so
User-specified Cache Control and Expiration:
#LoadModule expires_module modules/mod_expires.so
Compression Output Filter (provides content compression prior to client delivery):
#LoadModule deflate_module modules/mod_deflate.so
HTTP Response/Request Header Customization:
#LoadModule headers_module modules/mod_headers.so
User activity monitoring via cookies:
#LoadModule usertrack_module modules/mod_usertrack.so
Dynamically configured mass virtual hosting:
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
Before removing mod_headers, note that it is the module that sets security response headers
(for example Strict-Transport-Security) through the Header directive. Conversely, mod_deflate
should not compress TLS-protected responses that mix secrets with attacker-influenced content,
because the compressed size leaks information about the secrets.
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.

Configure PERL Securely
PERL (Practical Extraction and Report Language) is an interpreted language
optimized for scanning arbitrary text files, extracting information from those
text files, and printing reports based on that information. The language is
often used in shell scripting and is intended to be a practical, easy to use, and
efficient means of generating interactive web pages for the user.

Configure HTTP PERL Scripts To Use TAINT Option
If the mod_perl module is installed, enable Perl taint checking for the scripts it runs.
To enable Perl taint checking, add or uncomment the following in /etc/httpd/conf.d/perl.conf
(the mod_perl configuration file on RHEL 7; it may also be placed in /etc/httpd/conf/httpd.conf):
PerlSwitches -T
RHEL-07-WG460
PERL (Practical Extraction and Report Language) is an interpreted language
optimized for scanning arbitrary text files, extracting information from those
text files, and printing reports based on that information. The language is
often used in shell scripting and is intended to be a practical, easy to use, and
efficient means of generating interactive web pages for the user. Unfortunately,
many widely available freeware PERL programs (scripts) are extremely insecure.
Exploitation is most readily accomplished by a malicious user substituting input to a
PERL script during a POST or a GET operation.
Consequently, the developers of
PERL have built in a mechanism named taint mode that protects the system from
malicious input sent from outside the program. When data is tainted, it
cannot be used in anything that affects the world outside the program, such as eval(),
system(), exec(), pipes, or popen(), until a validated value has been extracted from it
with a regular expression match; otherwise the script dies with an "Insecure dependency"
error. The -T on the PerlSwitches line governs mod_perl's embedded interpreter; CGI scripts
run by mod_cgi take taint mode from their own #! line (for example #!/usr/bin/perl -T).
CCE-80560-6

Configure HTTPD-Served Web Content Securely
Running httpd inside a chroot jail is designed to isolate the
web server process to a small section of the filesystem, limiting the damage if
it is compromised. Apache 2.2.10 and later (including the httpd 2.4 shipped with
Red Hat Enterprise Linux 7) provide the ChrootDir directive. To run Apache
inside a chroot jail in /chroot/apache, add the following line to
/etc/httpd/conf/httpd.conf:
ChrootDir /chroot/apache
This necessitates placing all files required by httpd inside
/chroot/apache, including httpd's binaries, modules,
configuration files, and served web pages. The details of this configuration
are beyond the scope of this guide. This may also require additional SELinux
configuration.

Web Login Banner Verbiage
Enter an appropriate login banner for your organization. Please note that new lines must
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.
The selectable values of this variable are regular expressions that match one of the following banner texts, with any run of whitespace or newlines accepted between words:

1. "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."

2. "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."

3. The full USG notice and consent banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - At any time, the USG may inspect and seize data stored on this IS. - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

4. Either the full banner of item 3 or the short form of item 5, anchored so that the whole banner must be one of the two.

5. The short form: "I've read & consent to terms in IS user agreem't."

Ensure Web Content Located on Separate partition
The DocumentRoot directory is used for storing web content and data.
Ensure that the DocumentRoot directory exists on a separate logical
volume at installation time, or migrate it using LVM. Verify with findmnt or df that the
DocumentRoot (and any other content root) is the mount point of its own filesystem rather
than a directory on the root filesystem.
RHEL-07-WG205
Application partitioning enables an additional security measure by securing
user traffic under one security context, while managing system and application
files under another. Web content is accessible to an anonymous web user. For such
an account to have access to system files of any type is a major security risk
that is avoidable and should be avoided. Failure to partition the system files from the
web site documents increases the risk of attack via directory traversal, or impedes
web site availability due to drive space exhaustion.

Disable Web Content Symbolic Links
For each <Directory> instance, remove the following:
FollowSymLinks
If symbolic links are allowed, the following can be added for each
<Directory> instance:
Options SymLinksIfOwnerMatch
SymLinksIfOwnerMatch follows a link only when the link and its target have the same owner,
so it protects nothing if content is owned by the httpd run-time user, which a compromised
script could use to create such links; keep web content owned by a separate deployment account.
RHEL-07-WG360
A symbolic link allows a file or a directory to be referenced using a symbolic
name, raising a potential hazard if symbolic linkage is made to a sensitive area.
When web scripts are executed and symbolic links are allowed, the web user could
be allowed to access locations on the web server that are outside the scope of
the web document root or home directory.

Remove .java And .jpp Files
.java and .jpp files should not exist and should be removed
from the web server.
RHEL-07-WG490
From the source code in a .java or a .jpp file, the Java compiler produces a
binary file with an extension of .class. The .java or .jpp file would,
therefore, reveal sensitive information regarding an application's logic and
permissions to resources on the server. By contrast, the .class file, because it
is intended to be machine independent, is referred to as bytecode. Bytecodes are
run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE),
via a browser configured to permit Java code.

Each Web Content Directory Must Contain An index.html File
Every DocumentRoot that is configured should have an
index.html file that exists. Add an index.html file to every
configured DocumentRoot. The same applies to every subdirectory reachable by URL, since a
directory without an index file either produces a listing (if Indexes is on) or a 403
response that confirms the directory exists.
RHEL-07-WG170
The goal is to completely control the web user's experience in navigating any
portion of the web document root directories. Ensuring all web content
directories have at least the equivalent of an index.html file is a significant
factor to accomplish this end. Also, enumeration techniques, such as URL
parameter manipulation, rely upon being able to obtain information about the web
server's directory structure by locating directories with default pages. This
practice helps ensure that the anonymous web user will not obtain directory
browsing information or an error message that reveals the server type and
version.The robots.txt Files Must Not ExistRemove any robots.txt files that may exist with any web content.
Other methods must be employed if there is information on the web site that
needs protection from search engines and public view. Inspect all instances of
DocumentRoot and Alias and remove any robots.txt file.
$ sudo rm -f path/to/robots.txtRHEL-07-WG310Search engines are constantly at work on the Internet. Search engines are
augmented by agents, often referred to as spiders or bots, which endeavor to
capture and catalog web-site content. In turn, these search engines make the
content they obtain and catalog available to any public web user.
To request
that a well behaved search engine not crawl and catalog a site, the web site may
contain a file called robots.txt. This file contains directories and files that
the web server SA desires not be crawled or cataloged, but this file can also be
used, by an attacker or poorly coded search engine, as a directory and file
index to a site. This information may be used to reduce an attacker's time
searching and traversing the web site to find files that might be relevant. If
information on the web site needs to be protected from search engines and public
view, other methods must be used.Configure A Banner Page For Each WebsiteConfigure a login banner for each website when authentication is required for
user access.RHEL-07-WG265A consent banner will be in place to make prospective entrants aware that the
website they are about to enter is a DoD web site and their activity is subject
to monitoring. The document, DoDI 8500.01, establishes the policy on the use of
DoD information systems. It requires the use of a standard Notice and Consent
Banner and standard text to be included in user agreements. The requirement for
the banner is for websites with security and access controls. These are
restricted and not publicly accessible. If the website does not require
authentication/authorization for use, then the banner does not need to be
present. A manual check of the document root directory for a banner page file
(such as banner.html) or navigation to the website via a browser can be used to
confirm the information provided from interviewing the web staff.Encrypt All File UploadsUse only secure encrypted logons and connections for uploading files to the web
site.RHEL-07-WG235Logging in to a web server via an unencrypted protocol or service, to upload
documents to the web site, is a risk if proper encryption is not utilized to
protect the data being transmitted. An encrypted protocol or service must be
used for remote access to web administration tasks.System Security Services DaemonThe System Security Services Daemon (SSSD) is a system daemon that provides access
to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
support to systems utilizing SSSD. SSSD using caching to reduce load on authentication
servers permit offline authentication as well as store extended user data.
For more information, see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.htmlSSSD ssh_known_hosts_timeout optionValue of the ssh_known_hosts_timeout option in the [ssh] section
of SSSD configuration file /etc/sssd/sssd.conf.300180018086400180900600SSSD memcache_timeout optionValue of the memcache_timeout option in the [nss] section
of SSSD config /etc/sssd/sssd.conf.300180030086400180900600Install sssd-ipa PackageThe sssd-ipa package can be installed with the following command:
$ sudo yum install sssd-ipaSRG-OS-000480-GPOS-00227sssd-ipa provides the IPA back end that the SSSD can utilize to
fetch identity data from and authenticate against an IPA server.CCE-82993-7
Remediation Shell script:
if ! rpm -q --quiet "sssd-ipa" ; then
    yum install -y "sssd-ipa"
fi

Remediation Ansible snippet:
- name: Ensure sssd-ipa is installed
  package:
    name: sssd-ipa
    state: present
  tags:
  - package_sssd-ipa_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82993-7

Remediation Puppet snippet:
include install_sssd-ipa
class install_sssd-ipa {
  package { 'sssd-ipa':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=sssd-ipa
Install the SSSD Package
The sssd package should be installed.
The sssd package can be installed with the following command:
$ sudo yum install sssd
References: CIS CSC 1, 12, 15, 16, 5; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; ISA 62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; ISA 62443-3-3 SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001 A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 CM-6(a); NIST CSF PR.AC-1, PR.AC-6, PR.AC-7
Identifiers: CCE-80362-7
Remediation Shell script:
if ! rpm -q --quiet "sssd" ; then
    yum install -y "sssd"
fi

Remediation Ansible snippet:
- name: Ensure sssd is installed
  package:
    name: sssd
    state: present
  tags:
  - package_sssd_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80362-7
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include install_sssd
class install_sssd {
  package { 'sssd':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet:
package --add=sssd
Enable the SSSD Service
The SSSD service should be enabled.
The sssd service can be enabled with the following command:
$ sudo systemctl enable sssd.service
References: CIS CSC 1, 12, 15, 16, 5; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; ISA 62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; ISA 62443-3-3 SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001 A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 CM-6(a), IA-5(10); NIST CSF PR.AC-1, PR.AC-6, PR.AC-7
Identifiers: CCE-80363-5
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'sssd.service'
"$SYSTEMCTL_EXEC" enable 'sssd.service'

Remediation Ansible snippet:
- name: Enable service sssd
  block:
  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service sssd
    service:
      name: sssd
      enabled: 'yes'
      state: started
    when:
    - '"sssd" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_sssd_enabled
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80363-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(10)

Remediation Puppet snippet:
include enable_sssd
class enable_sssd {
  service {'sssd':
    enable => true,
    ensure => 'running',
  }
}
Configure SSSD's Memory Cache to Expire
SSSD's memory cache should be configured to expire records after
seconds.
To configure SSSD to expire its memory cache, set memcache_timeout to
under the
[nss] section in /etc/sssd/sssd.conf.
For example:
[nss]
memcache_timeout =
References: CIS CSC 1, 12, 15, 16, 5; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; CCI-002007; ISA 62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; ISA 62443-3-3 SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001 A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 CM-6(a), IA-5(13); NIST CSF PR.AC-1, PR.AC-6, PR.AC-7; SRG-OS-000383-GPOS-00166; SRG-OS-000383-VMM-001570
Rationale: If cached authentication information is out-of-date, the validity of the
authentication information may be questionable.
Identifiers: CCE-80364-3
Remediation Shell script:
var_sssd_memcache_timeout=""
SSSD_CONF="/etc/sssd/sssd.conf"
MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout"
NSS_REGEX="[[:space:]]*\[nss]"
# Try to find [nss] and memcache_timeout in sssd.conf: if the option exists, set it to
# var_sssd_memcache_timeout; if it isn't there, add it; if [nss] doesn't
# exist, add the section as well
if grep -qzosP $MEMCACHE_TIMEOUT_REGEX $SSSD_CONF; then
    sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout = $var_sssd_memcache_timeout/" $SSSD_CONF
elif grep -qs $NSS_REGEX $SSSD_CONF; then
    sed -i "/$NSS_REGEX/a memcache_timeout = $var_sssd_memcache_timeout" $SSSD_CONF
else
    mkdir -p /etc/sssd
    touch $SSSD_CONF
    echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> $SSSD_CONF
fi

Remediation Ansible snippet:
- name: XCCDF Value var_sssd_memcache_timeout # promote to variable
  set_fact:
    var_sssd_memcache_timeout: !!str
  tags:
  - always
- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: true
  changed_when: false
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_memcache_timeout
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80364-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
- name: Add default domain group (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    create: true
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: id_provider
    value: files
  when:
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_memcache_timeout
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80364-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
- name: Configure SSSD's Memory Cache to Expire
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: nss
    option: memcache_timeout
    value: '{{ var_sssd_memcache_timeout }}'
    create: true
    mode: 384
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_memcache_timeout
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80364-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
Configure PAM in SSSD Services
SSSD should be configured to run the SSSD pam service.
To configure SSSD to run the pam service, add pam
to services under the [sssd] section in
/etc/sssd/sssd.conf. For example:
[sssd]
services = sudo, autofs, pam
References: CIS CSC 1, 12, 15, 16, 5; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; CCI-001948, CCI-001953, CCI-001954; ISA 62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; ISA 62443-3-3 SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001 A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 IA-2(1), CM-6(a); NIST CSF PR.AC-1, PR.AC-6, PR.AC-7; SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162; DISA STIG RHEL-07-041002, SV-87051r4_rule; SRG-OS-000107-VMM-000530
Rationale: Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Identifiers: CCE-80437-7
Remediation Shell script:
SSSD_CONF="/etc/sssd/sssd.conf"
# Multi-line (grep -z) Perl regexes: a [sssd] section whose services line already
# lists pam, and a [sssd] section that has any services line at all
SSSD_SERVICES_PAM_REGEX="[[:space:]]*\[sssd]([^\n\[]*\n+)+?[[:space:]]*services[[:space:]]*=.*\bpam\b"
SSSD_SERVICES_REGEX="[[:space:]]*\[sssd]([^\n\[]*\n+)+?[[:space:]]*services[[:space:]]*="
# If there is a services line with pam, nothing to do
# If there is a services line without pam, append pam to it (inside [sssd] only)
# If there is no services line, append a [sssd] section with services = pam
if grep -qzosP "$SSSD_SERVICES_PAM_REGEX" "$SSSD_CONF"; then
    :
elif grep -qzosP "$SSSD_SERVICES_REGEX" "$SSSD_CONF"; then
    sed -i '/^[[:space:]]*\[sssd\]/,/^[[:space:]]*\[/ s/^\([[:space:]]*services[[:space:]]*=.*\)$/\1, pam/' "$SSSD_CONF"
else
    mkdir -p /etc/sssd
    printf '[sssd]\nservices = pam\n' >> "$SSSD_CONF"
fi
Enable Smartcards in SSSD
SSSD should be configured to authenticate access to the system
using smart cards. To enable smart cards in SSSD, set pam_cert_auth
to true under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
pam_cert_auth = true
References: CCI-001954; SRG-OS-000375-GPOS-00160; SRG-OS-000107-VMM-000530
Rationale: Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
Identifiers: CCE-80570-5
Remediation Shell script:
SSSD_CONF="/etc/sssd/sssd.conf"
SSSD_OPT="pam_cert_auth"
SSSD_OPT_VAL=true
PAM_REGEX="[[:space:]]*\[pam]"
PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}"
# If [pam] and pam_cert_auth exist, set the option; if only [pam] exists, add the
# option to it; otherwise add both the section and the option
if grep -qzosP $PAM_OPT_REGEX $SSSD_CONF; then
    sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" $SSSD_CONF
elif grep -qs $PAM_REGEX $SSSD_CONF; then
    sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" $SSSD_CONF
else
    mkdir -p /etc/sssd
    touch $SSSD_CONF
    echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> $SSSD_CONF
fi

Remediation Ansible snippet:
- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: true
  changed_when: false
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_enable_smartcards
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80570-5
- name: Add default domain group (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    create: true
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: id_provider
    value: files
  when:
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_enable_smartcards
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80570-5
- name: Enable Smartcards in SSSD
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: pam
    option: pam_cert_auth
    value: true
    create: true
    mode: 384
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_enable_smartcards
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80570-5
Configure SSSD to Expire Offline Credentials
SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set
offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
References: CIS CSC 1, 12, 15, 16, 5; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; CCI-002007; ISA 62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; ISA 62443-3-3 SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001 A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 CM-6(a), IA-5(13); NIST CSF PR.AC-1, PR.AC-6, PR.AC-7; SRG-OS-000383-GPOS-00166; SRG-OS-000383-VMM-001570
Rationale: If cached authentication information is out-of-date, the validity of the
authentication information may be questionable.
Identifiers: CCE-80365-0
Remediation Shell script:
SSSD_CONF="/etc/sssd/sssd.conf"
SSSD_OPT="offline_credentials_expiration"
SSSD_OPT_VAL=1
PAM_REGEX="[[:space:]]*\[pam]"
PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}"
# Try to find [pam] and offline_credentials_expiration in sssd.conf: if it exists
# set it to 1, if it doesn't exist add it, if the [pam] section doesn't exist add
# the section and the configuration option.
if grep -qzosP $PAM_OPT_REGEX $SSSD_CONF; then
    sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" $SSSD_CONF
elif grep -qs $PAM_REGEX $SSSD_CONF; then
    sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" $SSSD_CONF
else
    mkdir -p /etc/sssd
    touch $SSSD_CONF
    echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> $SSSD_CONF
fi

Remediation Ansible snippet:
- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: true
  changed_when: false
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_offline_cred_expiration
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80365-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
- name: Add default domain group (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    create: true
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: id_provider
    value: files
  when:
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_offline_cred_expiration
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80365-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
- name: Configure SSSD to Expire Offline Credentials
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: pam
    option: offline_credentials_expiration
    value: 1
    create: true
    mode: 384
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_offline_cred_expiration
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80365-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
Configure SSSD to Expire SSH Known Hosts
SSSD should be configured to expire keys from known SSH hosts after
seconds.
To configure SSSD to expire SSH known hosts, set ssh_known_hosts_timeout
to under the
[ssh] section in /etc/sssd/sssd.conf. For example:
[ssh]
ssh_known_hosts_timeout =
References: CIS CSC 1, 12, 15, 16, 5; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10; CCI-002007; ISA 62443-2-1 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4; ISA 62443-3-3 SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001 A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 CM-6(a), IA-5(13); NIST CSF PR.AC-1, PR.AC-6, PR.AC-7; SRG-OS-000383-GPOS-00166
Rationale: If cached authentication information is out-of-date, the validity of the
authentication information may be questionable.
Identifiers: CCE-80366-8
Remediation Shell script:
var_sssd_ssh_known_hosts_timeout=""
SSSD_CONF="/etc/sssd/sssd.conf"
SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout"
SSH_REGEX="[[:space:]]*\[ssh]"
# Try to find [ssh] and ssh_known_hosts_timeout in sssd.conf: if the option exists, set it to
# var_sssd_ssh_known_hosts_timeout; if it isn't there, add it; if [ssh] doesn't
# exist, add the section as well
if grep -qzosP $SSH_KNOWN_HOSTS_TIMEOUT_REGEX $SSSD_CONF; then
    sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" $SSSD_CONF
elif grep -qs $SSH_REGEX $SSSD_CONF; then
    sed -i "/$SSH_REGEX/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" $SSSD_CONF
else
    mkdir -p /etc/sssd
    touch $SSSD_CONF
    echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> $SSSD_CONF
fi

Remediation Ansible snippet:
- name: XCCDF Value var_sssd_ssh_known_hosts_timeout # promote to variable
  set_fact:
    var_sssd_ssh_known_hosts_timeout: !!str
  tags:
  - always
- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: true
  changed_when: false
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ssh_known_hosts_timeout
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80366-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
- name: Add default domain group (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    create: true
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: id_provider
    value: files
  when:
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ssh_known_hosts_timeout
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80366-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
- name: Configure SSSD to Expire SSH Known Hosts
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: ssh
    option: ssh_known_hosts_timeout
    value: '{{ var_sssd_ssh_known_hosts_timeout }}'
    create: true
    mode: 384
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ssh_known_hosts_timeout
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80366-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
System Security Services Daemon (SSSD) - LDAP
The System Security Services Daemon (SSSD) is a system daemon that provides access
to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
support to systems utilizing SSSD. SSSD uses caching to reduce load on authentication
servers, permit offline authentication, and store extended user data.
SSSD can support many backends including LDAP. The sssd-ldap backend
allows SSSD to fetch identity information from an LDAP server.

SSSD LDAP Backend Client CA Certificate Location
Path of a directory that contains Certificate Authority certificates.
Value: /etc/openldap/cacerts

Configure SSSD LDAP Backend Client CA Certificate Location
Configure SSSD to implement cryptography to protect the
integrity of LDAP remote access sessions by setting
the ldap_tls_cacertdir option in /etc/sssd/sssd.conf
to point to the directory holding the X.509 certificates used for peer authentication:
ldap_tls_cacertdir = /path/to/tls/cacert
References: CCI-001453; NIST SP 800-53 SC-12(3), CM-6(a); SRG-OS-000250-GPOS-00093; DISA STIG RHEL-07-040190, SV-86853r4_rule
Rationale: Without cryptographic integrity protections, information can be altered by
unauthorized users without detection.
Cryptographic mechanisms used for
protecting the integrity of information include, for example, signed hash
functions using asymmetric cryptography enabling distribution of the public key
to verify the hash information while maintaining the confidentiality of the key
used to generate the hash.
Identifiers: CCE-80515-0
Remediation Shell script:
var_sssd_ldap_tls_ca_dir=""
SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir'
DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
# Try to find [domain/..] and ldap_tls_cacertdir in sssd.conf: if it exists, set it to the CA directory;
# if it isn't there, add it; if [domain/..] doesn't exist, add it here for the default domain
if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
    sed -i "s~ldap_tls_cacertdir[^(\n)]*~ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir~" $SSSD_CONF
elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
    sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF
else
    mkdir -p /etc/sssd
    touch $SSSD_CONF
    echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF
fi

Remediation Ansible snippet:
- name: XCCDF Value var_sssd_ldap_tls_ca_dir # promote to variable
  set_fact:
    var_sssd_ldap_tls_ca_dir: !!str
  tags:
  - always
- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: true
  changed_when: false
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ldap_configure_tls_ca_dir
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80515-0
  - DISA-STIG-RHEL-07-040190
  - NIST-800-53-SC-12(3)
  - NIST-800-53-CM-6(a)
- name: Add default domain group and set CA directory (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    create: true
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: id_provider
    value: files
  - section: domain/default
    option: ldap_tls_cacertdir
    value: '{{ var_sssd_ldap_tls_ca_dir }}'
  when:
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ldap_configure_tls_ca_dir
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80515-0
  - DISA-STIG-RHEL-07-040190
  - NIST-800-53-SC-12(3)
  - NIST-800-53-CM-6(a)
- name: Configure LDAPs path to CA directory
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
    option: ldap_tls_cacertdir
    value: '{{ var_sssd_ldap_tls_ca_dir }}'
    create: true
    mode: 384
  when:
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ldap_configure_tls_ca_dir
  - medium_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80515-0
  - DISA-STIG-RHEL-07-040190
  - NIST-800-53-SC-12(3)
  - NIST-800-53-CM-6(a)
Configure SSSD LDAP Backend to Use TLS For All Transactions
This check verifies that Red Hat Enterprise Linux 7 implements cryptography
to protect the integrity of remote LDAP authentication sessions.
To determine if LDAP is being used for authentication, use the following
command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is
configured to use TLS, use the following command:
$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf
References: CIS CSC 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; CCI-001453; ISA 62443-2-1 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4; SRG-OS-000250-GPOS-00093; DISA STIG RHEL-07-040180, SV-86851r4_rule
Rationale: Without cryptographic integrity protections, information can be
altered by unauthorized users without detection. The ssl directive specifies
whether to use TLS or not. If not specified it will default to no.
It should be set to start_tls rather than doing LDAP over SSL.
Identifiers: CCE-80546-5
Remediation Shell script:
AUTHCONFIG="/etc/sysconfig/authconfig"
USELDAPAUTH_REGEX="^USELDAPAUTH="
SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
# Try to find USELDAPAUTH in authconfig. If it is there set it to 'yes', otherwise append USELDAPAUTH=yes
grep -qs "^USELDAPAUTH=" "$AUTHCONFIG" && sed -i 's/^USELDAPAUTH=.*/USELDAPAUTH=yes/g' $AUTHCONFIG
if ! [ $? -eq 0 ]; then
    echo "USELDAPAUTH=yes" >> $AUTHCONFIG
fi
# Try to find [domain/..] and ldap_id_use_start_tls in sssd.conf: if it exists, set it to 'True';
# if ldap_id_use_start_tls isn't there, add it;
# if [domain/..] doesn't exist, add it here for the default domain
if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
    sed -i 's/ldap_id_use_start_tls[^(\n)]*/ldap_id_use_start_tls = True/' $SSSD_CONF
elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
    sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = True" $SSSD_CONF
else
    mkdir -p /etc/sssd
    touch $SSSD_CONF
    echo -e "[domain/default]\nldap_id_use_start_tls = True" >> $SSSD_CONF
fi

Remediation Ansible snippet:
- name: Set LDAP to be used for authentication
  lineinfile:
    path: /etc/sysconfig/authconfig
    regexp: ^USELDAPAUTH=
    line: USELDAPAUTH=yes
    create: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ldap_start_tls
  - high_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80546-5
  - DISA-STIG-RHEL-07-040180
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: true
  changed_when: false
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ldap_start_tls
  - high_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80546-5
  - DISA-STIG-RHEL-07-040180
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Add default domain group and use STARTTLS (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    create: true
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: id_provider
    value: files
  - section: domain/default
    option: ldap_id_use_start_tls
    value: true
  when:
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ldap_start_tls
  - high_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80546-5
  - DISA-STIG-RHEL-07-040180
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Configure LDAP to use STARTTLS
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
    option: ldap_id_use_start_tls
    value: true
    create: true
    mode: 384
  when:
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length > 0
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - sssd_ldap_start_tls
  - high_severity
  - unknown_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80546-5
  - DISA-STIG-RHEL-07-040180
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
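The remediation scripts above edit sssd.conf with regexes that are not section-aware; an audit needs to be, because every setting in the SSSD and SSSD-LDAP rules above is scoped to a section ([sssd] services, [pam] pam_cert_auth and offline_credentials_expiration, [nss] memcache_timeout, [ssh] ssh_known_hosts_timeout, and ldap_id_use_start_tls plus ldap_tls_cacertdir per LDAP-backed [domain/...]). The following added check (not part of the SCAP Security Guide or its remediations) reads a configuration file by section and reports each failed rule; the two sample configurations, the domain name example.com, and the chosen limits of 300 and 180 seconds are constructed assumptions.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: section-aware audit of an
# sssd.conf against the SSSD rules above. Needs only POSIX sh and awk.

# Print the value of OPTION from SECTION only (empty if absent).
sssd_get() {  # sssd_get FILE SECTION OPTION
    awk -v want="$2" -v opt="$3" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*/, "", sec); next }
        sec == want && $0 ~ ("^[ \t]*" opt "[ \t]*=") {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            print val; exit
        }' "$1"
}

# List the NAME of every [domain/NAME] section.
sssd_domains() {  # sssd_domains FILE
    awk '/^[ \t]*\[domain\// { s = $0; sub(/^[ \t]*\[domain\//, "", s); sub(/].*/, "", s); print s }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Audit FILE; print one FAIL line per finding; return the number of failed checks.
sssd_audit() {  # sssd_audit FILE MEMCACHE_MAX SSH_KNOWN_HOSTS_MAX
    conf=$1; memcache_max=$2; known_hosts_max=$3; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # [sssd] services must list pam (comma-separated list, spaces optional)
    case ",$(sssd_get "$conf" sssd services | tr -d ' ')," in
        *,pam,*) ;;
        *) fail "[sssd] services does not include pam" ;;
    esac
    [ "$(lower "$(sssd_get "$conf" pam pam_cert_auth)")" = true ] ||
        fail "[pam] pam_cert_auth is not true"
    [ "$(sssd_get "$conf" pam offline_credentials_expiration)" = 1 ] ||
        fail "[pam] offline_credentials_expiration is not 1"
    v=$(sssd_get "$conf" nss memcache_timeout)
    case $v in
        '' | *[!0-9]*) fail "[nss] memcache_timeout is missing or not numeric" ;;
        *) [ "$v" -le "$memcache_max" ] || fail "[nss] memcache_timeout $v exceeds $memcache_max" ;;
    esac
    v=$(sssd_get "$conf" ssh ssh_known_hosts_timeout)
    case $v in
        '' | *[!0-9]*) fail "[ssh] ssh_known_hosts_timeout is missing or not numeric" ;;
        *) [ "$v" -le "$known_hosts_max" ] || fail "[ssh] ssh_known_hosts_timeout $v exceeds $known_hosts_max" ;;
    esac
    # Every LDAP-backed domain must use STARTTLS and name a CA certificate directory;
    # domains with another provider (e.g. id_provider = files) are skipped.
    for d in $(sssd_domains "$conf"); do
        sec="domain/$d"
        idp=$(lower "$(sssd_get "$conf" "$sec" id_provider)")
        authp=$(lower "$(sssd_get "$conf" "$sec" auth_provider)")
        [ "$idp" = ldap ] || [ "$authp" = ldap ] || continue
        [ "$(lower "$(sssd_get "$conf" "$sec" ldap_id_use_start_tls)")" = true ] ||
            fail "[$sec] ldap_id_use_start_tls is not True"
        case $(sssd_get "$conf" "$sec" ldap_tls_cacertdir) in
            /*) ;;  # on a live host, also verify the directory exists and holds CA certs
            *) fail "[$sec] ldap_tls_cacertdir is not an absolute path" ;;
        esac
    done
    return "$fails"
}

# Constructed sample: a typical unhardened configuration (7 findings expected).
sample_conf_weak() {
cat <<'EOF'
[sssd]
domains = example.com
services = nss, sudo

[nss]
memcache_timeout = 600

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = False
EOF
}

# Constructed sample: the same host after applying the rules above (0 findings).
sample_conf_hardened() {
cat <<'EOF'
[sssd]
domains = example.com, local
services = nss, sudo, pam, ssh

[nss]
memcache_timeout = 300

[pam]
pam_cert_auth = True
offline_credentials_expiration = 1

[ssh]
ssh_known_hosts_timeout = 180

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[domain/local]
id_provider = files
EOF
}

# Usage: audit both samples with a 300 s memcache and 180 s known-hosts limit.
tmp=$(mktemp) && sample_conf_weak > "$tmp"
sssd_audit "$tmp" 300 180 || echo "weak sample: $? check(s) failed"
sample_conf_hardened > "$tmp"
sssd_audit "$tmp" 300 180 && echo "hardened sample: all checks passed"
rm -f "$tmp"
```

To audit a real host, call sssd_audit /etc/sssd/sssd.conf with the timeout values selected in the profile.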
Configure SSSD LDAP Backend Client CA Certificate
Configure SSSD to implement cryptography to protect the
integrity of LDAP remote access sessions by setting
the ldap_tls_cacert option in /etc/sssd/sssd.conf
to point to the path of the X.509 certificate used for peer authentication:
ldap_tls_cacert = /path/to/tls/ca.cert
References: CCI-001453; NIST SP 800-53 SC-12(3), CM-6(a); SRG-OS-000250-GPOS-00093; DISA STIG RHEL-07-040200, SV-86855r4_rule
Rationale: Without cryptographic integrity protections, information can be altered by
unauthorized users without detection.
Cryptographic mechanisms used for
protecting the integrity of information include, for example, signed hash
functions using asymmetric cryptography enabling distribution of the public key
to verify the hash information while maintaining the confidentiality of the key
used to generate the hash.
Identifiers: CCE-80516-8

Network Time Protocol
The Network Time Protocol is used to manage the system
clock over a network. Computer clocks are not very accurate, so
time will drift unpredictably on unmanaged systems. Central time
protocols can be used both to ensure that time is consistent among
a network of systems, and that their time is consistent with the
outside world.
If every system on a network reliably reports the same time, then it is much
easier to correlate log messages in case of an attack. In addition, a number of
cryptographic protocols (such as Kerberos) use timestamps to prevent certain
types of attacks. If your network does not have synchronized time, these
protocols may be unreliable or even unusable.
Depending on the specifics of the network, global time accuracy may be just as
important as local synchronization, or not very important at all. If your
network is connected to the Internet, using a public timeserver (or one
provided by your enterprise) provides globally accurate timestamps which may be
essential in investigating or responding to an attack which originated outside
of your network.
A typical network setup involves a small number of internal systems operating
as NTP servers, and the remainder obtaining time information from those
internal servers.
There is a choice between the daemons ntpd and chronyd, which
are available from the repositories in the ntp and chrony
packages respectively.
The default chronyd daemon can work well when external time references
are only intermittently accessible, can perform well even when the network is
congested for longer periods of time, can usually synchronize the clock faster
and with better time accuracy, and quickly adapts to sudden changes in the rate
of the clock, for example, due to changes in the temperature of the crystal
oscillator. Chronyd should be considered for all systems which are
frequently suspended or otherwise intermittently disconnected and reconnected
to a network, for example mobile and virtual systems.
The ntpd NTP daemon fully supports NTP protocol version 4 (RFC 5905),
including broadcast, multicast, manycast clients and servers, and the orphan
mode. It also supports extra authentication schemes based on public-key
cryptography (RFC 5906). The NTP daemon (ntpd) should be considered
for systems which are normally kept permanently on. Systems which are required
to use broadcast or multicast IP, or to perform authentication of packets with
the Autokey protocol, should consider using ntpd.
Refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for a more detailed comparison of the features of chronyd and ntpd, and for
further guidance on how to choose between the two NTP daemons.
The upstream manual pages at
http://chrony.tuxfamily.org/manual.html for chronyd and
http://www.ntp.org for ntpd provide additional
information on the capabilities and configuration of each of the NTP daemons.

Maximum NTP or Chrony Poll
The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
Values: 10, 10, 17

Vendor Approved Time Servers
The list of vendor-approved time servers.
Values:
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org
0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org

Install the ntp service
The ntpd service should be installed.
References: NT012(R03), 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000160, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.4
Rationale: Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services such as authentication, and so on). Ntpd is regularly maintained and updated, supporting security features such as RFC 5906.
Remediation Shell script:
if ! rpm -q --quiet "ntp" ; then
  yum install -y "ntp"
fi
Remediation Ansible snippet:
- name: Ensure ntp is installed
  package:
    name: ntp
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_ntp_installed
  - high_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - PCI-DSS-Req-10.4
  - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include install_ntp
class install_ntp {
  package { 'ntp':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=ntp
Enable the NTP Daemon
The ntpd service can be enabled with the following command:
$ sudo systemctl enable ntpd.service
References: 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4
Rationale: Enabling the ntpd service ensures that the ntpd
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.
The NTP daemon offers all of the functionality of ntpdate, which is now
deprecated. Additional information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate.
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'ntpd.service'
"$SYSTEMCTL_EXEC" enable 'ntpd.service'
Remediation Ansible snippet:
- name: Enable service ntpd
  block:
  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service ntpd
    service:
      name: ntpd
      enabled: 'yes'
      state: started
    when:
    - '"ntp" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_ntpd_enabled
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - PCI-DSS-Req-10.4
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AU-8(1)(a)
Remediation Puppet snippet:
include enable_ntpd
class enable_ntpd {
  service {'ntpd':
    enable => true,
    ensure => 'running',
  }
}
Enable the NTP Daemon
Run the following command to determine the current status of the
chronyd service:
$ systemctl is-active chronyd
If the service is running, it should return the following: active
Note: The chronyd daemon is enabled by default.
Run the following command to determine the current status of the
ntpd service:
$ systemctl is-active ntpd
If the service is running, it should return the following: active
Note: The ntpd daemon is not enabled by default. As mentioned in the previous
sections, in certain environments the ntpd daemon might be preferred over
chronyd. Refer to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for guidance on which NTP daemon to choose depending on the environment used.
References: 2.2.1.1, 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 3.3.7, CCI-000160, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4, SRG-OS-000356-VMM-001340
Rationale: Enabling either the chronyd or the ntpd service ensures
that the NTP daemon will be running and that the system will synchronize its
time to any servers specified. This is important whether the system is
configured to be a client (and synchronize only its own clock) or it is also
acting as an NTP server to other systems. Synchronizing time is essential for
authentication services such as Kerberos, but it is also important for
maintaining accurate logs and auditing possible security breaches.
The chronyd and ntpd NTP daemons offer all of the
functionality of ntpdate, which is now deprecated. Additional
information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate
Identifier: CCE-27444-9
Remediation Shell script:
if rpm -q --quiet chrony ; then
  if ! /usr/sbin/pidof ntpd ; then
    /usr/bin/systemctl enable "chronyd"
    /usr/bin/systemctl start "chronyd"
    # The service may not be running because it has been started and failed,
    # so let's reset the state so OVAL checks pass.
    # Service should be 'inactive', not 'failed' after reboot though.
    /usr/bin/systemctl reset-failed "chronyd"
  fi
elif rpm -q --quiet ntp ; then
  /usr/bin/systemctl enable "ntpd"
  /usr/bin/systemctl start "ntpd"
  # The service may not be running because it has been started and failed,
  # so let's reset the state so OVAL checks pass.
  # Service should be 'inactive', not 'failed' after reboot though.
  /usr/bin/systemctl reset-failed "ntpd"
else
  if ! rpm -q --quiet "chrony" ; then
    yum install -y "chrony"
  fi
  /usr/bin/systemctl enable "chronyd"
  /usr/bin/systemctl start "chronyd"
  # The service may not be running because it has been started and failed,
  # so let's reset the state so OVAL checks pass.
  # Service should be 'inactive', not 'failed' after reboot though.
  /usr/bin/systemctl reset-failed "chronyd"
fi
Enable the NTP Daemon
The ntpd service can be enabled with the following command:
$ sudo systemctl enable ntpd.service
References: NT012(R03), 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000160, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4
Rationale: Enabling the ntpd service ensures that the ntpd
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.
The NTP daemon offers all of the functionality of ntpdate, which is now
deprecated. Additional information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate.
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'ntp.service'
"$SYSTEMCTL_EXEC" enable 'ntp.service'
Remediation Ansible snippet:
- name: Enable service ntp
  block:
  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service ntp
    service:
      name: ntp
      enabled: 'yes'
      state: started
    when:
    - '"ntp" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_ntp_enabled
  - high_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - PCI-DSS-Req-10.4
  - NIST-800-53-CM-6(a)
  - NIST-800-53-AU-8(1)(a)
Remediation Puppet snippet:
include enable_ntp
class enable_ntp {
  service {'ntp':
    enable => true,
    ensure => 'running',
  }
}
Specify Additional Remote NTP Servers
Depending on specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux 7 system can be
configured to utilize the services of the chronyd NTP daemon (the
default), or services of the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for a more detailed comparison of the features of both choices, and for
further guidance on how to choose between the two NTP daemons.
Additional NTP servers can be specified for time synchronization. To do so,
perform the following:
if the system is configured to use chronyd as the NTP daemon
(the default), edit the file /etc/chrony.conf; if the system is configured to use ntpd as the NTP daemon,
edit the file /etc/ntp.conf.
In either file, add additional lines of the following form, substituting the IP address or
hostname of a remote NTP server for ntpserver:
server ntpserver
References: 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), AU-8(2), PR.PT-1, Req-10.4.3
Rationale: Specifying additional NTP servers increases the availability of
accurate time data, in the event that one of the specified servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems.
Identifier: CCE-27012-4
Remediation Shell script:
# The server list is substituted from the guide's "Vendor Approved Time Servers"
# value when the remediation is rendered; it is left empty in this listing.
var_multiple_time_servers=""
config_file="/etc/ntp.conf"
/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
# Only act when fewer than two active 'server' lines are present
if ! [ "$(grep -c '^server' "$config_file")" -gt 1 ] ; then
  if ! grep -q '#[[:space:]]*server' "$config_file" ; then
    for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do
      printf '\nserver %s iburst' "$server" >> "$config_file"
    done
  else
    # Re-enable commented-out server lines rather than adding new ones
    sed -i 's/#[ \t]*server/server/g' "$config_file"
  fi
fi
Specify Additional Remote NTP Servers
Additional NTP servers can be specified for time synchronization
in the file /etc/ntp.conf. To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for
ntpserver:
server ntpserver
References: 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), AU-8(2), PR.PT-1, Req-10.4.3
Rationale: Specifying additional NTP servers increases the availability of
accurate time data, in the event that one of the specified servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems.

Configure Time Service Maxpoll Interval
The maxpoll should be configured in /etc/ntp.conf or
/etc/chrony.conf to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf,
add the following to each server line:
maxpoll
References: 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001891, CCI-002046, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(b), PR.PT-1, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, RHEL-07-040500, SV-86893r4_rule
Rationale: Inaccurate time stamps make it more difficult to correlate
events and can lead to an inaccurate analysis. Determining the correct
time a particular event occurred on a system is critical when conducting
forensic analysis and investigating system events. Sources outside the
configured acceptable allowance (drift) may be inaccurate.
Identifier: CCE-80439-3
Remediation Shell script:
# The value is substituted from the guide's "Maximum NTP or Chrony Poll" value
# when the remediation is rendered; it is left empty in this listing.
var_time_service_set_maxpoll=""
config_file="/etc/ntp.conf"
/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
# Set maxpoll values to var_time_service_set_maxpoll
sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file"
# Add maxpoll to server entries without maxpoll
# (each line is reused as a sed pattern, so it must not contain '/' or
# regular-expression metacharacters)
grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do
  sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
done
Specify a Remote NTP Server
Depending on specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux 7 system can be
configured to utilize the services of the chronyd NTP daemon (the
default), or services of the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for a more detailed comparison of the features of both choices, and for
further guidance on how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization, perform the following:
if the system is configured to use chronyd as the NTP daemon (the
default), edit the file /etc/chrony.conf; if the system is configured to use ntpd as the NTP daemon,
edit the file /etc/ntp.conf.
In either file, add or correct the following lines, substituting the IP or hostname of a remote
NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time
data.
References: 3.6, 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 3.3.7, CCI-000160, CCI-001891, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), AU-8(2), PR.PT-1, Req-10.4.1, Req-10.4.3, SRG-OS-000355-VMM-001330
Rationale: Synchronizing with an NTP server makes it possible to collate system
logs from multiple sources or correlate computer events with real time events.
Identifier: CCE-27278-1
Remediation Shell script:
# The server list is substituted from the guide's "Vendor Approved Time Servers"
# value when the remediation is rendered; it is left empty in this listing.
var_multiple_time_servers=""
config_file="/etc/ntp.conf"
/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
# Only act when no active 'server' line is present
if ! grep -q ^server "$config_file" ; then
  if ! grep -q '#[[:space:]]*server' "$config_file" ; then
    for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do
      printf '\nserver %s iburst' "$server" >> "$config_file"
    done
  else
    # Re-enable commented-out server lines rather than adding new ones
    sed -i 's/#[ \t]*server/server/g' "$config_file"
  fi
fi
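An added audit and rewrite script, not part of this guide or of scap-security-guide, covering the three NTP configuration rules above (a remote server, additional servers, and the maxpoll interval): it parses an ntp.conf or chrony.conf, reports missing sources and sources whose maxpoll is absent or above the selected limit, and rewrites source lines structurally instead of reusing each line as a sed pattern the way the shell remediation does. The max_poll default of 10 mirrors the guide's "Maximum NTP or Chrony Poll" value; the function names and sample file are constructed.

```python
"""Audit and fix time-source lines in ntp.conf or chrony.conf.

Added example, not code from the guide or from scap-security-guide. Function
names and SAMPLE_CHRONY_CONF are constructed for illustration.
"""
import re

# Both ntpd and chronyd read "server NAME [options]"; chronyd also accepts
# "pool" and "peer" sources, which the guide's scripts do not touch, so the
# parser keeps the directive so callers can tell them apart.
SOURCE_RE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)(.*)$")
MAXPOLL_RE = re.compile(r"\bmaxpoll\s+(\d+)")


def parse_sources(text):
    """Return [(directive, host, maxpoll or None)] for active source lines.

    Commented-out lines ("# server ...") do not match, which mirrors the
    grep '^server' test used by the remediation scripts.
    """
    sources = []
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if not m:
            continue
        directive, host, rest = m.groups()
        pm = MAXPOLL_RE.search(rest)
        sources.append((directive, host, int(pm.group(1)) if pm else None))
    return sources


def audit_time_config(text, max_poll=10, min_servers=1):
    """Return a list of findings; an empty list means the rules are satisfied.

    max_poll is the exponent form used by both daemons: 10 means polling at
    most every 2**10 = 1024 seconds. min_servers=1 checks the "Specify a
    Remote NTP Server" rule, min_servers=2 the "Additional Servers" rule.
    """
    findings = []
    sources = parse_sources(text)
    servers = [s for s in sources if s[0] == "server"]
    if len(servers) < min_servers:
        findings.append("only %d 'server' line(s) configured, %d required"
                        % (len(servers), min_servers))
    for directive, host, poll in sources:
        if poll is None:
            findings.append("%s %s has no maxpoll" % (directive, host))
        elif poll > max_poll:
            findings.append("%s %s maxpoll %d exceeds %d" % (directive, host, poll, max_poll))
    return findings


def add_maxpoll(text, max_poll=10):
    """Return the config with every active source line carrying max_poll.

    Lines are matched structurally, so a host containing '/' or regex
    metacharacters cannot corrupt the rewrite; comments are left alone.
    """
    out = []
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            if MAXPOLL_RE.search(m.group(3)):
                line = MAXPOLL_RE.sub("maxpoll %d" % max_poll, line)
            else:
                line = line.rstrip() + " maxpoll %d" % max_poll
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: one commented-out server, one server without maxpoll,
# one server polling too rarely, and one compliant pool.
SAMPLE_CHRONY_CONF = """\
# server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst maxpoll 17
pool 3.rhel.pool.ntp.org iburst maxpoll 10
driftfile /var/lib/chrony/drift
"""

if __name__ == "__main__":
    for finding in audit_time_config(SAMPLE_CHRONY_CONF, max_poll=10, min_servers=2):
        print(finding)
    print(add_maxpoll(SAMPLE_CHRONY_CONF))
```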
Specify a Remote NTP Server
To specify a remote NTP server for time synchronization, edit
the file /etc/ntp.conf. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time
data.
References: 1141516356, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4.1, Req-10.4.3
Rationale: Synchronizing with an NTP server makes it possible
to collate system logs from multiple sources or correlate computer events with
real time events.

Kerberos
The Kerberos protocol is used for authentication across
non-secure networks. Authentication can happen between
various types of principals -- users, services, or hosts.
Their identity and encryption keys can be stored in keytab
files.

Remove the Kerberos Server Package
The krb5-server package should be removed if not in use.
Is this system the Kerberos server? If not, remove the package.
The krb5-server package can be removed with the following command:
$ sudo yum erase krb5-server
The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 7
system. It is needed only by Kerberos servers, not by the
clients which use Kerberos for authentication. If the system is not
intended for use as a Kerberos server, it should be removed.
Rationale: Unnecessary packages should not be installed, to decrease the attack
surface of the system. While this software is clearly essential on a KDC
server, it is not necessary on typical desktop or workstation systems.
Remediation Shell script:
# CAUTION: This remediation script will remove krb5-server
# from the system, and may remove any packages
# that depend on krb5-server. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "krb5-server" ; then
  yum remove -y "krb5-server"
fi
Remediation Ansible snippet:
- name: Ensure krb5-server is removed
  package:
    name: krb5-server
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_krb5-server_removed
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
Remediation Puppet snippet:
# Puppet class names may not contain hyphens, so the class is named with an underscore
include remove_krb5_server
class remove_krb5_server {
  package { 'krb5-server':
    ensure => 'purged',
  }
}
Remediation Anaconda snippet:
package --remove=krb5-server
Disable Kerberos by removing host keytab
Kerberos is not an approved key distribution method for
Common Criteria. To prevent system daemons from using Kerberos,
remove the Kerberos keytab files, especially
/etc/krb5.keytab.
References: FCS_CKM.1, SRG-OS-000120-GPOS-00061
Rationale: The key derivation function (KDF) in Kerberos is not FIPS compatible.

Hardware RNG Entropy Gatherer Daemon
The rngd daemon feeds random data from a hardware device to the kernel random device.

Application Whitelisting Daemon
Fapolicyd (File Access Policy Daemon) implements application whitelisting
to decide file access rights. Applications that are known via a reputation
source are allowed access while unknown applications are not. The daemon
makes use of the kernel's fanotify interface to determine file access rights.

Base Services
This section addresses the base services that are installed on a
Red Hat Enterprise Linux 7 default installation which are not covered in other
sections. Some of these services listen on the network and
should be treated with particular discretion. Other services are local
system utilities that may or may not be extraneous. In general, system services
should be disabled if not required.

Install the psacct package
The process accounting service, psacct, works with programs
including acct and ac to allow system administrators to view
user activity, such as commands issued by users of the system.
The psacct package can be installed with the following command:
$ sudo yum install psacct
References: 11112131415162356789, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.06, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.15.2.2, A.9.1.2, AU-12(a), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.IP-1, PR.PT-1, PR.PT-3
Rationale: The psacct service can provide administrators a convenient
view into some user activities. However, it should be noted that the auditing
system and its audit records provide more authoritative and comprehensive
records.
Identifier: CCE-82403-7
Remediation Shell script:
if ! rpm -q --quiet "psacct" ; then
  yum install -y "psacct"
fi
Remediation Ansible snippet:
- name: Ensure psacct is installed
  package:
    name: psacct
    state: present
  tags:
  - package_psacct_installed
  - low_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82403-7
  - NIST-800-53-AU-12(a)
  - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include install_psacct
class install_psacct {
  package { 'psacct':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:
package --add=psacct
Uninstall Automatic Bug Reporting Tool (abrt)
The Automatic Bug Reporting Tool (abrt) collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrt can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.
The abrt package can be removed with the following command:
$ sudo yum erase abrt
References: SRG-OS-000095-GPOS-00049
Rationale: Mishandling crash data could expose sensitive information about
vulnerabilities in software executing on the system, as well as sensitive
information from within a process's address space or registers.
Identifier: CCE-81040-8
Remediation Shell script:
# CAUTION: This remediation script will remove abrt
# from the system, and may remove any packages
# that depend on abrt. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "abrt" ; then
  yum remove -y "abrt"
fi
Remediation Ansible snippet:
- name: Ensure abrt is removed
  package:
    name: abrt
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_abrt_removed
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-81040-8
Remediation Puppet snippet:
include remove_abrt
class remove_abrt {
  package { 'abrt':
    ensure => 'purged',
  }
}
Remediation Anaconda snippet:
package --remove=abrt
Enable Process Accounting (psacct)
The process accounting service, psacct, works with programs
including acct and ac to allow system administrators to view
user activity, such as commands issued by users of the system.
The psacct service can be enabled with the following command:
$ sudo systemctl enable psacct.service
References: 11112131415162356789, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.06, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.15.2.2, A.9.1.2, AU-12(a), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.IP-1, PR.PT-1, PR.PT-3
Rationale: The psacct service can provide administrators a convenient
view into some user activities. However, it should be noted that the auditing
system and its audit records provide more authoritative and comprehensive
records.
Identifier: CCE-80265-2
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'psacct.service'
"$SYSTEMCTL_EXEC" enable 'psacct.service'
Remediation Ansible snippet:
- name: Enable service psacct
  block:
  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service psacct
    service:
      name: psacct
      enabled: 'yes'
      state: started
    when:
    - '"psacct" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_psacct_enabled
  - low_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80265-2
  - NIST-800-53-AU-12(a)
  - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include enable_psacct
class enable_psacct {
  service {'psacct':
    enable => true,
    ensure => 'running',
  }
}
Enable IRQ Balance (irqbalance)
The irqbalance service optimizes the balance between
power savings and performance through distribution of hardware interrupts across
multiple processors.
The irqbalance service can be enabled with the following command:
$ sudo systemctl enable irqbalance.service
References: 111439, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), CM-7(a), CM-7(b), PR.IP-1, PR.PT-3
Rationale: In an environment with multiple processors (now common), the irqbalance service
provides potential speedups for handling interrupt requests.
Identifier: CCE-80257-9
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'irqbalance.service'
"$SYSTEMCTL_EXEC" enable 'irqbalance.service'
Remediation Ansible snippet:
- name: Enable service irqbalance
  block:
  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service irqbalance
    service:
      name: irqbalance
      enabled: 'yes'
      state: started
    when:
    - '"irqbalance" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_irqbalance_enabled
  - low_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80257-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
Remediation Puppet snippet:
include enable_irqbalance
class enable_irqbalance {
  service {'irqbalance':
    enable => true,
    ensure => 'running',
  }
}
Disable Control Group Rules Engine (cgred)
The cgred service moves tasks into control groups according to
parameters set in the /etc/cgrules.conf configuration file.
The cgred service can be disabled with the following command:
$ sudo systemctl disable cgred.service
The cgred service can be masked with the following command:
$ sudo systemctl mask cgred.service
References: 111439, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: Unless control groups are used to manage system resources, running the cgred
service is not necessary.
Identifier: CCE-80255-3
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'cgred.service'
"$SYSTEMCTL_EXEC" disable 'cgred.service'
"$SYSTEMCTL_EXEC" mask 'cgred.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cgred.socket'; then
  "$SYSTEMCTL_EXEC" stop 'cgred.socket'
  "$SYSTEMCTL_EXEC" disable 'cgred.socket'
  "$SYSTEMCTL_EXEC" mask 'cgred.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'cgred.service' || true
Remediation Ansible snippet:
- name: Disable service cgred
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service cgred
    systemd:
      name: cgred.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"cgred.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cgred_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80255-3
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - cgred.socket
  command: systemctl list-unit-files cgred.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cgred_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80255-3
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Disable socket cgred
  systemd:
    name: cgred.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  # line 0 of the list-unit-files output is the header, line 1 the unit itself
  - '"cgred.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cgred_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80255-3
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
Remediation Puppet snippet:
include disable_cgred
class disable_cgred {
  service {'cgred':
    enable => false,
    ensure => 'stopped',
  }
}
Disable D-Bus IPC Service (messagebus)D-Bus provides an IPC mechanism used by a growing list of programs, such as
those used for Gnome, Bluetooth, and Avahi. Due to these dependencies,
disabling D-Bus may not be practical for many systems.
The messagebus service can be disabled with the following command:
$ sudo systemctl disable messagebus.service
The messagebus service can be masked with the following command:
$ sudo systemctl mask messagebus.service111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3If no services which require D-Bus are needed, then it
can be disabled. As a broker for IPC between processes of different privilege levels,
it could be a target for attack. However, disabling D-Bus is likely to be
impractical for any system which needs to provide
a graphical login session.CCE-80260-3
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'messagebus.service'
"$SYSTEMCTL_EXEC" disable 'messagebus.service'
"$SYSTEMCTL_EXEC" mask 'messagebus.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^messagebus.socket'; then
"$SYSTEMCTL_EXEC" stop 'messagebus.socket'
"$SYSTEMCTL_EXEC" disable 'messagebus.socket'
"$SYSTEMCTL_EXEC" mask 'messagebus.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'messagebus.service' || true
Remediation Ansible snippet:
- name: Disable service messagebus
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service messagebus
      systemd:
        name: messagebus.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"messagebus.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_messagebus_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80260-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - messagebus.socket
  command: systemctl list-unit-files messagebus.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_messagebus_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80260-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket messagebus
  systemd:
    name: messagebus.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"messagebus.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_messagebus_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80260-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_messagebus
class disable_messagebus {
  service {'messagebus':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Advanced Configuration and Power Interface (acpid)

The Advanced Configuration and Power Interface Daemon (acpid)
dispatches ACPI events (such as power/reset button depressed) to userspace
programs.
The acpid service can be disabled with the following command:
$ sudo systemctl disable acpid.service
The acpid service can be masked with the following command:
$ sudo systemctl mask acpid.service

References: CIS Controls 1, 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03,
BAI10.05, DSS05.02, DSS05.05, DSS06.06; ISA-62443-2009 4.3.3.5.1 through 4.3.3.5.8,
4.3.3.6.1 through 4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3;
ISA-62443-2013 SR 1.1 through SR 1.13, SR 2.1 through SR 2.7, SR 7.6;
ISO 27001-2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2;
NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: ACPI support is highly desirable for systems in some network roles,
such as laptops or desktops. For other systems, such as servers, it may permit
accidental or trivially achievable denial of service situations (the default
handler for a power button event halts the system), and disabling
it is appropriate.

Identifiers: CCE-80252-0

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'acpid.service'
"$SYSTEMCTL_EXEC" disable 'acpid.service'
"$SYSTEMCTL_EXEC" mask 'acpid.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^acpid.socket'; then
"$SYSTEMCTL_EXEC" stop 'acpid.socket'
"$SYSTEMCTL_EXEC" disable 'acpid.socket'
"$SYSTEMCTL_EXEC" mask 'acpid.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'acpid.service' || true
Remediation Ansible snippet:
- name: Disable service acpid
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service acpid
      systemd:
        name: acpid.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"acpid.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_acpid_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80252-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - acpid.socket
  command: systemctl list-unit-files acpid.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_acpid_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80252-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket acpid
  systemd:
    name: acpid.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"acpid.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_acpid_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80252-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_acpid
class disable_acpid {
  service {'acpid':
    enable => false,
    ensure => 'stopped',
  }
}
Disable KDump Kernel Crash Analyzer (kdump)

The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl disable kdump.service
The kdump service can be masked with the following command:
$ sudo systemctl mask kdump.service

References: CIS Controls 1, 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01,
BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06;
DISA CCI CCI-000366; HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4),
164.310(b), 164.310(c), 164.312(a), 164.312(e); ISA-62443-2009 4.3.3.5.1 through
4.3.3.5.8, 4.3.3.6.1 through 4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4, 4.3.4.3.2,
4.3.4.3.3; ISA-62443-2013 SR 1.1 through SR 1.13, SR 2.1 through SR 2.7, SR 3.1,
SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6;
ISO 27001-2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3,
A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a),
CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4;
OS SRG SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-021300, SV-86681r2_rule

Rationale: Kernel core dumps may contain the full contents of system memory at the
time of the crash, including credentials and keys held by running processes.
Kernel core dumps also consume a considerable amount of disk
space and may result in denial of service by exhausting the available space
on the target file system partition. Unless the system is used for kernel
development or testing, there is little need to run the kdump service.

Identifiers: CCE-80258-7

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'kdump.service'
"$SYSTEMCTL_EXEC" disable 'kdump.service'
"$SYSTEMCTL_EXEC" mask 'kdump.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^kdump.socket'; then
"$SYSTEMCTL_EXEC" stop 'kdump.socket'
"$SYSTEMCTL_EXEC" disable 'kdump.socket'
"$SYSTEMCTL_EXEC" mask 'kdump.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' || true
Remediation Ansible snippet:
- name: Disable service kdump
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service kdump
      systemd:
        name: kdump.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"kdump.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_kdump_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80258-7
    - DISA-STIG-RHEL-07-021300
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - kdump.socket
  command: systemctl list-unit-files kdump.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_kdump_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80258-7
    - DISA-STIG-RHEL-07-021300
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket kdump
  systemd:
    name: kdump.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"kdump.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_kdump_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80258-7
    - DISA-STIG-RHEL-07-021300
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_kdump
class disable_kdump {
  service {'kdump':
    enable => false,
    ensure => 'stopped',
  }
}
kdump --disable
Disable Network Console (netconsole)

The netconsole service is responsible for loading the
netconsole kernel module, which logs kernel printk messages over UDP to a
syslog server. This allows debugging of problems where disk logging fails and
serial consoles are impractical.
The netconsole service can be disabled with the following command:
$ sudo systemctl disable netconsole.service
The netconsole service can be masked with the following command:
$ sudo systemctl mask netconsole.service

References: CIS Controls 1, 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01,
BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06;
DISA CCI CCI-000381; ISA-62443-2009 4.3.3.5.1 through 4.3.3.5.8, 4.3.3.6.1 through
4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1
through SR 1.13, SR 2.1 through SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3,
SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO 27001-2013 A.11.2.6, A.12.1.2, A.12.5.1,
A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1,
A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3,
PR.IP-1, PR.PT-3, PR.PT-4

Rationale: The netconsole service is not necessary unless there is a need to debug
kernel panics, which is not common. When it is enabled, kernel messages leave the
host as unauthenticated, unencrypted UDP datagrams.

Identifiers: CCE-80261-1

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'netconsole.service'
"$SYSTEMCTL_EXEC" disable 'netconsole.service'
"$SYSTEMCTL_EXEC" mask 'netconsole.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^netconsole.socket'; then
"$SYSTEMCTL_EXEC" stop 'netconsole.socket'
"$SYSTEMCTL_EXEC" disable 'netconsole.socket'
"$SYSTEMCTL_EXEC" mask 'netconsole.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'netconsole.service' || true
Remediation Ansible snippet:
- name: Disable service netconsole
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service netconsole
      systemd:
        name: netconsole.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"netconsole.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_netconsole_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80261-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - netconsole.socket
  command: systemctl list-unit-files netconsole.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_netconsole_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80261-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket netconsole
  systemd:
    name: netconsole.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"netconsole.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_netconsole_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80261-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_netconsole
class disable_netconsole {
  service {'netconsole':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Certmonger Service (certmonger)

Certmonger is a D-Bus based service that attempts to simplify interaction
with certificate authorities on networks which use public-key infrastructure. It is often
combined with Red Hat's IPA (Identity, Policy, Audit) security information management
solution to aid in the management of certificates.
The certmonger service can be disabled with the following command:
$ sudo systemctl disable certmonger.service
The certmonger service can be masked with the following command:
$ sudo systemctl mask certmonger.service

References: CIS Controls 1, 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03,
BAI10.05, DSS05.02, DSS05.05, DSS06.06; ISA-62443-2009 4.3.3.5.1 through 4.3.3.5.8,
4.3.3.6.1 through 4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3;
ISA-62443-2013 SR 1.1 through SR 1.13, SR 2.1 through SR 2.7, SR 7.6;
ISO 27001-2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2;
NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: The services provided by certmonger may be essential for systems
fulfilling some roles in a PKI infrastructure, but its functionality is not necessary
for many other use cases.

Identifiers: CCE-80253-8

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'certmonger.service'
"$SYSTEMCTL_EXEC" disable 'certmonger.service'
"$SYSTEMCTL_EXEC" mask 'certmonger.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^certmonger.socket'; then
"$SYSTEMCTL_EXEC" stop 'certmonger.socket'
"$SYSTEMCTL_EXEC" disable 'certmonger.socket'
"$SYSTEMCTL_EXEC" mask 'certmonger.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'certmonger.service' || true
Remediation Ansible snippet:
- name: Disable service certmonger
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service certmonger
      systemd:
        name: certmonger.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"certmonger.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_certmonger_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80253-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - certmonger.socket
  command: systemctl list-unit-files certmonger.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_certmonger_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80253-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket certmonger
  systemd:
    name: certmonger.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"certmonger.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_certmonger_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80253-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_certmonger
class disable_certmonger {
  service {'certmonger':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Quota Netlink (quota_nld)

The quota_nld service provides notifications to
users of disk space quota violations. It listens to the kernel via a netlink
socket for disk quota violations and notifies the appropriate user of the
violation using D-Bus or by sending a message to the terminal that the user has
last accessed.
The quota_nld service can be disabled with the following command:
$ sudo systemctl disable quota_nld.service
The quota_nld service can be masked with the following command:
$ sudo systemctl mask quota_nld.service

References: CIS Controls 1, 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03,
BAI10.05, DSS05.02, DSS05.05, DSS06.06; ISA-62443-2009 4.3.3.5.1 through 4.3.3.5.8,
4.3.3.6.1 through 4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3;
ISA-62443-2013 SR 1.1 through SR 1.13, SR 2.1 through SR 2.7, SR 7.6;
ISO 27001-2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2;
NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: If disk quotas are enforced on the local system, then the
quota_nld service likely provides useful functionality and should
remain enabled. However, if disk quotas are not used or user notification of
disk quota violation is not desired then there is no need to run this
service.

Identifiers: CCE-80267-8

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'quota_nld.service'
"$SYSTEMCTL_EXEC" disable 'quota_nld.service'
"$SYSTEMCTL_EXEC" mask 'quota_nld.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^quota_nld.socket'; then
"$SYSTEMCTL_EXEC" stop 'quota_nld.socket'
"$SYSTEMCTL_EXEC" disable 'quota_nld.socket'
"$SYSTEMCTL_EXEC" mask 'quota_nld.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'quota_nld.service' || true
Remediation Ansible snippet:
- name: Disable service quota_nld
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service quota_nld
      systemd:
        name: quota_nld.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"quota_nld.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_quota_nld_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80267-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - quota_nld.socket
  command: systemctl list-unit-files quota_nld.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_quota_nld_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80267-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket quota_nld
  systemd:
    name: quota_nld.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"quota_nld.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_quota_nld_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80267-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_quota_nld
class disable_quota_nld {
  service {'quota_nld':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Red Hat Network Service (rhnsd)

The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.
The rhnsd service can be disabled with the following command:
$ sudo systemctl disable rhnsd.service
The rhnsd service can be masked with the following command:
$ sudo systemctl mask rhnsd.service

References: CIS RHEL 7 Benchmark 1.2.5; CIS Controls 1, 11, 12, 14, 15, 3, 8, 9;
COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02,
DSS05.03, DSS05.05, DSS06.06; DISA CCI CCI-000382; ISA-62443-2009 4.3.3.5.1 through
4.3.3.5.8, 4.3.3.6.1 through 4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4, 4.3.4.3.2,
4.3.4.3.3; ISA-62443-2013 SR 1.1 through SR 1.13, SR 2.1 through SR 2.7, SR 3.1,
SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6;
ISO 27001-2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3,
A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a),
CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: Although systems management and patching is extremely important to
system security, management by a system outside the enterprise enclave is not
desirable for some environments. However, if the system is being managed by RHN or
RHN Satellite Server the rhnsd daemon can remain on.

Identifiers: CCE-80269-4

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rhnsd.service'
"$SYSTEMCTL_EXEC" disable 'rhnsd.service'
"$SYSTEMCTL_EXEC" mask 'rhnsd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rhnsd.socket'; then
"$SYSTEMCTL_EXEC" stop 'rhnsd.socket'
"$SYSTEMCTL_EXEC" disable 'rhnsd.socket'
"$SYSTEMCTL_EXEC" mask 'rhnsd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rhnsd.service' || true
Remediation Ansible snippet:
- name: Disable service rhnsd
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service rhnsd
      systemd:
        name: rhnsd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"rhnsd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rhnsd_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80269-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - rhnsd.socket
  command: systemctl list-unit-files rhnsd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rhnsd_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80269-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket rhnsd
  systemd:
    name: rhnsd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"rhnsd.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_rhnsd_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80269-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_rhnsd
class disable_rhnsd {
  service {'rhnsd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Software RAID Monitor (mdmonitor)

The mdmonitor service is used for monitoring a software RAID array; hardware
RAID setups do not use this service.
The mdmonitor service can be disabled with the following command:
$ sudo systemctl disable mdmonitor.service
The mdmonitor service can be masked with the following command:
$ sudo systemctl mask mdmonitor.service

References: CIS Controls 1, 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03,
BAI10.05, DSS05.02, DSS05.05, DSS06.06; ISA-62443-2009 4.3.3.5.1 through 4.3.3.5.8,
4.3.3.6.1 through 4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3;
ISA-62443-2013 SR 1.1 through SR 1.13, SR 2.1 through SR 2.7, SR 7.6;
ISO 27001-2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2;
NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: If software RAID monitoring is not required,
there is no need to run this service.

Identifiers: CCE-80259-5

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'mdmonitor.service'
"$SYSTEMCTL_EXEC" disable 'mdmonitor.service'
"$SYSTEMCTL_EXEC" mask 'mdmonitor.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^mdmonitor.socket'; then
"$SYSTEMCTL_EXEC" stop 'mdmonitor.socket'
"$SYSTEMCTL_EXEC" disable 'mdmonitor.socket'
"$SYSTEMCTL_EXEC" mask 'mdmonitor.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'mdmonitor.service' || true
Remediation Ansible snippet:
- name: Disable service mdmonitor
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service mdmonitor
      systemd:
        name: mdmonitor.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"mdmonitor.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_mdmonitor_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80259-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - mdmonitor.socket
  command: systemctl list-unit-files mdmonitor.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_mdmonitor_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80259-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket mdmonitor
  systemd:
    name: mdmonitor.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"mdmonitor.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_mdmonitor_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80259-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_mdmonitor
class disable_mdmonitor {
  service {'mdmonitor':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Odd Job Daemon (oddjobd)

The oddjobd service exists to provide an interface and
access control mechanism through which
specified privileged tasks can be run on behalf of unprivileged client
applications. Communication with oddjobd takes place through the system message bus (D-Bus).
The oddjobd service can be disabled with the following command:
$ sudo systemctl disable oddjobd.service
The oddjobd service can be masked with the following command:
$ sudo systemctl mask oddjobd.service

References: CIS Controls 1, 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03,
BAI10.05, DSS05.02, DSS05.05, DSS06.06; DISA CCI CCI-000381; ISA-62443-2009
4.3.3.5.1 through 4.3.3.5.8, 4.3.3.6.1 through 4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4,
4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1 through SR 1.13, SR 2.1 through SR 2.7,
SR 7.6; ISO 27001-2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4,
A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: The oddjobd service may provide necessary functionality in
some environments, and can be disabled if it is not needed. Execution of
tasks by privileged programs, on behalf of unprivileged ones, has traditionally
been a source of privilege escalation security issues.

Identifiers: CCE-80263-7

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'oddjobd.service'
"$SYSTEMCTL_EXEC" disable 'oddjobd.service'
"$SYSTEMCTL_EXEC" mask 'oddjobd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^oddjobd.socket'; then
"$SYSTEMCTL_EXEC" stop 'oddjobd.socket'
"$SYSTEMCTL_EXEC" disable 'oddjobd.socket'
"$SYSTEMCTL_EXEC" mask 'oddjobd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'oddjobd.service' || true
Remediation Ansible snippet:
- name: Disable service oddjobd
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service oddjobd
      systemd:
        name: oddjobd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"oddjobd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_oddjobd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80263-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - oddjobd.socket
  command: systemctl list-unit-files oddjobd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_oddjobd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80263-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket oddjobd
  systemd:
    name: oddjobd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"oddjobd.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_oddjobd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80263-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_oddjobd
class disable_oddjobd {
  service {'oddjobd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable SMART Disk Monitoring Service (smartd)

SMART (Self-Monitoring, Analysis, and Reporting Technology) is a
feature of hard drives that allows them to detect symptoms of disk failure and
relay an appropriate warning.
The smartd service can be disabled with the following command:
$ sudo systemctl disable smartd.service
The smartd service can be masked with the following command:
$ sudo systemctl mask smartd.service

References: CIS Controls 1, 11, 14, 3, 9; COBIT 5 BAI10.01, BAI10.02, BAI10.03,
BAI10.05, DSS05.02, DSS05.05, DSS06.06; ISA-62443-2009 4.3.3.5.1 through 4.3.3.5.8,
4.3.3.6.1 through 4.3.3.6.9, 4.3.3.7.1 through 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3;
ISA-62443-2013 SR 1.1 through SR 1.13, SR 2.1 through SR 2.7, SR 7.6;
ISO 27001-2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2;
NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.IP-1, PR.PT-3

Rationale: SMART can help ensure availability of systems by notifying system operators
of failing hardware. Nevertheless, if it is not needed or the
system's drives do not expose SMART data (for example, virtual disks presented
to a guest, or drives behind a RAID controller that does not pass SMART through),
this service can be disabled.

Identifiers: CCE-80272-8

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'smartd.service'
"$SYSTEMCTL_EXEC" disable 'smartd.service'
"$SYSTEMCTL_EXEC" mask 'smartd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^smartd.socket'; then
"$SYSTEMCTL_EXEC" stop 'smartd.socket'
"$SYSTEMCTL_EXEC" disable 'smartd.socket'
"$SYSTEMCTL_EXEC" mask 'smartd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'smartd.service' || true
- name: Disable service smartd
block:
- name: Gather the service facts
service_facts: null
- name: Disable service smartd
systemd:
name: smartd.service
enabled: 'no'
state: stopped
masked: 'yes'
when: '"smartd.service" in ansible_facts.services'
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- service_smartd_disabled
- low_severity
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80272-8
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- name: Unit Socket Exists - smartd.socket
command: systemctl list-unit-files smartd.socket
args:
warn: false
register: socket_file_exists
changed_when: false
ignore_errors: true
check_mode: false
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- service_smartd_disabled
- low_severity
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80272-8
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- name: Disable socket smartd
systemd:
name: smartd.socket
enabled: 'no'
state: stopped
masked: 'yes'
when:
- '"smartd.socket" in socket_file_exists.stdout_lines[1]'
- ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- service_smartd_disabled
- low_severity
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80272-8
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
include disable_smartd
class disable_smartd {
service {'smartd':
enable => false,
ensure => 'stopped',
}
}
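The disable/mask commands and the three remediation snippets above all establish the same end state: the service unit is disabled and masked and not running, and a matching .socket unit gets the same treatment only if a unit file for it exists. The audit helper below is an added example, not part of the SCAP Security Guide or its remediation content, that checks that end state on a RHEL 7 host and reproduces the socket-existence test offline on a constructed listing. The function names (unit_listed, unit_verdict, audit_service) and the SAMPLE_LISTING text are my own; the live path assumes systemctl is on PATH. It serves this smartd rule and the identically structured rules that follow (qpidd, abrtd, cockpit, cpupower, saslauthd, cgconfig, ntpdate, rdisc, rhsmcertd).

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): audit helper for the
# "Disable <service>" rules. It checks the two facts the remediations
# establish, that a unit is disabled/masked and not active, and applies the
# same "only if a unit file exists" test to <name>.socket.

# unit_listed LISTING UNIT
# Succeeds if UNIT appears as a unit file in LISTING, the captured output of
# `systemctl list-unit-files`. The pattern is anchored on the whole unit name
# followed by whitespace, and the dot is escaped, so "smartd.socket" cannot
# match "smartdx.socket" or "smartdXsocket".
unit_listed() {
    _pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q "^${_pat}[[:space:]]"
}

# unit_verdict ENABLED_STATE ACTIVE_STATE
# Prints "pass" when the states, as printed by `systemctl is-enabled` and
# `systemctl is-active`, satisfy the rule; otherwise prints "fail".
# An empty or unknown enabled-state is treated as a failure, not a pass.
unit_verdict() {
    case "$1" in
        masked|masked-runtime|disabled) ;;
        *) echo fail; return 0 ;;
    esac
    case "$2" in
        active|activating|reloading) echo fail ;;
        *) echo pass ;;
    esac
}

# audit_service NAME
# Live check on the local host: evaluates NAME.service and NAME.socket.
# A unit with no unit file cannot be enabled or started, so it is reported
# as "not present" and counted as passing, matching the Ansible snippet's
# "in ansible_facts.services" guard. Returns 0 when every unit passes.
audit_service() {
    _name=$1
    _rc=0
    _listing=$(systemctl list-unit-files --no-pager 2>/dev/null) || _listing=''
    for _unit in "$_name.service" "$_name.socket"; do
        if ! unit_listed "$_listing" "$_unit"; then
            printf '%-24s not present: pass\n' "$_unit"
            continue
        fi
        _enabled=$(systemctl is-enabled "$_unit" 2>/dev/null)
        _active=$(systemctl is-active "$_unit" 2>/dev/null)
        _v=$(unit_verdict "$_enabled" "$_active")
        printf '%-24s enabled=%-10s active=%-10s %s\n' \
            "$_unit" "${_enabled:-unknown}" "${_active:-unknown}" "$_v"
        [ "$_v" = pass ] || _rc=1
    done
    return $_rc
}

# Constructed sample, in the layout `systemctl list-unit-files` prints.
SAMPLE_LISTING='UNIT FILE                STATE
smartd.service           enabled
smartd.socket            disabled
smartdx.socket           enabled

3 unit files listed.'

# Offline demonstration on the constructed listing; a live audit runs when a
# service name is given on the command line, e.g. `sh audit.sh smartd`.
unit_listed "$SAMPLE_LISTING" smartd.socket && echo "sample listing: smartd.socket is present"
[ $# -eq 0 ] || audit_service "$1"
```

Two details worth keeping in mind when comparing this with the page's remediations: the Ansible task reads `socket_file_exists.stdout_lines[1]`, which is the first line after the header when `systemctl list-unit-files smartd.socket` finds the unit and the "0 unit files listed." summary when it does not, which is why the snippet tests with `in` rather than equality; and `reset-failed` in the Shell script only clears a stale "failed" state, so `unit_verdict` treats "failed" as an acceptable active-state alongside "inactive".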
Disable Apache Qpid (qpidd)

Description: The qpidd service provides high speed, secure,
guaranteed delivery services. It is an implementation of the Advanced Message
Queuing Protocol. By default the qpidd service will bind to port 5672 and
listen for connection attempts.
The qpidd service can be disabled with the following command:
$ sudo systemctl disable qpidd.service
The qpidd service can be masked with the following command:
$ sudo systemctl mask qpidd.service

References: 11, 12, 14, 15, 3, 8, 9; APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; CCI-000382; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; CM-7(a), CM-7(b), CM-6(a); PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: The qpidd service is automatically installed when the base package
selection is selected during installation. The qpidd service listens for
network connections, which increases the attack surface of the system. If
the system is not intended to receive AMQP traffic, then the qpidd
service is not needed and should be disabled or removed.

Identifiers: CCE-80266-0

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'qpidd.service'
"$SYSTEMCTL_EXEC" disable 'qpidd.service'
"$SYSTEMCTL_EXEC" mask 'qpidd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^qpidd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'qpidd.socket'
    "$SYSTEMCTL_EXEC" disable 'qpidd.socket'
    "$SYSTEMCTL_EXEC" mask 'qpidd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'qpidd.service' || true

Remediation Ansible snippet:
- name: Disable service qpidd
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service qpidd
    systemd:
      name: qpidd.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"qpidd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_qpidd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80266-0
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Unit Socket Exists - qpidd.socket
  command: systemctl list-unit-files qpidd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_qpidd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80266-0
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Disable socket qpidd
  systemd:
    name: qpidd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"qpidd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_qpidd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80266-0
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_qpidd
class disable_qpidd {
  service {'qpidd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Automatic Bug Reporting Tool (abrtd)

Description: The Automatic Bug Reporting Tool (abrtd) daemon collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrtd can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.
The abrtd service can be disabled with the following command:
$ sudo systemctl disable abrtd.service
The abrtd service can be masked with the following command:
$ sudo systemctl mask abrtd.service

References: 11, 12, 14, 15, 3, 8, 9; APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; CM-7(a), CM-6(a); PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: Mishandling crash data could expose sensitive information about
vulnerabilities in software executing on the system, as well as sensitive
information from within a process's address space or registers.

Identifiers: CCE-82027-4

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'abrtd.service'
"$SYSTEMCTL_EXEC" disable 'abrtd.service'
"$SYSTEMCTL_EXEC" mask 'abrtd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^abrtd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'abrtd.socket'
    "$SYSTEMCTL_EXEC" disable 'abrtd.socket'
    "$SYSTEMCTL_EXEC" mask 'abrtd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'abrtd.service' || true

Remediation Ansible snippet:
- name: Disable service abrtd
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service abrtd
    systemd:
      name: abrtd.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"abrtd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_abrtd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82027-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-6(a)

- name: Unit Socket Exists - abrtd.socket
  command: systemctl list-unit-files abrtd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_abrtd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82027-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-6(a)

- name: Disable socket abrtd
  systemd:
    name: abrtd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"abrtd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_abrtd_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82027-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_abrtd
class disable_abrtd {
  service {'abrtd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Cockpit Management Server

Description: The Cockpit Management Server (cockpit) provides a web based
login and management framework.
The cockpit service can be disabled with the following command:
$ sudo systemctl disable cockpit.service
The cockpit service can be masked with the following command:
$ sudo systemctl mask cockpit.service

Rationale: Cockpit provides a form of remote login.

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'cockpit.service'
"$SYSTEMCTL_EXEC" disable 'cockpit.service'
"$SYSTEMCTL_EXEC" mask 'cockpit.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cockpit.socket'; then
    "$SYSTEMCTL_EXEC" stop 'cockpit.socket'
    "$SYSTEMCTL_EXEC" disable 'cockpit.socket'
    "$SYSTEMCTL_EXEC" mask 'cockpit.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'cockpit.service' || true

Remediation Ansible snippet:
- name: Disable service cockpit
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service cockpit
    systemd:
      name: cockpit.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"cockpit.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cockpit_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed

- name: Unit Socket Exists - cockpit.socket
  command: systemctl list-unit-files cockpit.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cockpit_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed

- name: Disable socket cockpit
  systemd:
    name: cockpit.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"cockpit.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cockpit_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed

Remediation Puppet snippet:
include disable_cockpit
class disable_cockpit {
  service {'cockpit':
    enable => false,
    ensure => 'stopped',
  }
}
Disable CPU Speed (cpupower)

Description: The cpupower service can adjust the clock speed of supported CPUs based upon
the current processing load thereby conserving power and reducing heat.
The cpupower service can be disabled with the following command:
$ sudo systemctl disable cpupower.service
The cpupower service can be masked with the following command:
$ sudo systemctl mask cpupower.service

References: 11, 14, 3, 9; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a); PR.IP-1, PR.PT-3

Rationale: The cpupower service is only necessary if adjusting the CPU clock speed
provides benefit. Traditionally this has included laptops (to enhance battery life),
but may also apply to server or desktop environments where conserving power is
highly desirable or necessary.

Identifiers: CCE-80256-1

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'cpupower.service'
"$SYSTEMCTL_EXEC" disable 'cpupower.service'
"$SYSTEMCTL_EXEC" mask 'cpupower.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cpupower.socket'; then
    "$SYSTEMCTL_EXEC" stop 'cpupower.socket'
    "$SYSTEMCTL_EXEC" disable 'cpupower.socket'
    "$SYSTEMCTL_EXEC" mask 'cpupower.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'cpupower.service' || true

Remediation Ansible snippet:
- name: Disable service cpupower
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service cpupower
    systemd:
      name: cpupower.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"cpupower.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cpupower_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80256-1
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Unit Socket Exists - cpupower.socket
  command: systemctl list-unit-files cpupower.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cpupower_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80256-1
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Disable socket cpupower
  systemd:
    name: cpupower.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"cpupower.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cpupower_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80256-1
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_cpupower
class disable_cpupower {
  service {'cpupower':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Cyrus SASL Authentication Daemon (saslauthd)

Description: The saslauthd service handles plaintext authentication requests on
behalf of the SASL library. The service isolates all code requiring superuser
privileges for SASL authentication into a single process, and can also be used
to provide proxy authentication services to clients that do not understand SASL
based authentication.
The saslauthd service can be disabled with the following command:
$ sudo systemctl disable saslauthd.service
The saslauthd service can be masked with the following command:
$ sudo systemctl mask saslauthd.service

References: 11, 12, 14, 15, 3, 8, 9; APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; CM-7(a), CM-7(b), CM-6(a); PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: The saslauthd service provides essential functionality for
performing authentication in some directory environments, such as those which
use Kerberos and LDAP. For others, however, in which only local files may be
consulted, it is not necessary and should be disabled.

Identifiers: CCE-80271-0

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'saslauthd.service'
"$SYSTEMCTL_EXEC" disable 'saslauthd.service'
"$SYSTEMCTL_EXEC" mask 'saslauthd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^saslauthd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'saslauthd.socket'
    "$SYSTEMCTL_EXEC" disable 'saslauthd.socket'
    "$SYSTEMCTL_EXEC" mask 'saslauthd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'saslauthd.service' || true

Remediation Ansible snippet:
- name: Disable service saslauthd
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service saslauthd
    systemd:
      name: saslauthd.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"saslauthd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_saslauthd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80271-0
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Unit Socket Exists - saslauthd.socket
  command: systemctl list-unit-files saslauthd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_saslauthd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80271-0
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Disable socket saslauthd
  systemd:
    name: saslauthd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"saslauthd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_saslauthd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80271-0
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_saslauthd
class disable_saslauthd {
  service {'saslauthd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Control Group Config (cgconfig)

Description: Control groups allow an administrator to allocate system resources (such as CPU,
memory, and network bandwidth) among a defined group (or groups) of processes executing on
a system. The cgconfig daemon starts at boot and establishes the predefined control groups.
The cgconfig service can be disabled with the following command:
$ sudo systemctl disable cgconfig.service
The cgconfig service can be masked with the following command:
$ sudo systemctl mask cgconfig.service

References: 11, 14, 3, 9; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a); PR.IP-1, PR.PT-3

Rationale: Unless control groups are used to manage system resources, running the cgconfig
service is not necessary.

Identifiers: CCE-80254-6

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'cgconfig.service'
"$SYSTEMCTL_EXEC" disable 'cgconfig.service'
"$SYSTEMCTL_EXEC" mask 'cgconfig.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cgconfig.socket'; then
    "$SYSTEMCTL_EXEC" stop 'cgconfig.socket'
    "$SYSTEMCTL_EXEC" disable 'cgconfig.socket'
    "$SYSTEMCTL_EXEC" mask 'cgconfig.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'cgconfig.service' || true

Remediation Ansible snippet:
- name: Disable service cgconfig
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service cgconfig
    systemd:
      name: cgconfig.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"cgconfig.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cgconfig_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80254-6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Unit Socket Exists - cgconfig.socket
  command: systemctl list-unit-files cgconfig.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cgconfig_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80254-6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Disable socket cgconfig
  systemd:
    name: cgconfig.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"cgconfig.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cgconfig_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80254-6
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_cgconfig
class disable_cgconfig {
  service {'cgconfig':
    enable => false,
    ensure => 'stopped',
  }
}
Disable ntpdate Service (ntpdate)

Description: The ntpdate service sets the local hardware clock by polling NTP servers
when the system boots. It synchronizes to the NTP servers listed in
/etc/ntp/step-tickers or /etc/ntp.conf
and then sets the local hardware clock to the newly synchronized
system time.
The ntpdate service can be disabled with the following command:
$ sudo systemctl disable ntpdate.service
The ntpdate service can be masked with the following command:
$ sudo systemctl mask ntpdate.service

References: 11, 12, 14, 15, 3, 8, 9; APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; CCI-000382; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; CM-7(a), CM-7(b), CM-6(a); PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: The ntpdate service may only be suitable for systems which
are rebooted frequently enough that clock drift does not cause problems between
reboots. In any event, the functionality of the ntpdate service is now
available in the ntpd program and should be considered deprecated.

Identifiers: CCE-80262-9

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'ntpdate.service'
"$SYSTEMCTL_EXEC" disable 'ntpdate.service'
"$SYSTEMCTL_EXEC" mask 'ntpdate.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^ntpdate.socket'; then
    "$SYSTEMCTL_EXEC" stop 'ntpdate.socket'
    "$SYSTEMCTL_EXEC" disable 'ntpdate.socket'
    "$SYSTEMCTL_EXEC" mask 'ntpdate.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'ntpdate.service' || true

Remediation Ansible snippet:
- name: Disable service ntpdate
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service ntpdate
    systemd:
      name: ntpdate.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"ntpdate.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_ntpdate_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80262-9
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Unit Socket Exists - ntpdate.socket
  command: systemctl list-unit-files ntpdate.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_ntpdate_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80262-9
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Disable socket ntpdate
  systemd:
    name: ntpdate.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"ntpdate.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_ntpdate_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80262-9
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_ntpdate
class disable_ntpdate {
  service {'ntpdate':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Network Router Discovery Daemon (rdisc)

Description: The rdisc service implements the client side of the ICMP
Internet Router Discovery Protocol (IRDP), which allows discovery of routers on
the local subnet. If a router is discovered then the local routing table is
updated with a corresponding default route. By default this daemon is disabled.
The rdisc service can be disabled with the following command:
$ sudo systemctl disable rdisc.service
The rdisc service can be masked with the following command:
$ sudo systemctl mask rdisc.service

References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 6, 8, 9; APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS01.05, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06; CCI-000382; 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; AC-4, CM-7(a), CM-7(b), CM-6(a); DE.AE-1, ID.AM-3, PR.AC-3, PR.AC-5, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: General-purpose systems typically have their network and routing
information configured statically by a system administrator. Workstations or
some special-purpose systems often use DHCP (instead of IRDP) to retrieve
dynamic network configuration information.

Identifiers: CCE-80268-6

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rdisc.service'
"$SYSTEMCTL_EXEC" disable 'rdisc.service'
"$SYSTEMCTL_EXEC" mask 'rdisc.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rdisc.socket'; then
    "$SYSTEMCTL_EXEC" stop 'rdisc.socket'
    "$SYSTEMCTL_EXEC" disable 'rdisc.socket'
    "$SYSTEMCTL_EXEC" mask 'rdisc.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rdisc.service' || true

Remediation Ansible snippet:
- name: Disable service rdisc
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service rdisc
    systemd:
      name: rdisc.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"rdisc.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rdisc_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80268-6
  - NIST-800-53-AC-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Unit Socket Exists - rdisc.socket
  command: systemctl list-unit-files rdisc.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rdisc_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80268-6
  - NIST-800-53-AC-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Disable socket rdisc
  systemd:
    name: rdisc.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"rdisc.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rdisc_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80268-6
  - NIST-800-53-AC-4
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_rdisc
class disable_rdisc {
  service {'rdisc':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Red Hat Subscription Manager Daemon (rhsmcertd)

Description: The Red Hat Subscription Manager (rhsmcertd) periodically checks for
changes in the entitlement certificates for a registered system and updates it
accordingly.
The rhsmcertd service can be disabled with the following command:
$ sudo systemctl disable rhsmcertd.service
The rhsmcertd service can be masked with the following command:
$ sudo systemctl mask rhsmcertd.service

References: 11, 14, 3, 9; BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06; 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6; A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2; CM-7(a), CM-7(b), CM-6(a); PR.IP-1, PR.PT-3

Rationale: The rhsmcertd service can provide administrators with some
additional control over which of their systems are entitled to particular
subscriptions. However, for systems that are managed locally or which are not
expected to require remote changes to their subscription status, it is
unnecessary and can be disabled.

Identifiers: CCE-80270-2

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rhsmcertd.service'
"$SYSTEMCTL_EXEC" disable 'rhsmcertd.service'
"$SYSTEMCTL_EXEC" mask 'rhsmcertd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rhsmcertd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'rhsmcertd.socket'
    "$SYSTEMCTL_EXEC" disable 'rhsmcertd.socket'
    "$SYSTEMCTL_EXEC" mask 'rhsmcertd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rhsmcertd.service' || true

Remediation Ansible snippet:
- name: Disable service rhsmcertd
  block:

  - name: Gather the service facts
    service_facts: null

  - name: Disable service rhsmcertd
    systemd:
      name: rhsmcertd.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"rhsmcertd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rhsmcertd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80270-2
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Unit Socket Exists - rhsmcertd.socket
  command: systemctl list-unit-files rhsmcertd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rhsmcertd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80270-2
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

- name: Disable socket rhsmcertd
  systemd:
    name: rhsmcertd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"rhsmcertd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rhsmcertd_disabled
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80270-2
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_rhsmcertd
class disable_rhsmcertd {
  service {'rhsmcertd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Portreserve (portreserve)

The portreserve service is a TCP port reservation utility that can
be used to prevent portmap from binding to well known TCP ports that are
required for other services.
The portreserve service can be disabled with the following command:
$ sudo systemctl disable portreserve.service
The portreserve service can be masked with the following command:
$ sudo systemctl mask portreserve.service

References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Rationale: The portreserve service provides helpful functionality by
preventing conflicting usage of ports in the reserved port range, but it can be
disabled if not needed.

Identifier: CCE-80264-5

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'portreserve.service'
"$SYSTEMCTL_EXEC" disable 'portreserve.service'
"$SYSTEMCTL_EXEC" mask 'portreserve.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^portreserve.socket'; then
    "$SYSTEMCTL_EXEC" stop 'portreserve.socket'
    "$SYSTEMCTL_EXEC" disable 'portreserve.socket'
    "$SYSTEMCTL_EXEC" mask 'portreserve.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'portreserve.service' || true

Remediation Ansible snippet:
- name: Disable service portreserve
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service portreserve
      systemd:
        name: portreserve.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"portreserve.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_portreserve_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80264-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - portreserve.socket
  command: systemctl list-unit-files portreserve.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_portreserve_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80264-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket portreserve
  systemd:
    name: portreserve.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"portreserve.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_portreserve_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80264-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_portreserve
class disable_portreserve {
  service {'portreserve':
    enable => false,
    ensure => 'stopped',
  }
}
Disable System Statistics Reset Service (sysstat)

The sysstat service resets various I/O and CPU
performance statistics to zero in order to begin counting from a fresh state
at boot time.
The sysstat service can be disabled with the following command:
$ sudo systemctl disable sysstat.service
The sysstat service can be masked with the following command:
$ sudo systemctl mask sysstat.service

References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3

Rationale: By default the sysstat service runs a program at
boot to reset performance statistics. This data can be retrieved using programs such as
sar and sadc. While the sysstat service may provide useful
insight into system operation, in keeping with the principle of providing only essential
system services, this service should be disabled.

Identifier: CCE-80273-6

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'sysstat.service'
"$SYSTEMCTL_EXEC" disable 'sysstat.service'
"$SYSTEMCTL_EXEC" mask 'sysstat.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^sysstat.socket'; then
    "$SYSTEMCTL_EXEC" stop 'sysstat.socket'
    "$SYSTEMCTL_EXEC" disable 'sysstat.socket'
    "$SYSTEMCTL_EXEC" mask 'sysstat.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'sysstat.service' || true

Remediation Ansible snippet:
- name: Disable service sysstat
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service sysstat
      systemd:
        name: sysstat.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"sysstat.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_sysstat_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80273-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - sysstat.socket
  command: systemctl list-unit-files sysstat.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_sysstat_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80273-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket sysstat
  systemd:
    name: sysstat.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"sysstat.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_sysstat_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80273-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include disable_sysstat
class disable_sysstat {
  service {'sysstat':
    enable => false,
    ensure => 'stopped',
  }
}
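The three service rules above (rhsmcertd, portreserve, sysstat) ship remediation scripts but describe the corresponding check only in prose. As an added example that is not part of this guide or of the scap-security-guide project's own OVAL content, the following Python script performs that check: it parses the output of `systemctl list-unit-files` and `systemctl is-active` and reports a unit that is merely disabled rather than masked (so a `systemctl start` or socket activation could still bring it up), or that was left in the `failed` state which the shell remediation clears with `reset-failed`. The sample output embedded below is constructed; the `collect_live_states` helper is an assumption of how the same data would be gathered on a real host.

```python
import subprocess

# Constructed sample, as `systemctl list-unit-files rhsmcertd.service
# rhsmcertd.socket` would print it on a host where the service unit was
# masked but the socket unit was only disabled.
SAMPLE_UNIT_FILES = """\
UNIT FILE           STATE
rhsmcertd.service   masked
rhsmcertd.socket    disabled

2 unit files listed.
"""

# Constructed `systemctl is-active` results for the same host: the socket
# is 'failed', the state the guide's remediation resets on purpose.
SAMPLE_ACTIVE = {"rhsmcertd.service": "inactive", "rhsmcertd.socket": "failed"}


def parse_unit_files(text):
    """Map unit name -> enablement state from `systemctl list-unit-files` output."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, the "N unit files listed." footer and blank lines:
        # only real unit names contain a '.' (foo.service, foo.socket).
        if len(parts) < 2 or "." not in parts[0]:
            continue
        states[parts[0]] = parts[1]
    return states


def audit_service_disabled(service, unit_states, active_states):
    """Return findings for one service; an empty list means compliant.

    Mirrors what the remediation enforces: the .service unit and, if a unit
    file for it exists, the .socket unit must be masked (not just disabled)
    and must be 'inactive'. A unit with no unit file has nothing to disable
    and passes, as the Ansible snippets' `when` conditions also assume.
    """
    findings = []
    for unit in (service + ".service", service + ".socket"):
        state = unit_states.get(unit)
        if state is None:
            continue  # no unit file installed: nothing to disable
        if state != "masked":
            findings.append("%s: enablement is %r, expected 'masked'" % (unit, state))
        active = active_states.get(unit, "unknown")
        if active != "inactive":
            # 'failed' is also "not running", but it is not the clean
            # 'inactive' state that the OVAL check expects after reboot.
            findings.append("%s: active state is %r, expected 'inactive'" % (unit, active))
    return findings


def collect_live_states(service):
    """Query systemd on the local host for the two units of `service`.
    Assumed helper: not part of the guide, needs systemd and Python 3.7+."""
    units = [service + ".service", service + ".socket"]
    listing = subprocess.run(["systemctl", "list-unit-files"] + units,
                             capture_output=True, text=True, check=False).stdout
    active = {}
    for unit in units:
        # `systemctl is-active` exits non-zero for inactive units, so do
        # not use check=True; the state word is on stdout either way.
        out = subprocess.run(["systemctl", "is-active", unit],
                             capture_output=True, text=True, check=False).stdout
        active[unit] = out.strip() or "unknown"
    return parse_unit_files(listing), active


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["rhsmcertd", "portreserve", "sysstat"]:
        unit_states, active_states = collect_live_states(name)
        findings = audit_service_disabled(name, unit_states, active_states)
        print("%s: %s" % (name, "compliant" if not findings else "; ".join(findings)))
```

Run on the constructed sample, the audit reports two findings for rhsmcertd.socket (disabled instead of masked, failed instead of inactive) and none for the masked service unit; a service with no unit files at all is reported compliant.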
SSH Server

The SSH protocol is recommended for remote login and
remote file transfer. SSH provides confidentiality and integrity
for data exchanged between two systems, as well as server
authentication, through the use of public key cryptography. The
implementation included with the system is called OpenSSH, and more
detailed documentation is available from its website,
http://www.openssh.org.
Its server program is called sshd and provided by the RPM package
openssh-server.

Values used by the rules in this section:

SSH Server Listening Port: Specify the port on which the SSH server listens. Value: 22

SSH Approved MACs by FIPS: Specify the FIPS-approved MAC (message authentication code) algorithms
that are used for data integrity protection by the SSH server. Values: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com; hmac-sha2-512,hmac-sha2-256

SSH enabled firewalld zone: Specify the firewalld zone in which to enable the SSH service. This value is used only for remediation purposes. Values: block, drop, public, work, internal, external, home, dmz, public, trusted

SSH session Idle time: Specify the duration of allowed idle time. Values: 1800, 300, 3600, 900, 300, 840, 7200, 600

SSH Max authentication attempts: Specify the maximum number of authentication attempts per connection. Values: 4, 10, 3, 4, 5

SSH Max Keep Alive Count: Specify the maximum number of idle message counts before the session is terminated. Values: 0, 1, 3, 5, 0, 10

SSH is required to be installed: Specify whether the policy requires SSH to be installed. Used by the SSH rules
to determine whether SSH should be uninstalled or configured.
A value of 0 means that the policy does not care whether the OpenSSH server is installed: if it is installed, the scanner checks its configuration; if it is not installed, the check passes.
A value of 1 indicates that the OpenSSH server package is not required by the policy.
A value of 2 indicates that the OpenSSH server package is required by the policy. Values: 0, 2, 1

Install the OpenSSH Server Package

The openssh-server package should be installed.
The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server

References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.DS-2, PR.DS-5, FIA_UAU.5, FTP_ITC_EXT.1, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS000423-GPOS-00190, RHEL-07-040300, SV-86857r3_rule

Rationale: Without protection of the transmitted information, confidentiality and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.

Identifier: CCE-80215-7

Remediation Shell script:
if ! rpm -q --quiet "openssh-server" ; then
    yum install -y "openssh-server"
fi

Remediation Ansible snippet:
- name: Ensure openssh-server is installed
  package:
    name: openssh-server
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_openssh-server_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80215-7
    - DISA-STIG-RHEL-07-040300
    - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include install_openssh-server
class install_openssh-server {
  package { 'openssh-server':
    ensure => 'installed',
  }
}

Remediation Kickstart snippet:
package --add=openssh-server
Remove the OpenSSH Server Package

The openssh-server package should be removed.
The openssh-server package can be removed with the following command:
$ sudo yum erase openssh-server

Rationale: Without protection of the transmitted information, confidentiality and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.

Remediation Shell script:
# CAUTION: This remediation script will remove openssh-server
#          from the system, and may remove any packages
#          that depend on openssh-server. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "openssh-server" ; then
    yum remove -y "openssh-server"
fi

Remediation Ansible snippet:
- name: Ensure openssh-server is removed
  package:
    name: openssh-server
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_openssh-server_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed

Remediation Puppet snippet:
include remove_openssh-server
class remove_openssh-server {
  package { 'openssh-server':
    ensure => 'purged',
  }
}

Remediation Kickstart snippet:
package --remove=openssh-server
Enable the OpenSSH Service

The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service

References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.1.13, 3.5.4, 3.13.8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), PR.DS-2, PR.DS-5, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS000423-GPOS-00190, RHEL-07-040310, SV-86859r3_rule

Rationale: Without protection of the transmitted information, confidentiality and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
This checklist item applies to both internal and external networks and all types
of information system components from which information can be transmitted (e.g., servers,
mobile devices, notebook computers, printers, copiers, scanners, etc.). Communication paths
outside the physical protection of a controlled boundary are exposed to the possibility
of interception and modification.

Identifier: CCE-80216-5

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'sshd.service'
"$SYSTEMCTL_EXEC" enable 'sshd.service'

Remediation Ansible snippet:
- name: Enable service sshd
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service sshd
      service:
        name: sshd
        enabled: 'yes'
        state: started
      when:
        - '"openssh-server" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_sshd_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80216-5
    - DISA-STIG-RHEL-07-040310
    - NIST-800-171-3.1.13
    - NIST-800-171-3.5.4
    - NIST-800-171-3.13.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-8
    - NIST-800-53-SC-8(1)
    - NIST-800-53-SC-8(2)
    - NIST-800-53-SC-8(3)
    - NIST-800-53-SC-8(4)

Remediation Puppet snippet:
include enable_sshd
class enable_sshd {
  service {'sshd':
    enable => true,
    ensure => 'running',
  }
}
Disable SSH Server If Possible (Unusual)

The SSH server service, sshd, is commonly needed.
However, if it can be disabled, do so.
The sshd service can be disabled with the following command:
$ sudo systemctl disable sshd.service
The sshd service can be masked with the following command:
$ sudo systemctl mask sshd.service
This is unusual, as SSH is a common method for encrypted and authenticated
remote access.

Identifier: CCE-80217-3

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'sshd.service'
"$SYSTEMCTL_EXEC" disable 'sshd.service'
"$SYSTEMCTL_EXEC" mask 'sshd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^sshd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'sshd.socket'
    "$SYSTEMCTL_EXEC" disable 'sshd.socket'
    "$SYSTEMCTL_EXEC" mask 'sshd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'sshd.service' || true

Remediation Ansible snippet:
- name: Disable service sshd
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service sshd
      systemd:
        name: sshd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"sshd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_sshd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80217-3
- name: Unit Socket Exists - sshd.socket
  command: systemctl list-unit-files sshd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_sshd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80217-3
- name: Disable socket sshd
  systemd:
    name: sshd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"sshd.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_sshd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80217-3

Remediation Puppet snippet:
include disable_sshd
class disable_sshd {
  service {'sshd':
    enable => false,
    ensure => 'stopped',
  }
}
Verify Owner on SSH Server config file

To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config

References: 5.2.1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Rationale: Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.

Identifier: CCE-82899-6

Remediation Shell script:
chown 0 /etc/ssh/sshd_config

Remediation Ansible snippet:
- name: Test for existence /etc/ssh/sshd_config
  stat:
    path: /etc/ssh/sshd_config
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_sshd_config
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82899-6
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure owner 0 on /etc/ssh/sshd_config
  file:
    path: /etc/ssh/sshd_config
    owner: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_owner_sshd_config
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82899-6
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Remove SSH Server firewalld Firewall exception (Unusual)

By default, inbound connections to SSH's port are allowed. If
the SSH server is not being used, this exception should be removed from the
firewall configuration.
To configure firewalld to prevent access, run the following command(s):
firewall-cmd --permanent --remove-service=ssh

References: 3.1.12

Rationale: If inbound SSH connections are not expected, disallowing access to the SSH port will
avoid possible exploitation of the port by an attacker.

Identifier: CCE-80218-1

Verify Permissions on SSH Server Public *.pub Key Files

To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-07-040410, SV-86879r2_rule

Rationale: If a public host key file is modified by an unauthorized user, the SSH service
may be compromised.

Identifier: CCE-27311-0

Remediation Shell script:
# the dot before "pub" is escaped so that only names ending in ".pub" match
find /etc/ssh/ -regex '^.*\.pub$' -exec chmod 0644 {} \;

Remediation Ansible snippet:
- name: Find /etc/ssh/ file(s)
  find:
    paths: /etc/ssh/
    patterns: ^.*\.pub$
    use_regex: true
  register: files_found
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_sshd_pub_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27311-0
    - DISA-STIG-RHEL-07-040410
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Set permissions for /etc/ssh/ file(s)
  file:
    path: '{{ item.path }}'
    mode: '0644'
  with_items:
    - '{{ files_found.files }}'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_sshd_pub_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27311-0
    - DISA-STIG-RHEL-07-040410
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)

Remediation Puppet snippet:
include ssh_public_key_perms
class ssh_public_key_perms {
  exec { 'sshd_pub_key':
    command => "chmod 0644 /etc/ssh/*.pub",
    path    => '/bin:/usr/bin'
  }
}
Verify Group Who Owns SSH Server config file

To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config

References: 5.2.1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Rationale: Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.

Identifier: CCE-82902-8

Remediation Shell script:
chgrp 0 /etc/ssh/sshd_config

Remediation Ansible snippet:
- name: Test for existence /etc/ssh/sshd_config
  stat:
    path: /etc/ssh/sshd_config
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_sshd_config
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82902-8
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure group owner 0 on /etc/ssh/sshd_config
  file:
    path: /etc/ssh/sshd_config
    group: '0'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_groupowner_sshd_config
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82902-8
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
Verify Permissions on SSH Server Private *_key Key Files

To properly set the permissions of /etc/ssh/*_key, run the command:
$ sudo chmod 0640 /etc/ssh/*_key

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-07-040420, SV-86881r3_rule

Rationale: If an unauthorized user obtains the private SSH host key file, the host could be
impersonated.

Identifier: CCE-27485-2

Remediation Shell script:
find /etc/ssh/ -regex '^.*_key$' -exec chmod 0640 {} \;

Remediation Ansible snippet:
- name: Find /etc/ssh/ file(s)
  find:
    paths: /etc/ssh/
    patterns: ^.*_key$
    use_regex: true
  register: files_found
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_sshd_private_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27485-2
    - DISA-STIG-RHEL-07-040420
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Set permissions for /etc/ssh/ file(s)
  file:
    path: '{{ item.path }}'
    mode: '0640'
  with_items:
    - '{{ files_found.files }}'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_sshd_private_key
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27485-2
    - DISA-STIG-RHEL-07-040420
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)

Remediation Puppet snippet:
include ssh_private_key_perms
class ssh_private_key_perms {
  exec { 'sshd_priv_key':
    command => "chmod 0640 /etc/ssh/*_key",
    path    => '/bin:/usr/bin'
  }
}
Verify Permissions on SSH Server config file

To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config

References: 5.2.1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227

Rationale: Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes.

Identifier: CCE-82895-4

Remediation Shell script:
chmod 0600 /etc/ssh/sshd_config

Remediation Ansible snippet:
- name: Test for existence /etc/ssh/sshd_config
  stat:
    path: /etc/ssh/sshd_config
  register: file_exists
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_sshd_config
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82895-4
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
- name: Ensure permission 0600 on /etc/ssh/sshd_config
  file:
    path: /etc/ssh/sshd_config
    mode: '0600'
  when:
    - file_exists.stat is defined and file_exists.stat.exists
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - file_permissions_sshd_config
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82895-4
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
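The five file rules above (owner, group and mode of /etc/ssh/sshd_config, mode of the *.pub host keys, mode of the *_key host keys) each set one attribute with chown, chgrp or chmod. As an added example that is not part of this guide or of the scap-security-guide project, the following Python script audits all of them in one pass. The check it applies is the one a scanner needs rather than the one chmod performs: ownership must match exactly, while a mode may be stricter than the value the rule sets (a 0600 private key passes the 0640 rule) but must not carry any permission bit the rule's mode lacks. The policy table and the sample entries are constructed from the rules' text; `collect_live_entries` is an assumed helper for running it against a real /etc/ssh.

```python
import fnmatch
import glob
import os
import stat

# Policy assembled from the five rules above:
# (glob pattern, required uid or None, required gid or None, most permissive mode).
SSH_FILE_POLICY = [
    ("/etc/ssh/sshd_config", 0, 0, 0o600),
    ("/etc/ssh/*.pub", None, None, 0o644),
    ("/etc/ssh/*_key", None, None, 0o640),
]


def audit_entry(path, uid, gid, mode, policy=SSH_FILE_POLICY):
    """Findings for one file, given its owner uid, group gid and mode bits.

    `mode & ~max_mode` isolates the bits the file has beyond what the rule
    allows; a stricter mode yields 0 and passes, a looser one is reported.
    """
    findings = []
    for pattern, want_uid, want_gid, max_mode in policy:
        if not fnmatch.fnmatchcase(path, pattern):
            continue
        if want_uid is not None and uid != want_uid:
            findings.append("%s: owner uid %d, expected %d" % (path, uid, want_uid))
        if want_gid is not None and gid != want_gid:
            findings.append("%s: group gid %d, expected %d" % (path, gid, want_gid))
        extra = mode & 0o7777 & ~max_mode
        if extra:
            findings.append("%s: mode %04o has extra bits %04o beyond %04o"
                            % (path, mode & 0o7777, extra, max_mode))
    return findings


def audit_entries(entries, policy=SSH_FILE_POLICY):
    """Run audit_entry over (path, uid, gid, mode) tuples; returns all findings."""
    findings = []
    for path, uid, gid, mode in entries:
        findings.extend(audit_entry(path, uid, gid, mode, policy))
    return findings


def collect_live_entries(policy=SSH_FILE_POLICY):
    """Assumed helper: stat every regular file the policy patterns match on this host."""
    entries = []
    for pattern, _, _, _ in policy:
        for path in glob.glob(pattern):
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # skip symlinks and directories
                entries.append((path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return entries


# Constructed sample: one file per rule, with two deliberate deviations.
SAMPLE_ENTRIES = [
    ("/etc/ssh/sshd_config", 0, 0, 0o644),           # world-readable: violates 0600
    ("/etc/ssh/ssh_host_rsa_key", 0, 0, 0o600),      # stricter than 0640: passes
    ("/etc/ssh/ssh_host_ed25519_key", 0, 0, 0o664),  # group-writable: violates 0640
    ("/etc/ssh/ssh_host_rsa_key.pub", 0, 0, 0o644),  # exactly 0644: passes
]

if __name__ == "__main__":
    for finding in audit_entries(collect_live_entries()) or ["no deviations found"]:
        print(finding)
```

On the constructed sample the audit reports exactly the two deviations (the 0644 sshd_config and the group-writable ed25519 key) and accepts the 0600 private key, which the guide's chmod would have loosened to 0640 but which a scanner must still pass. A file in /etc/ssh that no rule covers, such as moduli, produces no finding.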
Remove SSH Server iptables Firewall exception (Unusual)

By default, inbound connections to SSH's port are allowed. If the SSH
server is not being used, this exception should be removed from the
firewall configuration.
Edit the files /etc/sysconfig/iptables and
/etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate
and delete the line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
This is unusual, as SSH is a common method for encrypted and authenticated
remote access.

Rationale: If inbound SSH connections are not expected, disallowing access to the SSH
port will avoid possible exploitation of the port by an attacker.

Configure OpenSSH Server if Necessary

If the system needs to act as an SSH server, then
certain changes should be made to the OpenSSH daemon configuration
file /etc/ssh/sshd_config. The following recommendations can be
applied to this file. See the sshd_config(5) man page for more
detailed information.

Values used by the rules in this group:

SSH Compression Setting: Specify the compression setting for SSH connections. Values: no, delayed, no

SSH Privilege Separation Setting: Specify whether and how sshd separates privileges when handling incoming network connections. Values: sandbox, yes, sandbox, no

Use Only Strong MACs

Limit the MACs to strong hash algorithms.
The following line in /etc/ssh/sshd_config demonstrates use
of those MACs:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Rationale: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of
attention as a weak spot that can be exploited with expanded computing power. An
attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the
SSH tunnel and capture credentials and information.

Identifier: CCE-82364-1

Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*MACs\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the first line matching the regex '^Match' (-m 1: a file with
# several Match blocks would otherwise yield several line numbers and break
# the arithmetic below).
line_number="$(LC_ALL=C grep -n -m 1 "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Disable SSH Support for User Known Hosts

SSH can allow system users to connect to systems if a cache of the remote
systems' public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the
following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes

References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, RHEL-07-040380, SV-86873r3_rule

Rationale: Configuring this setting for the SSH daemon provides additional
assurance that remote login via SSH will require a password, even
in the event of misconfiguration elsewhere.

Identifier: CCE-80372-6

Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the first line matching the regex '^Match' (-m 1: a file with
# several Match blocks would otherwise yield several line numbers and break
# the arithmetic below).
line_number="$(LC_ALL=C grep -n -m 1 "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

Remediation Ansible snippet:
- name: Disable SSH Support for User Known Hosts
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*IgnoreUserKnownHosts\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: IgnoreUserKnownHosts yes
        state: present
        insertbefore: ^[#\s]*Match
        # insert before the FIRST Match line; by default lineinfile uses the
        # last match, which would place the directive inside a Match block
        firstmatch: true
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_disable_user_known_hosts
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80372-6
    - DISA-STIG-RHEL-07-040380
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Disable SSH Access via Empty Passwords
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and the PAM configuration should prevent users from being able to assign themselves empty passwords. Note that PermitEmptyPasswords governs only sshd; a pam_unix line that still carries the nullok option accepts an empty password on other login paths, so both need to be checked.
References: NT007(R17), 5.2.9111213141516183595.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00229, RHEL-07-010300, SV-86563r3_rule, SRG-OS-000480-VMM-002000
Rationale: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
CCE-27471-2
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Disable SSH Access via Empty Passwords
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*PermitEmptyPasswords\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: PermitEmptyPasswords no
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_disable_empty_passwords
- high_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27471-2
- DISA-STIG-RHEL-07-010300
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- CJIS-5.5.6
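As an added example that is not part of the SCAP guide or its remediation content, the following shell functions locate the two conditions the description above warns about: accounts whose /etc/shadow password field is empty, and pam_unix lines that carry the nullok option, which is what allows such accounts to authenticate with an empty password. The shadow and PAM snippets are constructed sample data; on a real host, pass the functions the contents of /etc/shadow and of /etc/pam.d/system-auth and /etc/pam.d/password-auth instead.

```shell
#!/bin/bash
# Added example: find accounts that can log in with an empty password.
# Not part of the SCAP guide; the sample data below is constructed.

# Constructed /etc/shadow excerpt: svc_backup and guest have an empty password field.
SAMPLE_SHADOW='root:$6$salt$hash:18000:0:99999:7:::
svc_backup::18000:0:99999:7:::
alice:$6$salt$hash:18000:0:99999:7:::
guest::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::'

# Constructed PAM excerpt: "nullok" on pam_unix.so permits empty-password logins.
SAMPLE_PAM='auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'

# empty_password_accounts SHADOWTEXT -> login names whose password field (field 2) is empty.
# Locked ("!" or "*") or hashed fields are not reported; only a literally empty one is.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# lock_commands SHADOWTEXT -> the passwd -l commands that would lock those accounts.
# Printed rather than executed so an administrator can review them first.
lock_commands() {
    empty_password_accounts "$1" | sed 's/^/passwd -l /'
}

# pam_nullok_lines PAMTEXT -> pam_unix.so lines that still carry the nullok option.
pam_nullok_lines() {
    printf '%s\n' "$1" | grep -E 'pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' || true
}

# Report on the sample. For a live host use "$(cat /etc/shadow)" and
# "$(cat /etc/pam.d/system-auth /etc/pam.d/password-auth)" as the arguments.
echo "accounts with empty passwords:";      empty_password_accounts "$SAMPLE_SHADOW"
echo "suggested lock commands:";            lock_commands "$SAMPLE_SHADOW"
echo "PAM lines allowing empty passwords:"; pam_nullok_lines "$SAMPLE_PAM"
```

Removing nullok from the pam_unix lines and locking the reported accounts closes the gap that PermitEmptyPasswords no alone leaves for console and other non-SSH logins.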
Set SSH Client Alive Max Count
To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is reached, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 
The value is taken from the var_sshd_set_keepalive variable. sshd sends a client-alive message every ClientAliveInterval seconds and terminates the session once ClientAliveCountMax consecutive messages go unanswered, so with a count greater than zero the effective limit is ClientAliveInterval multiplied by ClientAliveCountMax. With the OpenSSH 7.4 shipped in Red Hat Enterprise Linux 7, a count of 0 ends the session after the first interval regardless of the client's response.
References: 5.2.12112131415161835785.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, RHEL-07-040340, SV-86865r4_rule, SRG-OS-000480-VMM-002000
Rationale: This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
CCE-27082-7
var_sshd_set_keepalive=""
replace_or_append '/etc/ssh/sshd_config' '^ClientAliveCountMax' "$var_sshd_set_keepalive" 'CCE-27082-7' '%s %s'
- name: XCCDF Value var_sshd_set_keepalive # promote to variable
set_fact:
var_sshd_set_keepalive: !!str
tags:
- always
- name: Set SSH Client Alive Max Count
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*ClientAliveCountMax\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_set_keepalive
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27082-7
- DISA-STIG-RHEL-07-040340
- NIST-800-171-3.1.11
- NIST-800-53-AC-2(5)
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-SC-10
- NIST-800-53-CM-6(a)
- CJIS-5.5.6
Disable SSH Support for Rhosts RSA Authentication
SSH can allow rhosts-style (rsh) host trust, combined with a successful RSA host key check of the connecting client, to stand in for authentication of the user. This should be disabled. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
RhostsRSAAuthentication no
As of openssh-server version 7.4 and above, the RhostsRSAAuthentication option, which applied only to protocol version 1, has been deprecated, and the line RhostsRSAAuthentication no in /etc/ssh/sshd_config is not necessary. Its protocol version 2 counterpart is HostbasedAuthentication, which defaults to no.
References: 1139, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, RHEL-07-040330, SV-86863r4_rule
Rationale: Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
CCE-80373-4
replace_or_append '/etc/ssh/sshd_config' '^RhostsRSAAuthentication' 'no' 'CCE-80373-4' '%s %s'
- name: Disable SSH Support for Rhosts RSA Authentication
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*RhostsRSAAuthentication\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: RhostsRSAAuthentication no
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_disable_rhosts_rsa
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80373-4
- DISA-STIG-RHEL-07-040330
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
Limit Users' SSH Access
By default, the SSH configuration allows any user with an account to access the system. To block specific accounts from logging in via SSH, add or correct the following line in the /etc/ssh/sshd_config file:
DenyUsers USER1 USER2
Where USER1 and USER2 are valid user names. Note that DenyUsers rejects only the accounts listed; to permit a fixed set of accounts and deny everyone else, use AllowUsers USER1 USER2 instead. sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, so a login must not be denied by either deny list and, whenever an allow list is present, must appear in it.
References: 11121415161835, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3
Rationale: Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.
CCE-80219-9
Enable SSH Warning Banner
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
References: 5.2.1611215165.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, RHEL-07-040170, SV-86849r4_rule, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070
Rationale: The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
CCE-27314-4
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Enable SSH Warning Banner
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*Banner\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: Banner /etc/issue
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_enable_warning_banner
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27314-4
- DISA-STIG-RHEL-07-040170
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- CJIS-5.5.6
Enable GSSAPI Authentication
Sites set up to use Kerberos or another GSSAPI authentication mechanism require sshd to accept this authentication. To enable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication yes
This directive is independent of KerberosAuthentication, which is disabled later in this section: GSSAPI authentication uses the ticket the client already holds, whereas KerberosAuthentication validates a password supplied for PasswordAuthentication against the KDC.
Rationale: Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation, and vulnerabilities in that implementation may be subject to exploitation. For enterprises, Kerberos is often enabled and used with GSSAPI for centralized user account management, which may necessitate enabling GSSAPI functionality in SSH.
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Enable GSSAPI Authentication
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*GSSAPIAuthentication\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: GSSAPIAuthentication yes
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_enable_gssapi_auth
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Force frequent session key renegotiation
The RekeyLimit parameter specifies how often the session key of a connection is renegotiated, both in terms of the amount of data that may be transmitted and the time elapsed. To decrease the default limits, put the line
RekeyLimit 512M 1h
in the file /etc/ssh/sshd_config. The first argument is a data volume (with a K, M or G suffix) and the second a time in sshd_config(5) time format; by default sshd rekeys after between 1G and 4G of data depending on the cipher and applies no time limit.
References: FCS_SSHS_EXT.1, SRG-OS-000480-GPOS-00227
Rationale: By decreasing the limit based on the amount of data and enabling a time-based limit, the effects of potential attacks against encryption keys are limited.
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "RekeyLimit 512M 1h" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "RekeyLimit 512M 1h" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Force frequent session key renegotiation
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*RekeyLimit\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: RekeyLimit 512M 1h
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_rekey_limit
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
Use Only FIPS 140-2 Validated MACsLimit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
The man page sshd_config(5) contains a list of supported MACs.
Only the following message authentication codes are FIPS 140-2 certified on Red Hat Enterprise Linux 7:
- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for
Red Hat Enterprise Linux 7 can be found at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf
The guide notes that the system needs to be rebooted for these changes to take effect; a change to the MACs line itself applies to new connections once sshd is restarted, and it is enabling FIPS mode system-wide that requires the reboot.
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process.
References: 5.2.1211213151658, APO01.06, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.03, 3.1.13, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-001453, CCI-000877, CCI-003123, 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 4.3.3.5.1, 4.3.3.6.6, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-17(2), SC-13, MA-4(6), SC-12(2), SC-12(3), PR.AC-1, PR.AC-3, PR.DS-5, PR.PT-4, SRG-OS-000250-GPOS-00093, SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174, RHEL-07-040400, SV-86877r3_rule, SRG-OS-000033-VMM-000140, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000480-VMM-002000, SRG-OS-000396-VMM-001590
Rationale: DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithm family meeting this requirement is SHA-2, so where the DISA STIG applies, prefer a MACs line that omits hmac-sha1 even though it appears on the FIPS 140-2 list above.
CCE-27455-5
sshd_approved_macs=""
replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" 'CCE-27455-5' '%s %s'
- name: XCCDF Value sshd_approved_macs # promote to variable
set_fact:
sshd_approved_macs: !!str
tags:
- always
- name: Use Only FIPS 140-2 Validated MACs
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*MACs\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: MACs {{ sshd_approved_macs }}
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_use_approved_macs
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27455-5
- DISA-STIG-RHEL-07-040400
- NIST-800-171-3.1.13
- NIST-800-171-3.13.11
- NIST-800-171-3.13.8
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(2)
- NIST-800-53-SC-13
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
Set LogLevel to INFO
The INFO parameter specifies that login and logout activity will be logged. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
LogLevel INFO
References: 5.2.3, AC-17(a), CM-6(a)
Rationale: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications, since it produces so much data that it is difficult to identify important security information. INFO is the basic level that records only the login activity of SSH users. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who had already disconnected, which helps narrow the field.
CCE-80645-5
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Set LogLevel to INFO
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*LogLevel\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: LogLevel INFO
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_set_loglevel_info
- low_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80645-5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
Disable Kerberos Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:
KerberosAuthentication no
This directive is separate from GSSAPIAuthentication: KerberosAuthentication makes sshd validate a password supplied for PasswordAuthentication against the Kerberos KDC, whereas GSSAPI authentication uses the ticket the client already holds, so disabling it does not affect a site that relies on GSSAPI.
References: 1139, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_AFL.1, SRG-OS-000364-GPOS-00151, RHEL-07-040440, SV-86885r3_rule, SRG-OS-000480-VMM-002000
Rationale: Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may be subject to exploitation.
CCE-80221-5
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Disable Kerberos Authentication
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*KerberosAuthentication\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: KerberosAuthentication no
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_disable_kerb_auth
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-80221-5
- DISA-STIG-RHEL-07-040440
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
Allow Only SSH Protocol 2
Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2
As of openssh-server version 7.4 and above, the only protocol supported is version 2, and the line Protocol 2 in /etc/ssh/sshd_config is not necessary.
References: NT007(R1), 5.2.21121516585.5.6, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.13, 3.5.4, CCI-000197, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-17(a), AC-17(2), IA-5(1)(c), SC-13, MA-4(6), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.PT-4, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, RHEL-07-040390, SV-86875r4_rule, SRG-OS-000033-VMM-000140
Rationale: SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
CCE-27320-1
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*Protocol\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "Protocol 2" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "Protocol 2" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Allow Only SSH Protocol 2
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*Protocol\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: Protocol 2
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_allow_only_protocol2
- high_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27320-1
- DISA-STIG-RHEL-07-040390
- NIST-800-171-3.1.13
- NIST-800-171-3.5.4
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(2)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-SC-13
- NIST-800-53-MA-4(6)
- CJIS-5.5.6
Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
IgnoreRhosts controls whether ~/.rhosts and ~/.shosts are consulted during HostbasedAuthentication; it is a safeguard against a user re-enabling host trust on their own account, and is only exercised if host-based authentication is turned on at all.
References: 5.2.61112141516183595.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00227, RHEL-07-040350, SV-86867r3_rule, SRG-OS-000107-VMM-000530
Rationale: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
CCE-27377-1
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Disable SSH Support for .rhosts Files
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*IgnoreRhosts\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: IgnoreRhosts yes
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_disable_rhosts
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27377-1
- DISA-STIG-RHEL-07-040350
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- CJIS-5.5.6
Set SSH Idle Timeout Interval
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 
The timeout interval is given in seconds. For example, to have a timeout of 10 minutes, set the interval to 600. The value is taken from the sshd_idle_timeout_value variable.
If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle: ClientAliveInterval measures client responsiveness rather than user activity, and an SSH client answers the server's client-alive messages automatically, so with ClientAliveCountMax greater than zero a connected but idle session is not terminated; only an unreachable or hung client is.
References: NT28(R29), 5.2.12112131415161835785.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-2(5), AC-12, SC-10, DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000126-GPOS-00066, SRG-OS-000395-GPOS-00175, RHEL-07-040320, SV-86861r4_rule, SRG-OS-000480-VMM-002000
Rationale: Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
CCE-27433-2
sshd_idle_timeout_value=""
replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' "$sshd_idle_timeout_value" 'CCE-27433-2' '%s %s'
- name: XCCDF Value sshd_idle_timeout_value # promote to variable
set_fact:
sshd_idle_timeout_value: !!str
tags:
- always
- name: Set SSH Idle Timeout Interval
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*ClientAliveInterval\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: ClientAliveInterval {{ sshd_idle_timeout_value }}
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_set_idle_timeout
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27433-2
- PCI-DSS-Req-8.1.8
- DISA-STIG-RHEL-07-040320
- NIST-800-171-3.1.11
- NIST-800-53-CM-6(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-SC-10
- NIST-800-53-CM-6(a)
- CJIS-5.5.6
Do Not Allow SSH Environment Options
To ensure users are not able to override environment variables of the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no
References: 5.2.1011395.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00229, RHEL-07-010460, SV-86581r3_rule, SRG-OS-000480-VMM-002000
Rationale: SSH environment options potentially allow users to bypass access restrictions in some configurations. With environment processing enabled, a user can set variables such as LD_PRELOAD through ~/.ssh/environment or an environment= option in authorized_keys, which can subvert a ForceCommand or restricted-shell setup.
CCE-27363-1
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
- name: Do Not Allow SSH Environment Options
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)^\s*PermitUserEnvironment\s+
state: absent
- name: Insert correct line to /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
create: true
line: PermitUserEnvironment no
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags:
- sshd_do_not_permit_user_env
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- CCE-27363-1
- DISA-STIG-RHEL-07-010460
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-6(a)
- CJIS-5.5.6
Disable PubkeyAuthentication Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication
mechanisms. To disable public key authentication, add or correct the following
line in the /etc/ssh/sshd_config file:
PubkeyAuthentication no
Rationale: Public key authentication is used to provide additional authentication
mechanisms to applications. Allowing public key authentication through SSH allows
users to generate their own authentication tokens, increasing the attack surface
of the system.
Identifiers: CCE-82344-3
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Disable PubkeyAuthentication Authentication
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PubkeyAuthentication\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: PubkeyAuthentication no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_disable_pubkey_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82344-3
Enable Encrypted X11 Forwarding
By default, remote X11 connections are not encrypted when initiated by users.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled. To enable X11 Forwarding, add or correct the
following line in /etc/ssh/sshd_config:
X11Forwarding yes
References: 5.2.41111213151618203469, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227, RHEL-07-040710, SV-86927r4_rule
Rationale: Non-encrypted X displays allow an attacker to capture keystrokes and
to execute commands remotely.
Identifiers: CCE-80226-4
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Enable Encrypted X11 Forwarding
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*X11Forwarding\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: X11Forwarding yes
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_enable_x11_forwarding
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80226-4
    - DISA-STIG-RHEL-07-040710
    - NIST-800-171-3.1.13
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-17(2)
Use Only FIPS 140-2 Validated Ciphers
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers.
The following ciphers are FIPS 140-2 certified on Red Hat Enterprise Linux 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se
Any combination of the above ciphers will pass this check.
Official FIPS 140-2 paperwork for Red Hat Enterprise Linux 7 can be found at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf
Warning: The system needs to be rebooted for these changes to take effect.
Warning: System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based
security systems to protect sensitive information in computer and
telecommunication systems (including voice systems) as defined in Section 5131
of the Information Technology Management Reform Act of 1996, Public Law
104-106. This standard shall be used in designing and implementing
cryptographic modules that Federal departments and agencies operate or are
operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a
vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third party
review by an accredited lab. While open source software is capable of meeting
this, it does not meet FIPS-140 unless the vendor submits to this process.
References: 5.2.101111214151618356895.5.6, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, MEA02.01, 3.1.13, 3.13.11, 3.13.8, CCI-000068, CCI-000366, CCI-000803, 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-17(2), SC-13, MA-4(6), IA-5(1)(c), SC-12(2), SC-12(3), PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, RHEL-07-040110, SV-86845r3_rule, SRG-OS-000033-VMM-000140, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590
Rationale: Unapproved mechanisms that are used for authentication to the
cryptographic module are not verified and therefore cannot be relied upon to
provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant
mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to
access cryptographic modules utilize authentication that meets industry and
government requirements. For government systems, this allows Security Levels
1, 2, 3, or 4 for use on Red Hat Enterprise Linux 7.
Identifiers: CCE-27295-5
Remediation Shell script:
# replace_or_append is a helper from the SCAP Security Guide's bash remediation
# function library; it replaces the first line matching the regex, or appends
# the line if none matches. It is not defined in this snippet.
replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' 'CCE-27295-5' '%s %s'
Remediation Ansible snippet:
- name: Use Only FIPS 140-2 Validated Ciphers
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*Ciphers\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_use_approved_ciphers
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27295-5
    - DISA-STIG-RHEL-07-040110
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.11
    - NIST-800-171-3.13.8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-17(2)
    - NIST-800-53-SC-13
    - NIST-800-53-MA-4(6)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - CJIS-5.5.6
Disable Host-Based Authentication
SSH's cryptographic host-based authentication is more secure than .rhosts
authentication. However, it is not recommended that hosts unilaterally trust
one another, even within an organization.
To disable host-based authentication, add or correct the following line in
/etc/ssh/sshd_config:
HostbasedAuthentication no
References: 5.2.71112141516183595.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00229, RHEL-07-010470, SV-86583r3_rule, SRG-OS-000480-VMM-002000
Rationale: SSH trust relationships mean a compromise on one host can allow an
attacker to move trivially to other hosts.
Identifiers: CCE-27413-4
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Disable Host-Based Authentication
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*HostbasedAuthentication\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: HostbasedAuthentication no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - disable_host_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27413-4
    - DISA-STIG-RHEL-07-010470
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-3
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.6
Enable SSH Server firewalld Firewall Exception
By default, inbound connections to SSH's port are allowed. If the SSH server is
being used but denied by the firewall, this exception should be added to the
firewall configuration. To configure firewalld to allow access, run the
following command(s):
firewall-cmd --permanent --add-service=ssh
References: 3.1.12, AC-17(a), CM-6(b), CM-7(a), CM-7(b)
Rationale: If inbound SSH connections are expected, adding a firewall rule
exception will allow remote access through the SSH port.
Identifiers: CCE-80361-9
Remediation Ansible snippet:
- name: Ensure firewalld is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
    - firewalld
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80361-9
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
- name: XCCDF Value sshd_listening_port # promote to variable
  set_fact:
    sshd_listening_port: !!str
  tags:
    - always
- name: Enable SSHD in firewalld (custom port)
  firewalld:
    port: '{{ sshd_listening_port }}/tcp'
    permanent: true
    state: enabled
  when:
    - sshd_listening_port != 22
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80361-9
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
- name: Enable SSHD in firewalld (default port)
  firewalld:
    service: ssh
    permanent: true
    state: enabled
  when:
    - sshd_listening_port == 22
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - firewalld_sshd_port_enabled
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80361-9
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
Set SSH authentication attempt limit
The MaxAuthTries parameter specifies the maximum number of authentication
attempts permitted per connection. Once the number of failures reaches half
this value, additional failures are logged. To set MaxAuthTries, edit
/etc/ssh/sshd_config as follows:
MaxAuthTries tries
References: 5.2.5
Rationale: Setting the MaxAuthTries parameter to a low number will minimize the
risk of successful brute force attacks on the SSH server.
Identifiers: CCE-82354-2
Set SSH Daemon LogLevel to VERBOSE
The VERBOSE parameter configures the SSH daemon to record login and logout
activity. To specify the log level in SSH, add or correct the following line in
the /etc/ssh/sshd_config file:
LogLevel VERBOSE
References: CCI-000067, AC-17(a), AC-17(1), CM-6(a), SRG-OS-000032-GPOS-00013
Rationale: SSH provides several logging levels with varying amounts of
verbosity. DEBUG is specifically not recommended other than strictly for
debugging SSH communications, since it provides so much data that it is
difficult to identify important security information. INFO or VERBOSE is the
basic level that only records login activity of SSH users. In many situations,
such as incident response, it is important to determine when a particular user
was active on a system. The logout record can eliminate those users who
disconnected, which helps narrow the field.
Identifiers: CCE-82419-3
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Set SSH Daemon LogLevel to VERBOSE
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*LogLevel\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: LogLevel VERBOSE
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_set_loglevel_verbose
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82419-3
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-17(1)
    - NIST-800-53-CM-6(a)
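The rationale above describes the incident-response use of SSH login and logout records: establishing when a user was active and ruling out users who disconnected. The script below is an added example, not part of the SCAP Security Guide, that rebuilds per-user session timelines from sshd log lines. The log lines are constructed for the demonstration in the syslog layout sshd uses on RHEL 7 (assumed here to be "Mon DD HH:MM:SS host sshd[pid]: message"); the sshd process id is what ties an "Accepted" record to its "Disconnected" record.

```shell
#!/bin/bash
# Added example (not SCAP Security Guide code): per-user SSH session timelines
# from sshd log records, keyed on the sshd[pid] that handled the connection.

# Constructed sample log lines; the fingerprint and addresses are not real.
SAMPLE_AUTH_LOG='Jan 10 09:12:01 host1 sshd[2311]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Jan 10 09:12:01 host1 sshd[2311]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 09:40:17 host1 sshd[2311]: Received disconnect from 192.0.2.10 port 51234:11: disconnected by user
Jan 10 09:40:17 host1 sshd[2311]: Disconnected from user alice 192.0.2.10 port 51234
Jan 10 10:05:44 host1 sshd[2498]: Accepted password for bob from 198.51.100.7 port 40022 ssh2
Jan 10 11:30:02 host1 sshd[2610]: Failed password for invalid user admin from 203.0.113.5 port 33001 ssh2
'

# write_sample_auth_log: store the constructed sample in a temp file, print its path.
write_sample_auth_log() {
    local f
    f="$(mktemp)"
    printf '%s' "$SAMPLE_AUTH_LOG" > "$f"
    printf '%s\n' "$f"
}

# ssh_sessions <logfile>: one line per accepted session, sorted by user:
#   "<user> <source-ip> <login time> <logout time or ->"
# Failed attempts are not sessions and are ignored; a session with no
# "Disconnected from user" record is reported as still open ("-").
ssh_sessions() {
    awk '
        function pid_of(field) { sub(/^sshd\[/, "", field); sub(/\].*$/, "", field); return field }
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" {
            p = pid_of($5)
            user[p] = $9; ip[p] = $11; login[p] = $1 " " $2 " " $3
        }
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Disconnected" && $7 == "from" && $8 == "user" {
            p = pid_of($5)
            if (p in user) logout[p] = $1 " " $2 " " $3
        }
        END {
            for (p in user)
                printf "%s %s %s %s\n", user[p], ip[p], login[p], (p in logout) ? logout[p] : "-"
        }
    ' "$1" | sort
}

# ssh_open_sessions <logfile>: only the sessions that never logged out, which
# is the set an investigator cannot yet eliminate.
ssh_open_sessions() {
    ssh_sessions "$1" | awk '$NF == "-"'
}
```

Run it against a real host with ssh_sessions /var/log/secure; the same two functions work on journald output piped through journalctl -u sshd -o short, since the layout is the same.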
Disable SSH root Login with a Password (Insecure)
To disable password-based root logins over SSH, add or correct the following
line in /etc/ssh/sshd_config:
PermitRootLogin prohibit-password
Warning: While this disables password-based root logins, direct root logins
through other means such as through SSH keys or GSSAPI will still be permitted.
Permitting any sort of root login remotely opens up the root account to attack.
To fully disable direct root logins over SSH (which is considered a best
practice) and prevent remote attacks against the root account, see CCE-27100-7,
CCE-27445-6, CCE-80901-2, and similar.
Rationale: Even though the communications channel may be encrypted, an
additional layer of security is gained by preventing use of a password. This
also helps to minimize direct attack attempts on root's password.
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Disable SSH root Login with a Password (Insecure)
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PermitRootLogin\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: PermitRootLogin prohibit-password
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_disable_root_password_login
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
Enable Use of Strict Mode Checking
SSH's StrictModes option checks file and ownership permissions in the user's
home directory .ssh folder before accepting login. If world-writable
permissions are found, logon is rejected. To enable StrictModes in SSH, add or
correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes
References: 12131415161835, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-07-040450, SV-86887r3_rule, SRG-OS-000480-VMM-002000
Rationale: If other users have access to modify user-specific SSH
configuration files, they may be able to log into the system as another user.
Identifiers: CCE-80222-3
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Enable Use of Strict Mode Checking
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*StrictModes\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: StrictModes yes
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_enable_strictmodes
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80222-3
    - DISA-STIG-RHEL-07-040450
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-6
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
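The rule above says what StrictModes enforces but not what the check looks like in practice. The script below is an added example, not part of the SCAP Security Guide, that pre-checks a home directory the way sshd does before trusting ~/.ssh/authorized_keys, so an administrator can see why a key-based login is refused and which loose permission would let another local user plant a key. It assumes the checks documented in sshd(8) for StrictModes: the home directory, ~/.ssh and authorized_keys must be owned by the user (or root) and must not be group- or world-writable. It uses GNU stat -c, so it is Linux-specific.

```shell
#!/bin/bash
# Added example (not SCAP Security Guide code): emulate sshd's StrictModes
# ownership/permission check on a home directory. Linux only (GNU stat).

# safe_path <path> <uid>: 0 if <path> is owned by <uid> or root and is not
# writable by group or others; otherwise print the reason and return 1.
safe_path() {
    local path="$1" uid="$2" owner mode
    owner="$(stat -c '%u' "$path")" || return 1
    mode="$(stat -c '%a' "$path")"
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        printf 'bad ownership on %s (uid %s)\n' "$path" "$owner"
        return 1
    fi
    # The last two octal digits are the group and other bits; a write bit
    # shows up as 2, 3, 6 or 7 in either position.
    case "$mode" in
        *[2367]?|*[2367])
            printf 'group/world-writable %s (mode %s)\n' "$path" "$mode"
            return 1 ;;
    esac
    return 0
}

# strictmodes_check <home> <uid>: apply safe_path to the home directory, .ssh
# and authorized_keys (pieces that do not exist are skipped, as sshd would
# simply find no key). Returns 0 only when everything inspected is acceptable.
strictmodes_check() {
    local home="$1" uid="$2" p
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        safe_path "$p" "$uid" || return 1
    done
    return 0
}

# make_sample_home <mode-for-.ssh>: constructed fixture for the demonstration.
# Builds a throwaway home tree owned by the caller with a 0600 authorized_keys,
# then sets the requested mode on .ssh. Remove it with rm -rf afterwards.
make_sample_home() {
    local home
    home="$(mktemp -d)"
    mkdir -m 700 "$home/.ssh"
    : > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chmod "$1" "$home/.ssh"
    printf '%s\n' "$home"
}
```

On a real host, strictmodes_check "$(getent passwd alice | cut -d: -f6)" "$(id -u alice)" reports the first offending path, which is the same condition sshd logs as "Authentication refused: bad ownership or modes".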
Enable Use of Privilege Separation
When enabled, SSH will create an unprivileged child process that has the
privilege of the authenticated user. To enable privilege separation in SSH, add
or correct the following line in the /etc/ssh/sshd_config file:
UsePrivilegeSeparation 
References: 12131415161835, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-6, PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-07-040460, SV-86889r3_rule
Rationale: SSH daemon privilege separation causes the SSH process to drop root
privileges when not needed, which would decrease the impact of software
vulnerabilities in the unprivileged section.
Identifiers: CCE-80223-1
Remediation Shell script:
var_sshd_priv_separation=""
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Enable Use of Privilege Separation
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*UsePrivilegeSeparation\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: UsePrivilegeSeparation sandbox
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_use_priv_separation
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80223-1
    - DISA-STIG-RHEL-07-040460
    - NIST-800-171-3.1.12
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-6
Enable SSH Print Last Log
When enabled, SSH will display the date and time of the last successful account
logon. To enable LastLog in SSH, add or correct the following line in the
/etc/ssh/sshd_config file:
PrintLastLog yes
References: 1121516, DSS05.04, DSS05.10, DSS06.10, CCI-000366, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-17(a), CM-6(a), PR.AC-7, SRG-OS-000480-GPOS-00227, RHEL-07-040360, SV-86869r3_rule
Rationale: Providing users feedback on when account accesses last occurred
facilitates user recognition and reporting of unauthorized account use.
Identifiers: CCE-80225-6
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Enable SSH Print Last Log
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PrintLastLog\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: PrintLastLog yes
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_print_last_log
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80225-6
    - DISA-STIG-RHEL-07-040360
    - NIST-800-53-AC-9
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
Use Only Strong Ciphers
Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred
over cipher-block chaining (CBC) mode. The following line in
/etc/ssh/sshd_config demonstrates use of those ciphers:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
The man page sshd_config(5) contains a list of supported ciphers.
Rationale: Based on research conducted at various institutions, it was
determined that the symmetric portion of the SSH Transport Protocol (as
described in RFC 4253) has security weaknesses that allowed recovery of up to
32 bits of plaintext from a block of ciphertext that was encrypted with the
Cipher Block Chaining (CBC) method. From that research, new Counter mode
algorithms (as described in RFC 4344) were designed that are not vulnerable to
these types of attacks, and these algorithms are now recommended for standard
use.
Identifiers: CCE-82363-3
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
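Both cipher rules in this section (the FIPS 140-2 list above, where "any combination of the above ciphers will pass this check", and the strong-cipher list just given) are allowlist checks: every cipher on the Ciphers line must belong to the approved set, and order does not matter. The script below is an added example, not part of the SCAP Security Guide, that performs that check against either list and names the offending ciphers. The two approved lists are taken verbatim from the rules above; the function takes the Ciphers value as a string, which can come from the config file or from the effective configuration printed by sshd -T.

```shell
#!/bin/bash
# Added example (not SCAP Security Guide code): allowlist check for an
# sshd "Ciphers" value against an approved cipher set.

# Approved sets, copied from the two rules above.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc rijndael-cbc@lysator.liu.se"
STRONG_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"

# ciphers_allowed "<approved list>" "<Ciphers value>": print every configured
# cipher that is NOT approved (one per line) and return 1 if there are any;
# return 0 and print nothing when the whole comma-separated list is approved.
ciphers_allowed() {
    local approved=" $1 " value="$2" bad=0 c
    if [ -z "$value" ]; then
        echo "(no Ciphers line: the sshd built-in default set applies)"
        return 1
    fi
    # A leading '+', '-' or '^' edits sshd's default set instead of listing
    # ciphers explicitly; the rules want an explicit list, so reject that form.
    case "$value" in
        +*|-*|^*) echo "$value"; return 1 ;;
    esac
    for c in $(printf '%s' "$value" | tr ',' ' '); do
        case "$approved" in
            *" $c "*) ;;                       # exact token match
            *) printf '%s\n' "$c"; bad=1 ;;
        esac
    done
    return $bad
}

# fips_ciphers_ok "<Ciphers value>" / strong_ciphers_ok "<Ciphers value>":
# convenience wrappers for the two rules.
fips_ciphers_ok()   { ciphers_allowed "$FIPS_CIPHERS" "$1"; }
strong_ciphers_ok() { ciphers_allowed "$STRONG_CIPHERS" "$1"; }
```

Against a live host: fips_ciphers_ok "$(sshd -T 2>/dev/null | awk '$1 == "ciphers" { print $2 }')" reads the effective value after defaults and Match processing, which is what the daemon will actually negotiate.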
Disable GSSAPI Authentication
Unless needed, SSH should not permit extraneous or unnecessary authentication
mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the
following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication no
References: 1139, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000368, CCI-000318, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FIA_AFL.1, SRG-OS-000364-GPOS-00151, RHEL-07-040430, SV-86883r3_rule, SRG-OS-000480-VMM-002000
Rationale: GSSAPI authentication is used to provide additional authentication
mechanisms to applications. Allowing GSSAPI authentication through SSH exposes
the system's GSSAPI to remote hosts, increasing the attack surface of the
system.
Identifiers: CCE-80220-7
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Disable GSSAPI Authentication
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*GSSAPIAuthentication\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: GSSAPIAuthentication no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_disable_gssapi_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80220-7
    - DISA-STIG-RHEL-07-040430
    - NIST-800-171-3.1.12
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-17(a)
Disable Compression Or Set Compression to delayed

Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
/etc/ssh/sshd_config file:
Compression 
Identifiers and References: 1139BAI10.01BAI10.02BAI10.03BAI10.053.1.12CCI-000366164.308(a)(4)(i)164.308(b)(1)164.308(b)(3)164.310(b)164.312(e)(1)164.312(e)(2)(ii)4.3.4.3.24.3.4.3.3SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4AC-17(a)CM-7(a)CM-7(b)CM-6(a)PR.IP-1SRG-OS-000480-GPOS-00227RHEL-07-040470SV-86891r3_ruleSRG-OS-000480-VMM-002000
Rationale: If compression is allowed in an SSH connection prior to authentication,
vulnerabilities in the compression software could result in compromise of the
system from an unauthenticated connection, potentially with root privileges.
Identifier: CCE-80224-9
Remediation Shell script:
# var_sshd_disable_compression holds the XCCDF value selected for this rule
# (rendered empty here); replace_or_append is a helper from the
# scap-security-guide bash remediation function library, not a standard command.
var_sshd_disable_compression=""
replace_or_append '/etc/ssh/sshd_config' '^Compression' "$var_sshd_disable_compression" 'CCE-80224-9' '%s %s'
Remediation Ansible snippet:
- name: Disable Compression Or Set Compression to delayed
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*Compression\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: Compression delayed
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_disable_compression
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80224-9
    - DISA-STIG-RHEL-07-040470
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
Disable SSH Root Login

The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in /etc/ssh/sshd_config:
PermitRootLogin no
Identifiers and References: NT28(R19)5.2.8111121314151618355.5.6APO01.06DSS05.02DSS05.04DSS05.05DSS05.07DSS05.10DSS06.02DSS06.03DSS06.06DSS06.103.1.13.1.5CCI-000366CCI-000770164.308(a)(4)(i)164.308(b)(1)164.308(b)(3)164.310(b)164.312(e)(1)164.312(e)(2)(ii)4.3.3.2.24.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.4SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 5.2A.10.1.1A.11.1.4A.11.1.5A.11.2.1A.13.1.1A.13.1.3A.13.2.1A.13.2.3A.13.2.4A.14.1.2A.14.1.3A.18.1.4A.6.1.2A.7.1.1A.7.1.2A.7.3.1A.8.2.2A.8.2.3A.9.1.1A.9.1.2A.9.2.1A.9.2.2A.9.2.3A.9.2.4A.9.2.6A.9.3.1A.9.4.1A.9.4.2A.9.4.3A.9.4.4A.9.4.5AC-6(2)AC-17(a)IA-2IA-2(5)CM-7(a)CM-7(b)CM-6(a)PR.AC-1PR.AC-4PR.AC-6PR.AC-7PR.DS-5PR.PT-3FIA_AFL.1SRG-OS-000480-GPOS-00227SRG-OS-000109-GPOS-00056RHEL-07-040370SV-86871r3_ruleSRG-OS-000480-VMM-002000
Rationale: Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password.
Identifier: CCE-27445-6
Remediation Shell script:
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
else
touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
else
head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
Remediation Ansible snippet:
- name: Disable SSH Root Login
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PermitRootLogin\s+
        state: absent
    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: PermitRootLogin no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - sshd_disable_root_login
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-27445-6
    - DISA-STIG-RHEL-07-040370
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-6(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-
    - CJIS-5.5.6
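The three sshd_config rules above (GSSAPIAuthentication, Compression, PermitRootLogin) each carry a remediation that deletes every existing definition of one keyword and inserts the wanted line before the first Match block. The helper below is an added example, not code from the guide or the scap-security-guide project; it generalises that edit to any keyword and adds the check a practitioner wants afterwards: the value sshd will actually use, given that sshd honours the first occurrence of a keyword and treats lines under Match as conditional. The function names (set_sshd_option, sshd_global_value, sshd_option_is, demo_sshd_hardening) and the sample configuration are constructed for this example.

```bash
#!/bin/bash
# Added example (not from the guide): a reusable form of the sshd_config edit
# that the remediation scripts above perform by hand for one keyword each.
# sshd keywords are case-insensitive and the FIRST occurrence of a keyword wins,
# so a hardening line appended after an earlier "PermitRootLogin yes" would be
# silently ignored; this helper removes every active definition and inserts the
# wanted one before the first Match block, i.e. in global scope.

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    [ -e "$file" ] || touch "$file"
    tmp="$(mktemp)" || return 1
    awk -v lk="$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')" \
        -v newline="$key $value" '
        # drop every active definition, including ones inside Match blocks
        # (the guide remediations do the same); commented lines are kept
        tolower($1) == lk { next }
        # insert the global setting just before the first Match block
        !done && tolower($1) == "match" { print newline; done = 1 }
        { print }
        END { if (!done) print newline }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # write back through the existing inode to keep mode, owner and SELinux label
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# sshd_global_value FILE KEYWORD: print the value sshd will use globally
# (first active occurrence before any Match block), or nothing if unset
sshd_global_value() {
    awk -v lk="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        tolower($1) == "match" { exit }       # anything below is conditional
        tolower($1) == lk { print $2; exit }  # first occurrence wins
    ' "$1"
}

# sshd_option_is FILE KEYWORD EXPECTED: succeed only if the effective value matches
sshd_option_is() {
    [ "$(sshd_global_value "$1" "$2")" = "$3" ]
}

# Constructed sample exercising the edge cases: a commented-out line that must
# be left alone, a lower-case duplicate, and a Match block that must survive.
demo_sshd_hardening() {
    local cfg rc
    cfg="$(mktemp)" || return 1
    cat > "$cfg" <<'EOF'
#PermitRootLogin yes
permitrootlogin yes
GSSAPIAuthentication yes
Match User backup
    PermitRootLogin no
EOF
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" GSSAPIAuthentication no
    set_sshd_option "$cfg" Compression delayed
    sshd_option_is "$cfg" PermitRootLogin no &&
    sshd_option_is "$cfg" GSSAPIAuthentication no &&
    sshd_option_is "$cfg" Compression delayed &&
    grep -q '^Match User backup' "$cfg" &&
    grep -q '^#PermitRootLogin yes' "$cfg"
    rc=$?
    rm -f "$cfg"
    return "$rc"
}

demo_sshd_hardening && echo "sample sshd_config hardened; effective values verified"
```

Run sshd -t after editing a real /etc/ssh/sshd_config (the Ansible tasks above do this through validate). Like the guide's remediation, the helper also strips keyword lines that sit inside Match blocks, so any per-user override has to be re-added deliberately afterwards.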
Strengthen Firewall Configuration if Possible

If the SSH server is expected to only receive connections from
the local network, then strengthen the default firewall rule for the SSH service
to only accept connections from the appropriate network segment(s).
Determine an appropriate network block, netwk, network mask, mask, and
network protocol, ip_protocol, representing the systems on your network which will
be allowed to access this SSH server.
Run the following command:
firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'

DHCP

The Dynamic Host Configuration Protocol (DHCP) allows
systems to request and obtain an IP address and other configuration
parameters from a server.
This guide recommends configuring networking on clients by manually editing
the appropriate files under /etc/sysconfig. Use of DHCP can make client
systems vulnerable to compromise by rogue DHCP servers, and should be avoided
unless necessary. If using DHCP is necessary, however, there are best practices
that should be followed to minimize security risk.Disable DHCP ClientDHCP is the default network configuration method provided by the system
installer, and common on many networks. Nevertheless, manual management
of IP addresses for systems implies a greater degree of management and
accountability for network activity.Disable DHCP Client in ifcfgFor each interface on the system (e.g. eth0), edit
/etc/sysconfig/network-scripts/ifcfg-interface and make the
following changes:
Correct the BOOTPROTO line to read:
BOOTPROTO=none Add or correct the following lines, substituting the appropriate
values based on your site's addressing scheme:
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.06CCI-0003664.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-6(a)PR.IP-1PR.PT-3DHCP relies on trusting the local network. If the local network is not trusted,
then it should not be used. However, the automatic configuration provided by
DHCP is commonly used and the alternative, manual configuration, presents an
unacceptable burden in many circumstances.CCE-80337-9Configure DHCP ServerIf the system must act as a DHCP server, the configuration
information it serves should be minimized. Also, support for other protocols
and DNS-updating schemes should be explicitly disabled unless needed. The
configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file
begins with a number of global configuration options. The remainder of the file
is divided into sections, one for each block of addresses offered by dhcpd,
each of which contains configuration options specific to that address
block.

Configure Logging

Ensure that the following line exists in
/etc/rsyslog.conf:
daemon.* /var/log/daemon.log
Configure logwatch or other log monitoring tools to summarize error conditions
reported by the dhcpd process.
Identifiers and References: 112131415162356789APO10.01APO10.03APO10.04APO10.05APO11.04BAI03.05DSS01.03DSS03.05DSS05.02DSS05.04DSS05.05DSS05.07MEA01.01MEA01.02MEA01.03MEA01.04MEA01.05MEA02.014.3.2.6.74.3.3.3.94.3.3.5.84.3.4.4.74.4.2.14.4.2.24.4.2.4SR 2.10SR 2.11SR 2.12SR 2.8SR 2.9SR 6.1SR 6.2A.12.4.1A.12.4.2A.12.4.3A.12.4.4A.12.7.1A.14.2.7A.15.2.1A.15.2.2AU-12(a)AU-12(c)CM-6(a)DE.CM-1DE.CM-3DE.CM-7ID.SC-4PR.PT-1
Rationale: By default, dhcpd logs notices to the daemon facility. Sending all
daemon messages to a dedicated log file is part of the syslog configuration
outlined in the Logging and Auditing section.
Identifier: CCE-80336-1

Deny Decline Messages

Edit /etc/dhcp/dhcpd.conf and add or correct the following
global option to prevent the DHCP server from responding to DHCPDECLINE
messages, if possible:
deny declines;
Identifiers and References: 111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3
Rationale: The DHCPDECLINE message can be sent by a DHCP client to indicate
that it does not consider the lease offered by the server to be valid. By
issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP
server's pool of IP addresses, causing the DHCP server to forget old address
allocations.
Identifier: CCE-80333-8

Do Not Use Dynamic DNS

To prevent the DHCP server from receiving DNS information from
clients, edit /etc/dhcp/dhcpd.conf, and add or correct the following global
option:
ddns-update-style none;
The ddns-update-style option controls only whether
the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS
server itself is correctly configured to reject DDNS attempts, an incorrect
ddns-update-style setting on the client is harmless (but should be fixed as a
best practice).
Identifiers and References: 111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3
Rationale: The Dynamic DNS protocol is used to remotely update the data served
by a DNS server. DHCP servers can use Dynamic DNS to publish information about
their clients. This setup carries security risks, and its use is not
recommended. If Dynamic DNS must be used despite the risks it poses, it is
critical that Dynamic DNS transactions be protected using TSIG or some other
cryptographic authentication mechanism. See dhcpd.conf(5) for more information
about protecting the DHCP server from passing along malicious DNS data from its
clients.
Identifier: CCE-80332-0

Minimize Served Information

Edit /etc/dhcp/dhcpd.conf. Examine each address range section within
the file, and ensure that the following options are not defined unless there is
an operational need to provide this information via DHCP:
option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset
By default, the Red Hat Enterprise Linux client installation uses DHCP
to request much of the above information from the DHCP server. In particular,
domain-name, domain-name-servers, and routers are configured via DHCP. These
settings are typically necessary for proper network functionality, but are also
usually static across systems at a given site.
Identifiers and References: 111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3
Rationale: Because the configuration information provided by the DHCP server
could be maliciously provided to clients by a rogue DHCP server, the amount of
information provided via DHCP should be minimized. Remove these definitions
from the DHCP server configuration to ensure that legitimate clients do not
unnecessarily rely on DHCP for this information.

Deny BOOTP Queries

Unless your network needs to support older BOOTP clients, disable
support for the bootp protocol by adding or correcting the global option:
deny bootp;
Identifiers and References: 111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3
Rationale: The bootp option tells dhcpd to respond to BOOTP queries. If support
for this simpler protocol is not needed, it should be disabled to remove attack
vectors against the DHCP server.
Identifier: CCE-80334-6

Disable DHCP Server

The DHCP server dhcpd is not installed or activated by
default. If the software was installed and activated, but the
system does not need to act as a DHCP server, it should be disabled
and removed.

Uninstall DHCP Server Package

If the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.
The dhcp package can be removed with the following command:
$ sudo yum erase dhcp
Identifiers and References: NT28(R1)111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.06CCI-0003664.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3
Rationale: Removing the DHCP server ensures that it cannot be easily or
accidentally reactivated and disrupt network operation.
Identifier: CCE-80331-2
Remediation Shell script:
# CAUTION: This remediation script will remove dhcp
# from the system, and may remove any packages
# that depend on dhcp. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "dhcp" ; then
yum remove -y "dhcp"
fi
Remediation Ansible snippet:
- name: Ensure dhcp is removed
  package:
    name: dhcp
    state: absent
  tags:
    - package_dhcp_removed
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80331-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include remove_dhcp
class remove_dhcp {
package { 'dhcp':
ensure => 'purged',
}
}
package --remove=dhcp
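The Configure DHCP Server rules above (Deny Decline Messages, Do Not Use Dynamic DNS, Minimize Served Information, Deny BOOTP Queries) are each a single statement in /etc/dhcp/dhcpd.conf, which makes them easy to audit together. The script below is an added example, not code from the guide or the ISC DHCP project: it reads a dhcpd.conf, checks the three global statements, and reports every discouraged option statement from the Minimize Served Information list with its line number and whether it sits inside an address block. Brace depth is tracked so that "global" means top level only. The function names (audit_dhcpd_conf, write_sample_dhcpd_conf, dhcpd_finding_count, demo_dhcpd_audit) and the two sample configurations are constructed for this example.

```bash
#!/bin/bash
# Added example (not from the guide): audit a dhcpd.conf for the server-side
# hardening statements recommended above.

# audit_dhcpd_conf FILE: print one finding per line; succeed only if there are none
audit_dhcpd_conf() {
    local findings
    findings="$(awk '
        BEGIN {
            # options the guide says should not be served without an operational need
            n = split("domain-name domain-name-servers nis-domain nis-servers ntp-servers routers time-offset", a, " ")
            for (i = 1; i <= n; i++) discouraged[a[i]] = 1
            depth = 0
        }
        # strip comments and surrounding whitespace before matching
        { line = $0; sub(/#.*/, "", line); gsub(/^[[:space:]]+|[[:space:]]+$/, "", line) }
        line == "" { next }
        # the three global statements count only at brace depth 0
        depth == 0 && line ~ /^deny[[:space:]]+declines[[:space:]]*;/ { declines = 1 }
        depth == 0 && line ~ /^deny[[:space:]]+bootp[[:space:]]*;/ { bootp = 1 }
        depth == 0 && line ~ /^ddns-update-style[[:space:]]+none[[:space:]]*;/ { ddns = 1 }
        line ~ /^option[[:space:]]+/ {
            split(line, f, " ")
            if (f[2] in discouraged)
                printf "line %d: option %s served (%s)\n", NR, f[2], (depth ? "inside an address block" : "global")
        }
        # update nesting depth after inspecting the line
        { o = gsub(/[{]/, "{", line); c = gsub(/[}]/, "}", line); depth += o - c }
        END {
            if (!declines) print "global option missing: deny declines;"
            if (!bootp)    print "global option missing: deny bootp;"
            if (!ddns)     print "global option missing: ddns-update-style none;"
        }
    ' "$1")"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# dhcpd_finding_count FILE: number of findings (0 means compliant)
dhcpd_finding_count() { audit_dhcpd_conf "$1" | awk 'END { print NR }'; }

# write_sample_dhcpd_conf FILE weak|hardened: constructed sample configurations
write_sample_dhcpd_conf() {
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
# constructed sample: a server that hands out site-wide data and accepts everything
ddns-update-style interim;
option domain-name "example.org";
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.2;
}
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: the hardened form recommended by the guide
ddns-update-style none;
deny declines;
deny bootp;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option subnet-mask 255.255.255.0;
}
EOF
    fi
}

# Run the audit over both constructed samples and show the findings
demo_dhcpd_audit() {
    local f variant
    f="$(mktemp)" || return 1
    for variant in weak hardened; do
        write_sample_dhcpd_conf "$f" "$variant"
        printf '== %s sample: %s finding(s)\n' "$variant" "$(dhcpd_finding_count "$f")"
        audit_dhcpd_conf "$f" || true
    done
    rm -f "$f"
}

demo_dhcpd_audit
```

Findings about served options are reported rather than treated as errors in themselves, since the guide allows them where there is an operational need; the three missing global statements are always findings. Run it against a copy of the live file (dhcpd -t -cf FILE validates the syntax separately).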
Disable DHCP Service

The dhcpd service should be disabled on
any system that does not need to act as a DHCP server.
The dhcpd service can be disabled with the following command:
$ sudo systemctl disable dhcpd.service
The dhcpd service can be masked with the following command:
$ sudo systemctl mask dhcpd.service
Identifiers and References: 2.2.5111439BAI10.01BAI10.02BAI10.03BAI10.05DSS05.02DSS05.05DSS06.06CCI-0003664.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 7.6A.12.1.2A.12.5.1A.12.6.2A.14.2.2A.14.2.3A.14.2.4A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.IP-1PR.PT-3
Rationale: Unmanaged or unintentionally activated DHCP servers may provide faulty information
to clients, interfering with the operation of a legitimate site
DHCP server if there is one.
Identifier: CCE-80330-4
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'dhcpd.service'
"$SYSTEMCTL_EXEC" disable 'dhcpd.service'
"$SYSTEMCTL_EXEC" mask 'dhcpd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^dhcpd.socket'; then
"$SYSTEMCTL_EXEC" stop 'dhcpd.socket'
"$SYSTEMCTL_EXEC" disable 'dhcpd.socket'
"$SYSTEMCTL_EXEC" mask 'dhcpd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'dhcpd.service' || true
Remediation Ansible snippet:
- name: Disable service dhcpd
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service dhcpd
      systemd:
        name: dhcpd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"dhcpd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_dhcpd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80330-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - dhcpd.socket
  command: systemctl list-unit-files dhcpd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_dhcpd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80330-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
- name: Disable socket dhcpd
  systemd:
    name: dhcpd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"dhcpd.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_dhcpd_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80330-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include disable_dhcpd
class disable_dhcpd {
service {'dhcpd':
enable => false,
ensure => 'stopped',
}
}
Configure DHCP Client if Necessary

If DHCP must be used, then certain configuration changes can
minimize the amount of information it receives and applies from the network,
and thus the amount of incorrect information a rogue DHCP server could
successfully distribute. For more information on configuring dhclient, see the
dhclient(8) and dhclient.conf(5) man pages.

Minimize the DHCP-Configured Options

Create the file /etc/dhcp/dhclient.conf, and add an
appropriate setting for each of the ten configuration settings which can be
obtained via DHCP. For each setting, do one of the following:
If the setting should not be configured remotely by the DHCP server,
select an appropriate static value, and add the line:
supersede setting value;
If the setting should be configured remotely by the DHCP server, add the lines:
request setting;
require setting;
For example, suppose the DHCP server should provide only the IP address itself
and the subnet mask. Then the entire file should look like:
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com ";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
In this example, the options nis-servers and
nis-domain are set to empty strings, on the assumption that the deprecated NIS
protocol is not in use. It is necessary to supersede settings for unused
services so that they cannot be set by a hostile DHCP server. If an option is
set to an empty string, dhclient will typically not attempt to configure the
service.
Rationale: By default, the DHCP client program, dhclient, requests and applies
ten configuration options (in addition to the IP address) from the DHCP server:
subnet-mask, broadcast-address, time-offset, routers, domain-name,
domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many
of the options requested and applied by dhclient may be the same for every
system on a network. It is recommended that almost all configuration options be
assigned statically, and only options which must vary on a host-by-host basis
be assigned via DHCP. This limits the damage which can be done by a rogue DHCP
server. If appropriate for your site, it is also possible to supersede the
host-name directive in /etc/dhcp/dhclient.conf, establishing a static
hostname for the system. However, dhclient does not use the host name option
provided by the DHCP server (instead using the value provided by a reverse DNS
lookup).

IMAP and POP3 Server

Dovecot provides IMAP and POP3 services. It is not
installed by default. The project page at
http://www.dovecot.org
contains more detailed information about Dovecot
configuration.

Configure Dovecot if Necessary

If the system will operate as an IMAP or
POP3 server, the dovecot software should be configured securely by following
the recommendations below.

Enable SSL Support

SSL should be used to encrypt network traffic between the
Dovecot server and its clients. Users must authenticate to the Dovecot
server in order to read their mail, and passwords should never be
transmitted in clear text. In addition, protecting mail as it is
downloaded is a privacy measure, and clients may use SSL certificates
to authenticate the server, preventing another system from impersonating
the server.

Configure Dovecot to Use the SSL Key file

This option tells Dovecot where to find the mail server's SSL key.
Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the
following line (note: the path below is the default path set by the
Dovecot installation. If you are using a different path, ensure you
reference the appropriate file):
ssl_key = </etc/pki/dovecot/private/dovecot.pem
Rationale: SSL certificates are used by the client to authenticate the identity of the
server, as well as to encrypt credentials and message traffic. Not using
SSL to encrypt mail server traffic could allow unauthorized access to
credentials and mail messages since they are sent in plain text over the
network.
Identifier: CCE-80298-3

Disable Plaintext Authentication

To prevent Dovecot from attempting plaintext authentication of clients,
edit /etc/dovecot/conf.d/10-auth.conf and add or correct the
following line:
disable_plaintext_auth = yes
Rationale: Using plain text authentication to the mail server could allow an attacker
access to credentials by monitoring network traffic.
Identifier: CCE-80299-1

Enable the SSL flag in /etc/dovecot.conf

To allow clients to make encrypted connections, the ssl
flag in Dovecot's configuration file needs to be set to yes.
Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line:
ssl = yes
Rationale: SSL encrypts network traffic between the Dovecot server and its clients,
protecting user credentials and mail as it is downloaded; clients may also use
SSL certificates to authenticate the server, preventing another system from
impersonating the server.
Identifier: CCE-80296-7

Configure Dovecot to Use the SSL Certificate file

This option tells Dovecot where to find the mail server's SSL
certificate.
Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the
following line (note: the path below is the default path set by the
Dovecot installation. If you are using a different path, ensure you
reference the appropriate file):
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
Rationale: SSL certificates are used by the client to authenticate the identity of the
server, as well as to encrypt credentials and message traffic. Not using
SSL to encrypt mail server traffic could allow unauthorized access to
credentials and mail messages since they are sent in plain text over the
network.
Identifier: CCE-80297-5

Allow IMAP Clients to Access the Server

The default firewalld configuration does not allow inbound
access to any services. This modification will allow remote hosts to
initiate connections to the IMAP daemon, while keeping all other ports
on the server in their default protected state.
To configure firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-port=143/tcp

Support Only the Necessary Protocols

Dovecot supports the IMAP and POP3 protocols, as well as
SSL-protected versions of those protocols. Configure the Dovecot server
to support only the protocols needed by your site. Edit /etc/dovecot/dovecot.conf.
Add or correct the following lines, replacing PROTOCOL with
only the subset of protocols (imap, imaps,
pop3, pop3s) required:
protocols = PROTOCOL
If possible, require SSL protection for all transactions. The SSL
protocol variants listen on alternate ports (995 instead of 110 for
pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients.
An alternate approach is to listen on the standard port and require the
client to use the STARTTLS command before authenticating.

Disable Dovecot

If the system does not need to operate as an IMAP or
POP3 server, the dovecot software should be disabled and removed.

Uninstall dovecot Package

The dovecot package can be removed with the following command:
$ sudo yum erase dovecot
Rationale: If there is no need to make the Dovecot software available,
removing it provides a safeguard against its activation.
Identifier: CCE-80295-9
Remediation Shell script:
# CAUTION: This remediation script will remove dovecot
# from the system, and may remove any packages
# that depend on dovecot. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "dovecot" ; then
yum remove -y "dovecot"
fi
Remediation Ansible snippet:
- name: Ensure dovecot is removed
  package:
    name: dovecot
    state: absent
  tags:
    - package_dovecot_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80295-9
include remove_dovecot
class remove_dovecot {
package { 'dovecot':
ensure => 'purged',
}
}
package --remove=dovecot
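The Configure Dovecot if Necessary rules above (ssl, ssl_key, ssl_cert, disable_plaintext_auth) are each one line in a different file under /etc/dovecot, so checking them means resolving which definition Dovecot will actually use. The audit below is an added example, not code from the guide or the Dovecot project. It assumes the stock layout in which dovecot.conf includes conf.d/*.conf and, as in Dovecot, the last definition of a setting wins; settings nested inside { } blocks are not distinguished from top-level ones, which is sufficient for these four keys. The function names (dovecot_setting, audit_dovecot, dovecot_finding_count, write_sample_dovecot_conf, demo_dovecot_audit) and the sample trees written to a temporary directory are constructed for this example.

```bash
#!/bin/bash
# Added example (not from the guide or Dovecot): audit a Dovecot configuration
# tree for the SSL and plaintext-authentication settings recommended above.

# dovecot_setting CONFDIR KEY: print the effective value of KEY, or nothing if unset.
# Files are read in Dovecot's include order (dovecot.conf, then conf.d/*.conf);
# a later definition overrides an earlier one.
dovecot_setting() {
    cat "$1/dovecot.conf" "$1"/conf.d/*.conf 2>/dev/null |
    awk -v k="$2" '
        { line = $0; sub(/#.*/, "", line) }                      # strip comments
        match(line, /^[[:space:]]*[A-Za-z0-9_]+[[:space:]]*=/) {
            name = substr(line, RSTART, RLENGTH)
            gsub(/[[:space:]=]/, "", name)
            if (name == k) {
                val = substr(line, RSTART + RLENGTH)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)   # last one wins
            }
        }
        END { print val }'
}

# audit_dovecot CONFDIR: print one finding per line; succeed only if there are none
audit_dovecot() {
    local dir="$1" v key n=0
    v="$(dovecot_setting "$dir" ssl)"
    case "$v" in
        yes|required) ;;
        *) echo "ssl = ${v:-(unset)}: expected yes"; n=$((n + 1)) ;;
    esac
    for key in ssl_cert ssl_key; do
        v="$(dovecot_setting "$dir" "$key")"
        case "$v" in
            "<"*) ;;   # a leading "<" tells Dovecot to read the value from that file
            *) echo "$key = ${v:-(unset)}: expected a <file reference"; n=$((n + 1)) ;;
        esac
    done
    v="$(dovecot_setting "$dir" disable_plaintext_auth)"
    [ "$v" = yes ] || { echo "disable_plaintext_auth = ${v:-(unset)}: expected yes"; n=$((n + 1)); }
    return "$n"
}

# dovecot_finding_count CONFDIR: number of findings (0 means compliant)
dovecot_finding_count() { audit_dovecot "$1" | awk 'END { print NR }'; }

# write_sample_dovecot_conf DIR weak|hardened: constructed sample trees
write_sample_dovecot_conf() {
    mkdir -p "$1/conf.d"
    printf '%s\n' 'protocols = imap pop3' '!include conf.d/*.conf' > "$1/dovecot.conf"
    if [ "$2" = weak ]; then
        printf '%s\n' 'disable_plaintext_auth = no' > "$1/conf.d/10-auth.conf"
        printf '%s\n' 'ssl = no' \
            'ssl_cert = </etc/pki/dovecot/certs/dovecot.pem' \
            '#ssl_key = </etc/pki/dovecot/private/dovecot.pem' > "$1/conf.d/10-ssl.conf"
    else
        printf '%s\n' 'disable_plaintext_auth = yes' > "$1/conf.d/10-auth.conf"
        printf '%s\n' 'ssl = yes' \
            'ssl_cert = </etc/pki/dovecot/certs/dovecot.pem' \
            'ssl_key = </etc/pki/dovecot/private/dovecot.pem' > "$1/conf.d/10-ssl.conf"
    fi
}

# Run the audit over both constructed sample trees and show the findings
demo_dovecot_audit() {
    local d variant
    d="$(mktemp -d)" || return 1
    for variant in weak hardened; do
        write_sample_dovecot_conf "$d" "$variant"
        printf '== %s sample: %s finding(s)\n' "$variant" "$(dovecot_finding_count "$d")"
        audit_dovecot "$d" || true
    done
    rm -rf "$d"
}

demo_dovecot_audit
```

On a live server, doveconf -n prints the merged effective configuration and is the authoritative check; the parser here is for reviewing copied configuration offline. Note that disable_plaintext_auth = yes only rejects plaintext mechanisms on connections that are not TLS-protected, so it complements ssl = yes rather than replacing it.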
Disable Dovecot Service

The dovecot service can be disabled with the following command:
$ sudo systemctl disable dovecot.service
The dovecot service can be masked with the following command:
$ sudo systemctl mask dovecot.service
Identifiers and References: 2.2.11
Rationale: Running an IMAP or POP3 server provides a network-based
avenue of attack, and should be disabled if not needed.
Identifier: CCE-80294-2
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'dovecot.service'
"$SYSTEMCTL_EXEC" disable 'dovecot.service'
"$SYSTEMCTL_EXEC" mask 'dovecot.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^dovecot.socket'; then
"$SYSTEMCTL_EXEC" stop 'dovecot.socket'
"$SYSTEMCTL_EXEC" disable 'dovecot.socket'
"$SYSTEMCTL_EXEC" mask 'dovecot.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'dovecot.service' || true
Remediation Ansible snippet:
- name: Disable service dovecot
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service dovecot
      systemd:
        name: dovecot.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"dovecot.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_dovecot_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80294-2
- name: Unit Socket Exists - dovecot.socket
  command: systemctl list-unit-files dovecot.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_dovecot_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80294-2
- name: Disable socket dovecot
  systemd:
    name: dovecot.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"dovecot.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_dovecot_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80294-2
include disable_dovecot
class disable_dovecot {
service {'dovecot':
enable => false,
ensure => 'stopped',
}
}
Deprecated services

Some deprecated software services impact the overall system security due to their behavior (leak of
confidentiality in network exchange, usage as an uncontrolled communication channel, risk associated with the service due to its old age, etc.).

Uninstall the nis package

The support for Yellowpages should not be installed unless it is required.
Rationale: NIS is the historical SUN service for central account management, more and more replaced by LDAP.
NIS does not efficiently support security constraints, ACLs, etc., and should not be used.
Remediation Shell script:
# CAUTION: This remediation script will remove nis
# from the system, and may remove any packages
# that depend on nis. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "nis" ; then
yum remove -y "nis"
fi
Remediation Ansible snippet:
- name: Ensure nis is removed
  package:
    name: nis
    state: absent
  tags:
    - package_nis_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
include remove_nis
class remove_nis {
package { 'nis':
ensure => 'purged',
}
}
package --remove=nis
Uninstall the telnet server

The telnet daemon should be uninstalled.
Identifiers and References: NT28(R1)11121415389APO13.01BAI10.01BAI10.02BAI10.03BAI10.05DSS01.04DSS05.02DSS05.03DSS05.05DSS06.064.3.3.5.14.3.3.5.24.3.3.5.34.3.3.5.44.3.3.5.54.3.3.5.64.3.3.5.74.3.3.5.84.3.3.6.14.3.3.6.24.3.3.6.34.3.3.6.44.3.3.6.54.3.3.6.64.3.3.6.74.3.3.6.84.3.3.6.94.3.3.7.14.3.3.7.24.3.3.7.34.3.3.7.44.3.4.3.24.3.4.3.3SR 1.1SR 1.10SR 1.11SR 1.12SR 1.13SR 1.2SR 1.3SR 1.4SR 1.5SR 1.6SR 1.7SR 1.8SR 1.9SR 2.1SR 2.2SR 2.3SR 2.4SR 2.5SR 2.6SR 2.7SR 3.1SR 3.5SR 3.8SR 4.1SR 4.3SR 5.1SR 5.2SR 5.3SR 7.1SR 7.6A.11.2.6A.12.1.2A.12.5.1A.12.6.2A.13.1.1A.13.2.1A.14.1.3A.14.2.2A.14.2.3A.14.2.4A.6.2.1A.6.2.2A.9.1.2CM-7(a)CM-7(b)CM-6(a)PR.AC-3PR.IP-1PR.PT-3PR.PT-4
Rationale: telnet allows clear text communications, and does not protect
any data transmission between client and server. Any confidential data
can be listened to, and no integrity checking is performed.
Identifier: CCE-82461-5
Remediation Shell script:
# CAUTION: This remediation script will remove telnetd
# from the system, and may remove any packages
# that depend on telnetd. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "telnetd" ; then
yum remove -y "telnetd"
fi
Remediation Ansible snippet:
- name: Ensure telnetd is removed
  package:
    name: telnetd
    state: absent
  tags:
    - package_telnetd_removed
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82461-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
include remove_telnetd
class remove_telnetd {
package { 'telnetd':
ensure => 'purged',
}
}
package --remove=telnetd
Uninstall the ntpdate package

ntpdate is a historical NTP synchronization client for Unix systems. It should be uninstalled.
Rationale: ntpdate is an old NTP client that is not security-compliant. It should be replaced by a modern NTP client such as ntpd, which is able to use the cryptographic mechanisms integrated in NTP.
Remediation Shell script:
# CAUTION: This remediation script will remove ntpdate
# from the system, and may remove any packages
# that depend on ntpdate. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "ntpdate" ; then
yum remove -y "ntpdate"
fi
Remediation Ansible snippet:
- name: Ensure ntpdate is removed
  package:
    name: ntpdate
    state: absent
  tags:
    - package_ntpdate_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
include remove_ntpdate
class remove_ntpdate {
package { 'ntpdate':
ensure => 'purged',
}
}
package --remove=ntpdate
Uninstall the ssl compliant telnet server

The telnet daemon, even with SSL support, should be uninstalled.

Rationale: telnet, even with SSL support, should not be installed. When a remote shell is required, an up-to-date SSH daemon can be used instead.

References: ANSSI NT007(R02); CIS CSC 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Remediation Shell script:
# CAUTION: This remediation script will remove telnetd-ssl
# from the system, and may remove any packages
# that depend on telnetd-ssl. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "telnetd-ssl" ; then
yum remove -y "telnetd-ssl"
fi
Remediation Ansible snippet:
- name: Ensure telnetd-ssl is removed
  package:
    name: telnetd-ssl
    state: absent
  tags:
  - package_telnetd-ssl_removed
  - high_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include remove_telnetd-ssl
class remove_telnetd-ssl {
  package { 'telnetd-ssl':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=telnetd-ssl
Uninstall the inet-based telnet server

The inet-based telnet daemon should be uninstalled.

Rationale: telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be eavesdropped, and no integrity checking is performed.

References: ANSSI NT007(R03); CIS CSC 11, 12, 14, 15, 3, 8, 9; COBIT 5 APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06; ISA-62443-2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Remediation Shell script:
# CAUTION: This remediation script will remove inetutils-telnetd
# from the system, and may remove any packages
# that depend on inetutils-telnetd. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "inetutils-telnetd" ; then
yum remove -y "inetutils-telnetd"
fi
Remediation Ansible snippet:
- name: Ensure inetutils-telnetd is removed
  package:
    name: inetutils-telnetd
    state: absent
  tags:
  - package_inetutils-telnetd_removed
  - high_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)

Remediation Puppet snippet:
include remove_inetutils-telnetd
class remove_inetutils-telnetd {
  package { 'inetutils-telnetd':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=inetutils-telnetd
NFS and RPC

The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NFS and its dependencies, and then details steps which should be taken to secure NFS's configuration. This section is relevant to systems operating as NFS clients, as well as to those operating as NFS servers.

Uninstall nfs-utils Package

The nfs-utils package can be removed with the following command:
$ sudo yum erase nfs-utils

Rationale: nfs-utils provides a daemon for the kernel NFS server and related tools. This package also contains the showmount program. showmount queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, showmount can display the clients which are mounted on that host.

Identifiers: CCE-82933-3

References: SRG-OS-000095-GPOS-00049

Remediation Shell script:
# CAUTION: This remediation script will remove nfs-utils
# from the system, and may remove any packages
# that depend on nfs-utils. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "nfs-utils" ; then
yum remove -y "nfs-utils"
fi
Remediation Ansible snippet:
- name: Ensure nfs-utils is removed
  package:
    name: nfs-utils
    state: absent
  tags:
  - package_nfs-utils_removed
  - low_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-82933-3

Remediation Puppet snippet:
include remove_nfs-utils
class remove_nfs-utils {
  package { 'nfs-utils':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=nfs-utils
Configure NFS Servers

The steps in this section are appropriate for systems which operate as NFS servers.

Use Root-Squashing on All Exports

If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, and should not be disabled.
Ensure that no line in /etc/exports contains the option no_root_squash.

Rationale: If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system.

Identifiers: CCE-80241-3

Restrict NFS Clients to Privileged Ports

By default, the server NFS implementation requires that all client requests be made from ports less than 1024. If your organization has control over systems connected to its network, and if NFS requests are prohibited at the border firewall, this offers some protection against malicious requests from unprivileged users. Therefore, the default should not be changed.
To ensure that the default has not been changed, ensure no line in /etc/exports contains the option insecure.

Rationale: Allowing client requests to be made from ports higher than 1024 could allow an unprivileged user to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker could gain access to data on the NFS server.

Identifiers: CCE-80242-1

References: CIS CSC 11, 12, 14, 15, 16, 18, 3, 5; COBIT 5 DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06; ISA-62443-2009 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7; ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a); NIST CSF PR.AC-4, PR.AC-6, PR.PT-3

Ensure All-Squashing Disabled On All Exports

The all_squash option maps all uids and gids to an anonymous user. This should be disabled by removing any instances of the all_squash option from the file /etc/exports.

Rationale: The all_squash option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.

Ensure Insecure File Locking is Not Allowed

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests; however, there are a few clients that do not send credentials when requesting a file lock, which leaves those clients able to lock only world-readable files. To work around this, the insecure_locks option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports.

Rationale: Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.

Identifiers: CCE-80243-9

References: CCI-000764

Use Kerberos Security on All Exports

Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptographically authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports.

Rationale: When an NFS server is configured to use AUTH_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Identifiers: CCE-27464-7

References: CIS CSC 1, 12, 14, 15, 16, 18, 3, 5; COBIT 5 DSS05.04, DSS05.10, DSS06.10; CCI-000366; HIPAA 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii); ISA-62443-2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001:2013 A.18.1.4, A.6.1.2, A.9.1.2, A.9.2.1, A.9.2.3, A.9.2.4, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), IA-2, IA-2(8), IA-2(9), AC-17(a); NIST CSF PR.AC-4, PR.AC-7; SRG-OS-000480-GPOS-00227

Export Filesystems Read-Only if Possible

If a filesystem is being exported so that users can view the files in a convenient fashion, but there is no need for users to edit those files, exporting the filesystem read-only removes an attack vector against the server. The default filesystem export mode is ro, so do not specify rw without a good reason.

Configure the Exports File Restrictively

Linux's NFS implementation uses the file /etc/exports to control what filesystems and directories may be accessed via NFS. (See the exports(5) manpage for more information about the format of this file.)
The syntax of the exports file is not necessarily checked fully on reload, and syntax errors can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying the file.
The syntax of each line in /etc/exports is:
/DIR host1(opt1,opt2) host2(opt3)
where /DIR is a directory or filesystem to export, hostN is an IP address, netblock, hostname, domain, or netgroup to which to export, and optN is an option.

Use Access Lists to Enforce Authorization Restrictions

When configuring NFS exports, ensure that each export line in /etc/exports contains a list of hosts which are allowed to access that export. If no hosts are specified on an export line, then that export is available to any remote host which requests it. All lines of the exports file should specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that unknown or remote hosts will be denied.
Authorized hosts can be specified in several different formats:
- Name or alias that is recognized by the resolver
- Fully qualified domain name
- IP address
- IP subnets in the format address/netmask or address/CIDR

Disable All NFS Services if Possible

If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.
The steps in this section will prevent a system from operating as either an NFS client or an NFS server. Only perform these steps on systems which do not need NFS at all.

Disable Services Used Only by NFS

If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. All of these daemons run with elevated privileges, and many listen for network connections. If they are not needed, they should be disabled to improve the system's security posture.

Disable Network File System Lock Service (nfslock)

The Network File System Lock (nfslock) service starts the required remote procedure call (RPC) processes which allow clients to lock files on the server. If the local system is not configured to mount NFS filesystems then this service should be disabled.
The nfslock service can be disabled with the following command:
$ sudo systemctl disable nfslock.service
The nfslock service can be masked with the following command:
$ sudo systemctl mask nfslock.service

Identifiers: CCE-80228-0

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'nfslock.service'
"$SYSTEMCTL_EXEC" disable 'nfslock.service'
"$SYSTEMCTL_EXEC" mask 'nfslock.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^nfslock.socket'; then
"$SYSTEMCTL_EXEC" stop 'nfslock.socket'
"$SYSTEMCTL_EXEC" disable 'nfslock.socket'
"$SYSTEMCTL_EXEC" mask 'nfslock.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' || true
Remediation Ansible snippet:
- name: Disable service nfslock
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service nfslock
    systemd:
      name: nfslock.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"nfslock.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_nfslock_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80228-0
- name: Unit Socket Exists - nfslock.socket
  command: systemctl list-unit-files nfslock.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_nfslock_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80228-0
- name: Disable socket nfslock
  systemd:
    name: nfslock.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"nfslock.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_nfslock_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80228-0

Remediation Puppet snippet:
include disable_nfslock
class disable_nfslock {
  service {'nfslock':
    enable => false,
    ensure => 'stopped',
  }
}
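An audit of /etc/exports against the export rules in the Configure NFS Servers section above (root squashing, privileged ports, all_squash, insecure_locks, Kerberos sec=, read-only exports, and explicit host access lists), as an added example that is not part of the scap-security-guide content. The sample exports file embedded below is constructed.

```python
"""Audit exports(5) content against the NFS server export rules above.

Added example, not part of the scap-security-guide content. Reports the
findings those rules describe: no_root_squash, insecure, all_squash,
insecure_locks, a missing or non-Kerberos sec= option, rw, and exports
without an explicit host access list (or with a bare '*' wildcard).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "lineno directory host problem")

# Options the rules above say must not appear on any export.
FORBIDDEN = {
    "no_root_squash": "root on the client keeps root on the server (root squashing disabled)",
    "insecure": "requests accepted from unprivileged client ports (above 1024)",
    "all_squash": "all uids/gids mapped to one anonymous user; access not traceable",
    "insecure_locks": "file locks granted without client credentials",
}
KERBEROS_FLAVOURS = {"krb5", "krb5i", "krb5p"}
OPEN_EXPORT = "no host access list: export is available to any client"

# One client spec: an optional host followed by an optional (opt1,opt2) list.
CLIENT_RE = re.compile(r"^([^(\s]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (lineno, directory, [(host, options)]) per export line.

    options is None when the client spec could not be parsed.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # exports(5): '#' starts a comment
        if not line:
            continue
        fields = line.split()
        clients = []
        for spec in fields[1:]:
            m = CLIENT_RE.match(spec)
            if not m:
                clients.append((spec, None))
                continue
            opts = m.group(2)
            options = [o.strip() for o in opts.split(",") if o.strip()] if opts else []
            clients.append((m.group(1), options))
        yield lineno, fields[0], clients


def audit_client(lineno, directory, host, options):
    """Findings for one host(options) entry of an export line."""
    if options is None:
        return [Finding(lineno, directory, host, "unparsable client specification")]
    findings = []
    if host in ("", "*"):
        findings.append(Finding(lineno, directory, host or "(none)", OPEN_EXPORT))
    for opt in options:
        if opt in FORBIDDEN:
            findings.append(Finding(lineno, directory, host, "%s: %s" % (opt, FORBIDDEN[opt])))
    sec = [o for o in options if o.startswith("sec=")]
    if not sec:
        findings.append(Finding(lineno, directory, host,
                                "no sec= option: AUTH_SYS uid/gid trust; add sec=krb5:krb5i:krb5p"))
    else:
        # exportfs uses the last sec= given; every listed flavour must be Kerberos
        flavours = set(sec[-1][len("sec="):].split(":"))
        bad = sorted(flavours - KERBEROS_FLAVOURS)
        if bad:
            findings.append(Finding(lineno, directory, host,
                                    "sec= allows non-Kerberos flavour(s): %s" % ",".join(bad)))
    if "rw" in options:
        findings.append(Finding(lineno, directory, host, "rw: writable export; prefer the default ro"))
    return findings


def audit_exports(text):
    """Return all Finding records for the given exports(5) content."""
    findings = []
    for lineno, directory, clients in parse_exports(text):
        if not clients:  # a bare directory is exported to every host
            findings.append(Finding(lineno, directory, "(none)", OPEN_EXPORT))
        for host, options in clients:
            findings.extend(audit_client(lineno, directory, host, options))
    return findings


# Constructed sample; not a real server's exports file.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/pub    *(ro,sync,sec=krb5:krb5i:krb5p)
/srv/data   10.0.0.0/24(rw,no_root_squash,sec=sys)
/srv/ro     client.example.com(sec=krb5p) 10.0.1.0/24(insecure,all_squash)
/srv/open
"""

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print("line %d %s %s: %s" % (f.lineno, f.directory, f.host, f.problem))
```

Run it against a copy of the real file with `audit_exports(open("/etc/exports").read())`; an empty result means every line passes all the checks above.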
Disable RPC ID Mapping Service (rpcidmapd)

The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled.
The rpcidmapd service can be disabled with the following command:
$ sudo systemctl disable rpcidmapd.service
The rpcidmapd service can be masked with the following command:
$ sudo systemctl mask rpcidmapd.service

Identifiers: CCE-80231-4

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service'
"$SYSTEMCTL_EXEC" disable 'rpcidmapd.service'
"$SYSTEMCTL_EXEC" mask 'rpcidmapd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcidmapd.socket'; then
"$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket'
"$SYSTEMCTL_EXEC" disable 'rpcidmapd.socket'
"$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' || true
Remediation Ansible snippet:
- name: Disable service rpcidmapd
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service rpcidmapd
    systemd:
      name: rpcidmapd.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"rpcidmapd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcidmapd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80231-4
- name: Unit Socket Exists - rpcidmapd.socket
  command: systemctl list-unit-files rpcidmapd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcidmapd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80231-4
- name: Disable socket rpcidmapd
  systemd:
    name: rpcidmapd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"rpcidmapd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcidmapd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80231-4

Remediation Puppet snippet:
include disable_rpcidmapd
class disable_rpcidmapd {
  service {'rpcidmapd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Secure RPC Client Service (rpcgssd)

The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled.
The rpcgssd service can be disabled with the following command:
$ sudo systemctl disable rpcgssd.service
The rpcgssd service can be masked with the following command:
$ sudo systemctl mask rpcgssd.service

Identifiers: CCE-80229-8

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcgssd.service'
"$SYSTEMCTL_EXEC" disable 'rpcgssd.service'
"$SYSTEMCTL_EXEC" mask 'rpcgssd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcgssd.socket'; then
"$SYSTEMCTL_EXEC" stop 'rpcgssd.socket'
"$SYSTEMCTL_EXEC" disable 'rpcgssd.socket'
"$SYSTEMCTL_EXEC" mask 'rpcgssd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcgssd.service' || true
Remediation Ansible snippet:
- name: Disable service rpcgssd
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service rpcgssd
    systemd:
      name: rpcgssd.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"rpcgssd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcgssd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80229-8
- name: Unit Socket Exists - rpcgssd.socket
  command: systemctl list-unit-files rpcgssd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcgssd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80229-8
- name: Disable socket rpcgssd
  systemd:
    name: rpcgssd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"rpcgssd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcgssd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80229-8

Remediation Puppet snippet:
include disable_rpcgssd
class disable_rpcgssd {
  service {'rpcgssd':
    enable => false,
    ensure => 'stopped',
  }
}
Disable rpcbind Service

The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled.
The rpcbind service can be disabled with the following command:
$ sudo systemctl disable rpcbind.service
The rpcbind service can be masked with the following command:
$ sudo systemctl mask rpcbind.service

Identifiers: CCE-80230-6

References: 2.2.7

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcbind.service'
"$SYSTEMCTL_EXEC" disable 'rpcbind.service'
"$SYSTEMCTL_EXEC" mask 'rpcbind.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcbind.socket'; then
"$SYSTEMCTL_EXEC" stop 'rpcbind.socket'
"$SYSTEMCTL_EXEC" disable 'rpcbind.socket'
"$SYSTEMCTL_EXEC" mask 'rpcbind.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service' || true
Remediation Ansible snippet:
- name: Disable service rpcbind
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service rpcbind
    systemd:
      name: rpcbind.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"rpcbind.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcbind_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80230-6
- name: Unit Socket Exists - rpcbind.socket
  command: systemctl list-unit-files rpcbind.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcbind_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80230-6
- name: Disable socket rpcbind
  systemd:
    name: rpcbind.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"rpcbind.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcbind_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80230-6

Remediation Puppet snippet:
include disable_rpcbind
class disable_rpcbind {
  service {'rpcbind':
    enable => false,
    ensure => 'stopped',
  }
}
Disable netfs if Possible

To determine if any network filesystems handled by netfs are currently mounted on the system, execute the following command:
$ mount -t nfs,nfs4,smbfs,cifs,ncpfs
If the command did not return any output then disable netfs.

Disable Network File Systems (netfs)

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself.
The netfs service can be disabled with the following command:
$ sudo systemctl disable netfs.service
The netfs service can be masked with the following command:
$ sudo systemctl mask netfs.service

Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'netfs.service'
"$SYSTEMCTL_EXEC" disable 'netfs.service'
"$SYSTEMCTL_EXEC" mask 'netfs.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^netfs.socket'; then
"$SYSTEMCTL_EXEC" stop 'netfs.socket'
"$SYSTEMCTL_EXEC" disable 'netfs.socket'
"$SYSTEMCTL_EXEC" mask 'netfs.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'netfs.service' || true
Remediation Ansible snippet:
- name: Disable service netfs
  block:
  - name: Gather the service facts
    service_facts: null
  - name: Disable service netfs
    systemd:
      name: netfs.service
      enabled: 'no'
      state: stopped
      masked: 'yes'
    when: '"netfs.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_netfs_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
- name: Unit Socket Exists - netfs.socket
  command: systemctl list-unit-files netfs.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_netfs_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
- name: Disable socket netfs
  systemd:
    name: netfs.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"netfs.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_netfs_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed

Remediation Puppet snippet:
include disable_netfs
class disable_netfs {
  service {'netfs':
    enable => false,
    ensure => 'stopped',
  }
}
Configure All Systems which Use NFS

The steps in this section are appropriate for all systems which run NFS, whether they operate as clients or as servers.

Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)

Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never be accessible from outside the organization. However, by default for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port dynamically at service startup time. Dynamic ports cannot be protected by port filtering firewalls such as firewalld.
Therefore, restrict each service to always use a given port, so that firewalling can be done effectively. Note that, because of the way RPC is implemented, it is not possible to disable the RPC Bind service even if ports are assigned statically to all RPC services.
In NFSv4, the mounting and locking protocols have been incorporated into the protocol, and the server listens on the well-known TCP port 2049. As such, NFSv4 does not need to interact with the rpcbind, lockd, and rpc.statd daemons, which can and should be disabled in a pure NFSv4 environment. The rpc.mountd daemon is still required on the NFS server to set up exports, but is not involved in any over-the-wire operations.

Configure lockd to use static TCP port

Configure the lockd daemon to use a static TCP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
LOCKD_TCPPORT=lockd-port
where lockd-port is a port which is not used by any other service on your network.

Rationale: Restricting the service to always use a given port enables firewalling to be done effectively.

Identifiers: CCE-80232-2

Configure lockd to use static UDP port

Configure the lockd daemon to use a static UDP port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
LOCKD_UDPPORT=lockd-port
where lockd-port is a port which is not used by any other service on your network.

Rationale: Restricting services to always use a given port enables firewalling to be done more effectively.

Identifiers: CCE-80233-0

Configure statd to use static port

Configure the statd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
STATD_PORT=statd-port
where statd-port is a port which is not used by any other service on your network.

Rationale: Restricting services to always use a given port enables firewalling to be done more effectively.

Identifiers: CCE-80234-8

Configure mountd to use static port

Configure the mountd daemon to use a static port as opposed to letting the RPC Bind service dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
MOUNTD_PORT=mountd-port
where mountd-port is a port which is not used by any other service on your network.

Rationale: Restricting services to always use a given port enables firewalling to be done more effectively.

Identifiers: CCE-80235-5

Make Each System a Client or a Server, not Both

If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary security exposure. Due to the reliability and security problems caused by NFS (especially NFSv3 and NFSv2), it is not a good idea for systems which act as NFS servers to also mount filesystems via NFS. At the least, crossed mounts (the situation in which each of two servers mounts a filesystem from the other) should never be used.

Configure NFS Clients

The steps in this section are appropriate for systems which operate as NFS clients.

Mount Remote Filesystems with Restrictive Options

Edit the file /etc/fstab. For each filesystem whose type (column 3) is nfs or nfs4, add the text ,nodev,nosuid to the list of mount options in column 4. If appropriate, also add ,noexec.
See the section titled "Restrict Partition Mount Options" for a description of the effects of these options. In general, execution of files mounted via NFS should be considered risky because of the possibility that an adversary could intercept the request and substitute a malicious file. Allowing setuid files to be executed from remote servers is particularly risky, both for this reason and because it requires the clients to extend root-level trust to the NFS server.

Mount Remote Filesystems with Kerberos Security

Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale: When an NFS server is configured to use AUTH_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

Identifiers: CCE-27458-9

References: CIS CSC 1, 12, 14, 15, 16, 18, 3, 5; COBIT 5 DSS05.04, DSS05.10, DSS06.10; CCI-000366; ISA-62443-2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.3; ISA-62443-2013 SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1; ISO/IEC 27001:2013 A.18.1.4, A.6.1.2, A.9.1.2, A.9.2.1, A.9.2.3, A.9.2.4, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5; NIST SP 800-53 CM-7(a), CM-7(b), CM-6(a), IA-2, IA-2(8), IA-2(9), AC-17(a); NIST CSF PR.AC-4, PR.AC-7; SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-040750, SV-86935r4_rule

Remediation Shell script:
# include_mount_options_functions is a scap-security-guide build-time placeholder
# that is expanded into the shared mount-option helper functions; it is not
# expanded in this rendering and is not a shell command on its own.
include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "sec=krb5:krb5i:krb5p" "" "nfs4"
Remediation Ansible snippet:
- name: Get nfs and nfs4 mount points, that don't have sec=krb5:krb5i:krb5p
  command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n
  register: points_register
  check_mode: false
  changed_when: false
  failed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_krb_sec_remote_filesystems
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-27458-9
  - DISA-STIG-RHEL-07-040750
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2
  - NIST-800-53-IA-2(8)
  - NIST-800-53-IA-2(9)
  - NIST-800-53-AC-17(a)
- name: Add sec=krb5:krb5i:krb5p to nfs and nfs4 mount points
  mount:
    path: '{{ item.split()[0] }}'
    src: '{{ item.split()[1] }}'
    fstype: '{{ item.split()[2] }}'
    state: mounted
    opts: '{{ item.split()[3] }},sec=krb5:krb5i:krb5p'
  when:
  - (points_register.stdout | length > 0)
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  with_items: '{{ points_register.stdout_lines }}'
  tags:
  - mount_option_krb_sec_remote_filesystems
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-27458-9
  - DISA-STIG-RHEL-07-040750
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2
  - NIST-800-53-IA-2(8)
  - NIST-800-53-IA-2(9)
  - NIST-800-53-AC-17(a)
Mount Remote Filesystems with noexec

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale: The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Identifiers: CCE-80436-9

References: CIS CSC 12, 13, 14, 15, 16, 18, 3, 5; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; CCI-000366; ISA-62443-2009 4.3.3.7.3; ISA-62443-2013 SR 2.1, SR 5.2; ISO/IEC 27001:2013 A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 AC-6, AC-6(8), AC-6(10), CM-6(a); NIST CSF PR.AC-4, PR.DS-5; SRG-OS-000480-GPOS-00227; DISA STIG RHEL-07-021021, SV-87813r2_rule

Remediation Shell script:
include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "noexec" "" "nfs4"
- name: Get nfs and nfs4 mount points, that don't have noexec
  command: findmnt --fstab --types nfs,nfs4 -O nonoexec -n
  register: points_register
  check_mode: false
  changed_when: false
  failed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_noexec_remote_filesystems
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80436-9
  - DISA-STIG-RHEL-07-021021
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(8)
  - NIST-800-53-AC-6(10)
  - NIST-800-53-CM-6(a)
- name: Add noexec to nfs and nfs4 mount points
  mount:
    path: '{{ item.split()[0] }}'
    src: '{{ item.split()[1] }}'
    fstype: '{{ item.split()[2] }}'
    state: mounted
    opts: '{{ item.split()[3] }},noexec'
  when:
  - (points_register.stdout | length > 0)
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  with_items: '{{ points_register.stdout_lines }}'
  tags:
  - mount_option_noexec_remote_filesystems
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80436-9
  - DISA-STIG-RHEL-07-021021
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(8)
  - NIST-800-53-AC-6(10)
  - NIST-800-53-CM-6(a)
Mount Remote Filesystems with nosuid
Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts.
References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(1), CM6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-07-021020, SV-86669r2_rule
Rationale: NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem.
Identifiers: CCE-80240-5
# include_mount_options_functions is a placeholder that the SCAP Security Guide build
# replaces with its shared shell helpers, which define ensure_mount_option_for_vfstype.
include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "nosuid" "" "nfs4"
- name: Get nfs and nfs4 mount points, that don't have nosuid
  command: findmnt --fstab --types nfs,nfs4 -O nonosuid -n
  register: points_register
  check_mode: false
  changed_when: false
  failed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_nosuid_remote_filesystems
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80240-5
  - DISA-STIG-RHEL-07-021020
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM6(a)
- name: Add nosuid to nfs and nfs4 mount points
  mount:
    path: '{{ item.split()[0] }}'
    src: '{{ item.split()[1] }}'
    fstype: '{{ item.split()[2] }}'
    state: mounted
    opts: '{{ item.split()[3] }},nosuid'
  when:
  - (points_register.stdout | length > 0)
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  with_items: '{{ points_register.stdout_lines }}'
  tags:
  - mount_option_nosuid_remote_filesystems
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80240-5
  - DISA-STIG-RHEL-07-021020
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM6(a)
Mount Remote Filesystems with nodev
Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts.
References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-6(a), MP-2, PR.IP-1, PR.PT-2, PR.PT-3
Rationale: Legitimate device files should only exist in the /dev directory. NFS mounts
should not present device files to users.
Identifiers: CCE-80239-7
# include_mount_options_functions is a placeholder that the SCAP Security Guide build
# replaces with its shared shell helpers, which define ensure_mount_option_for_vfstype.
include_mount_options_functions
ensure_mount_option_for_vfstype "nfs[4]?" "nodev" "" "nfs4"
- name: Get nfs and nfs4 mount points, that don't have nodev
  command: findmnt --fstab --types nfs,nfs4 -O nonodev -n
  register: points_register
  check_mode: false
  changed_when: false
  failed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - mount_option_nodev_remote_filesystems
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80239-7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-MP-2
- name: Add nodev to nfs and nfs4 mount points
  mount:
    path: '{{ item.split()[0] }}'
    src: '{{ item.split()[1] }}'
    fstype: '{{ item.split()[2] }}'
    state: mounted
    opts: '{{ item.split()[3] }},nodev'
  when:
  - (points_register.stdout | length > 0)
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  with_items: '{{ points_register.stdout_lines }}'
  tags:
  - mount_option_nodev_remote_filesystems
  - medium_severity
  - configure_strategy
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - CCE-80239-7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-MP-2
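The four mount-option rules above (sec=krb5:krb5i:krb5p, noexec, nosuid and nodev) each query /etc/fstab separately with findmnt. The following is an added example, not part of the SCAP Security Guide, that audits an fstab-format stream for all four requirements in one pass using POSIX awk, so it also works on a copied fstab reviewed offline. It treats a sec= option as compliant only when every listed flavour is krb5, krb5i or krb5p, so a mixed list such as sec=sys:krb5 is reported. The function name, the option list and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit the NFS entries of an
# fstab-format stream for the mount options the four rules above require.
# Typical use:  nfs_fstab_findings < /etc/fstab
# Assumption (mine): one entry per line, whitespace-separated fields, '#' comments.

# Options that must appear verbatim in the fourth fstab field.
REQUIRED_OPTS="nodev nosuid noexec"

# Reads fstab lines on stdin; prints "<mountpoint> <missing,...>" for every
# nfs/nfs4 entry that lacks a required option, and nothing when all comply.
# sec= counts as present only when each listed flavour is krb5, krb5i or krb5p.
nfs_fstab_findings() {
    awk -v required="$REQUIRED_OPTS" '
        BEGIN { n = split(required, req, " ") }
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        $3 !~ /^nfs4?$/ { next }            # only nfs and nfs4 entries
        {
            split("", have)                 # clear the per-entry option set
            krb = 0
            m = split($4, opts, ",")
            for (i = 1; i <= m; i++) {
                have[opts[i]] = 1
                if (opts[i] ~ /^sec=/) {
                    k = split(substr(opts[i], 5), fl, ":")
                    krb = (k > 0)
                    for (j = 1; j <= k; j++)
                        if (fl[j] !~ /^krb5[ip]?$/) krb = 0   # e.g. sec=sys:krb5 fails
                }
            }
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(req[i] in have))
                    missing = missing (missing == "" ? "" : ",") req[i]
            if (!krb)
                missing = missing (missing == "" ? "" : ",") "sec=krb5:krb5i:krb5p"
            if (missing != "") print $2, missing
        }'
}

# Constructed sample fstab, not a real system's file.
sample_fstab() {
    cat <<'EOF'
# constructed sample
UUID=0000-0000           /             xfs   defaults                          0 0
fileserver:/export/home  /home/remote  nfs   rw,nosuid,nodev                   0 0
fileserver:/export/tools /opt/tools    nfs4  rw,nodev,nosuid,noexec,sec=krb5p  0 0
fileserver:/export/data  /mnt/data     nfs   rw,sec=sys:krb5                   0 0
EOF
}

sample_fstab | nfs_fstab_findings
```

On the sample, /opt/tools is silent, /home/remote is reported for noexec and the missing Kerberos flavour, and /mnt/data for all four. Because the check reads the file rather than the live mount table, it finds entries that are not currently mounted, which findmnt --fstab also covers but a plain findmnt would miss.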
Disable NFS Server Daemons
There is no need to run the NFS server daemons nfs and rpcsvcgssd except on a small number of
properly secured systems designated as NFS servers. Ensure that these daemons are turned off on
clients.

Disable Network File System (nfs)
The Network File System (NFS) service allows remote hosts to mount and interact with shared
filesystems on the local system. If the local system is not designated as an NFS server then this
service should be disabled.
The nfs service can be disabled with the following command:
$ sudo systemctl disable nfs.service
The nfs service can be masked with the following command:
$ sudo systemctl mask nfs.service
References: 2.2.7, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3
Rationale: Unnecessary services should be disabled to decrease the attack surface of the system.
Identifiers: CCE-80237-1
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'nfs.service'
"$SYSTEMCTL_EXEC" disable 'nfs.service'
"$SYSTEMCTL_EXEC" mask 'nfs.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^nfs.socket'; then
    "$SYSTEMCTL_EXEC" stop 'nfs.socket'
    "$SYSTEMCTL_EXEC" disable 'nfs.socket'
    "$SYSTEMCTL_EXEC" mask 'nfs.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'nfs.service' || true
- name: Disable service nfs
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service nfs
      systemd:
        name: nfs.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"nfs.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_nfs_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80237-1
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - nfs.socket
  command: systemctl list-unit-files nfs.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_nfs_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80237-1
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Disable socket nfs
  systemd:
    name: nfs.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"nfs.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_nfs_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80237-1
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
include disable_nfs
class disable_nfs {
  service {'nfs':
    enable => false,
    ensure => 'stopped',
  }
}
Disable Secure RPC Server Service (rpcsvcgssd)
The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC
(most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the
system does not require secure RPC then this service should be disabled.
The rpcsvcgssd service can be disabled with the following command:
$ sudo systemctl disable rpcsvcgssd.service
The rpcsvcgssd service can be masked with the following command:
$ sudo systemctl mask rpcsvcgssd.service
Rationale: Unnecessary services should be disabled to decrease the attack surface of the system.
Identifiers: CCE-80238-9
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service'
"$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service'
"$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcsvcgssd.socket'; then
    "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket'
    "$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.socket'
    "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service' || true
- name: Disable service rpcsvcgssd
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service rpcsvcgssd
      systemd:
        name: rpcsvcgssd.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"rpcsvcgssd.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcsvcgssd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80238-9
- name: Unit Socket Exists - rpcsvcgssd.socket
  command: systemctl list-unit-files rpcsvcgssd.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcsvcgssd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80238-9
- name: Disable socket rpcsvcgssd
  systemd:
    name: rpcsvcgssd.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"rpcsvcgssd.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_rpcsvcgssd_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80238-9
include disable_rpcsvcgssd
class disable_rpcsvcgssd {
  service {'rpcsvcgssd':
    enable => false,
    ensure => 'stopped',
  }
}
Specify UID and GID for Anonymous NFS Connections
To specify the UID and GID for remote root users, edit the /etc/exports file and add the following for each export:
anonuid=value greater than UID_MAX from /etc/login.defs
anongid=value greater than GID_MAX from /etc/login.defs
Note that a value of "-1" is technically acceptable as this will randomize the anonuid and
anongid values on a Red Hat Enterprise Linux 6 based NFS server. While acceptable from a security perspective,
a value of -1 may cause interoperability issues, particularly with Red Hat Enterprise Linux 7 client systems.
Alternatively, functionally equivalent values of 60001, 65534, 65535 may be used.
Rationale: Specifying the anonymous UID and GID ensures that the remote root user is mapped
to a local account which has no permissions on the system.
Identifiers: CCE-80236-3

Print Support
The Common Unix Printing System (CUPS) service provides both local and network printing support.
A system running the CUPS service can accept print jobs from other systems, process them, and send
them to the appropriate printer. It also provides an interface for remote administration through a
web browser. The CUPS service is installed and activated by default. The project homepage and more
detailed documentation are available at http://www.cups.org.
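The following added example belongs to the preceding NFS rule, Specify UID and GID for Anonymous NFS Connections, rather than to the CUPS material that follows; it is not part of the SCAP Security Guide. It reads an /etc/exports stream and reports every client whose anonuid or anongid is missing, set to -1 (the interoperability case the rule describes), or not above the UID_MAX/GID_MAX thresholds read from /etc/login.defs. The function names and sample entries are constructed for the example; the 60000 fallback is the shadow-utils default for UID_MAX and GID_MAX when the key is absent from login.defs.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: check the anonuid/anongid
# mapping of each client in an /etc/exports stream against the UID_MAX/GID_MAX
# thresholds from /etc/login.defs. Typical use:
#   exports_anon_findings "$(login_defs_max UID_MAX < /etc/login.defs)" \
#                         "$(login_defs_max GID_MAX < /etc/login.defs)" < /etc/exports
# Assumption (mine): one export per line, "path client(opts) client(opts) ...";
# a client without parentheses carries no options.

# login_defs_max KEY < login.defs  -> prints the value, or 60000 (the
# shadow-utils default) when the key is absent.
login_defs_max() {
    awk -v key="$1" '$1 == key { v = $2 } END { print (v == "" ? 60000 : v) }'
}

# exports_anon_findings UID_MAX GID_MAX < exports
# Prints "<path> <client> <problem>" for each client whose anonuid/anongid is
# missing, is -1 (randomised on RHEL 6 servers but a RHEL 7 client
# interoperability risk, as the rule notes) or is not above the given maximum.
exports_anon_findings() {
    awk -v uid_max="$1" -v gid_max="$2" '
        function check(path, client, name, val, max) {
            if (val == "")
                print path, client, name " not set"
            else if (val == "-1")
                print path, client, name "=-1 (may break RHEL 7 clients)"
            else if (val + 0 <= max + 0)
                print path, client, name "=" val " is not above " max
        }
        /^[ \t]*#/ || NF < 2 { next }
        {
            for (c = 2; c <= NF; c++) {
                client = $c; opts = ""
                if (match(client, /\(.*\)/)) {          # split "host(opt,opt)"
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                uid = ""; gid = ""
                m = split(opts, o, ",")
                for (i = 1; i <= m; i++) {
                    if (o[i] ~ /^anonuid=/) uid = substr(o[i], 9)
                    if (o[i] ~ /^anongid=/) gid = substr(o[i], 9)
                }
                check($1, client, "anonuid", uid, uid_max)
                check($1, client, "anongid", gid, gid_max)
            }
        }'
}

# Constructed samples, not real system files.
sample_login_defs() {
    cat <<'EOF'
# constructed sample
UID_MAX 60000
GID_MAX 60000
EOF
}

sample_exports() {
    cat <<'EOF'
# constructed sample
/export/home  192.0.2.0/24(rw,anonuid=65534,anongid=65534)
/export/data  192.0.2.10(ro,anonuid=1000,anongid=65534) 192.0.2.11(ro)
/export/tmp   *(rw,anonuid=-1,anongid=-1)
EOF
}

UID_MAX=$(sample_login_defs | login_defs_max UID_MAX)
GID_MAX=$(sample_login_defs | login_defs_max GID_MAX)
sample_exports | exports_anon_findings "$UID_MAX" "$GID_MAX"
```

On the sample, /export/home passes, /export/data is reported once for the low anonuid on the first client and twice for the unset mapping on the second, and /export/tmp twice for the -1 values. A client with no options at all is reported rather than silently accepted, since exportfs then applies its own defaults rather than the mapping the rule asks for.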
Disable the CUPS Service
The cups service can be disabled with the following command:
$ sudo systemctl disable cups.service
The cups service can be masked with the following command:
$ sudo systemctl mask cups.service
References: 2.2.4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: Turn off unneeded services to reduce attack surface.
Identifiers: CCE-80282-7
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'cups.service'
"$SYSTEMCTL_EXEC" disable 'cups.service'
"$SYSTEMCTL_EXEC" mask 'cups.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^cups.socket'; then
    "$SYSTEMCTL_EXEC" stop 'cups.socket'
    "$SYSTEMCTL_EXEC" disable 'cups.socket'
    "$SYSTEMCTL_EXEC" mask 'cups.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'cups.service' || true
- name: Disable service cups
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service cups
      systemd:
        name: cups.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"cups.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cups_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80282-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - cups.socket
  command: systemctl list-unit-files cups.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cups_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80282-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Disable socket cups
  systemd:
    name: cups.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"cups.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_cups_disabled
  - unknown_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80282-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
include disable_cups
class disable_cups {
  service {'cups':
    enable => false,
    ensure => 'stopped',
  }
}
Configure the CUPS Service if Necessary
CUPS provides the ability to easily share local printers with other systems over the network. It
does this by allowing systems to share lists of available printers. Additionally, each system that
runs the CUPS service can potentially act as a print server. Whenever possible, the printer sharing
and print server capabilities of CUPS should be limited or disabled. The following recommendations
should demonstrate how to do just that.

Disable Printer Browsing Entirely if Possible
By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This
functionality is called printer browsing. To disable printer browsing entirely, edit the CUPS
configuration file, located at /etc/cups/cupsd.conf, to include the following:
Browsing Off
BrowseAllow none
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: The CUPS print service can be configured to broadcast a list of available printers to
the network. Other systems on the network, also running the CUPS print service, can be configured
to listen to these broadcasts and add and configure these printers for immediate use. By disabling
this browsing capability, the system will no longer generate or receive such broadcasts.
Identifiers: CCE-80283-5

Disable Print Server Capabilities
To prevent remote users from potentially connecting to and using locally configured printers,
disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for
print jobs by removing the more generic port directive from /etc/cups/cupsd.conf:
Port 631
and replacing it with the Listen directive:
Listen localhost:631
This will prevent remote users from printing to locally configured printers while still allowing
local users on the system to print normally.
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: By default, locally configured printers will not be shared over the network, but if this
functionality has somehow been enabled, these recommendations will disable it again. Be sure to
disable outgoing printer list broadcasts, or remote users will still be able to see the locally
configured printers, even if they cannot actually print to them. To limit print serving to a
particular set of users, use the Policy directive.
Identifiers: CCE-80284-3

Docker Service
The docker service is necessary to create containers, which are self-sufficient and self-contained
applications using the resource isolation features of the kernel.

Install the docker Package
The docker package provides necessary software to create containers, which are self-sufficient and
self-contained applications using the resource isolation features of the kernel.
The docker package can be installed with the following command:
$ sudo yum install docker
Rationale: To be able to run the docker service, the docker package has to be installed.
if ! rpm -q --quiet "docker" ; then
    yum install -y "docker"
fi
- name: Ensure docker is installed
  package:
    name: docker
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - package_docker_installed
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
include install_docker
class install_docker {
  package { 'docker':
    ensure => 'installed',
  }
}
package --add=docker
Enable the Docker service
The docker service is commonly needed to create containers.
The docker service can be enabled with the following command:
$ sudo systemctl enable docker.service
Rationale: To be able to find any problems with misconfiguration of the docker daemon and running
containers, the docker service has to be enabled.
Identifiers: CCE-80440-1
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'docker.service'
"$SYSTEMCTL_EXEC" enable 'docker.service'
- name: Enable service docker
  block:
    - name: Gather the package facts
      package_facts:
        manager: auto
    - name: Enable service docker
      service:
        name: docker
        enabled: 'yes'
        state: started
      when:
      - '"docker" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_docker_enabled
  - medium_severity
  - enable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80440-1
include enable_docker
class enable_docker {
  service {'docker':
    enable => true,
    ensure => 'running',
  }
}
Use direct-lvm with the Device Mapper Storage Driver
To use Docker in production with the device mapper storage driver, the Docker daemon should be
configured to use direct-lvm instead of a loopback device as storage. For setting up the LVM and
configuring Docker, see the Docker Device Mapper Storage Documentation.
Rationale: For using Docker in production, the device mapper storage driver with loopback devices
is discouraged. The suggested way of configuring the device mapper storage driver is direct-lvm.
Choosing the right storage driver and backing filesystem is crucial to stability and performance.
Identifiers: CCE-80441-9

Ensure SELinux support is enabled in Docker
To enable SELinux for the Docker service, the Docker service must be configured to run the Docker
daemon with the --selinux-enabled option. In the /etc/sysconfig/docker configuration file, add or
correct the following line to enable SELinux support in the Docker daemon:
OPTIONS='--selinux-enabled'
Rationale: If SELinux is not explicitly enabled in the Docker daemon configuration, Docker does not
use SELinux, which means Docker runs unconfined and SELinux will not provide security separation
for Docker container processes. However, enabling SELinux for the Docker service prevents an
attacker or rogue container from attacking other container processes and content, and also
prevents taking over the host operating system.
Identifiers: CCE-80442-7

Avahi Server
The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide
service and host discovery on a network. It allows a system to automatically identify resources on
the network, such as printers or web servers. This capability is also known as mDNSresponder and is
a major part of Zeroconf networking.

Disable Avahi Server if Possible
Because the Avahi daemon service keeps an open network port, it is subject to network attacks.
Disabling it can reduce the system's vulnerability to such attacks.

Disable Avahi Server Software
The avahi-daemon service can be disabled with the following command:
$ sudo systemctl disable avahi-daemon.service
The avahi-daemon service can be masked with the following command:
$ sudo systemctl mask avahi-daemon.service
References: 2.2.3, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: Because the Avahi daemon service keeps an open network port, it is subject to network
attacks. Its functionality is convenient but is only appropriate if the local network can be
trusted.
Identifiers: CCE-80338-7
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'avahi-daemon.service'
"$SYSTEMCTL_EXEC" disable 'avahi-daemon.service'
"$SYSTEMCTL_EXEC" mask 'avahi-daemon.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^avahi-daemon.socket'; then
    "$SYSTEMCTL_EXEC" stop 'avahi-daemon.socket'
    "$SYSTEMCTL_EXEC" disable 'avahi-daemon.socket'
    "$SYSTEMCTL_EXEC" mask 'avahi-daemon.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'avahi-daemon.service' || true
- name: Disable service avahi-daemon
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service avahi-daemon
      systemd:
        name: avahi-daemon.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"avahi-daemon.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_avahi-daemon_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80338-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Unit Socket Exists - avahi-daemon.socket
  command: systemctl list-unit-files avahi-daemon.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_avahi-daemon_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80338-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
- name: Disable socket avahi-daemon
  systemd:
    name: avahi-daemon.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"avahi-daemon.socket" in socket_file_exists.stdout_lines[1]'
  - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
  - service_avahi-daemon_disabled
  - medium_severity
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - CCE-80338-7
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-CM-6(a)
include disable_avahi-daemon
class disable_avahi-daemon {
  service {'avahi-daemon':
    enable => false,
    ensure => 'stopped',
  }
}
Configure Avahi if Necessary
If your system requires the Avahi daemon, its configuration can be restricted to improve security.
The Avahi daemon configuration file is /etc/avahi/avahi-daemon.conf. The following security
recommendations should be applied to this file. See the avahi-daemon.conf(5) man page, or
documentation at http://www.avahi.org, for more detailed information about the configuration
options.

Check Avahi Responses' TTL Field
To make Avahi ignore packets unless the TTL field is 255, edit /etc/avahi/avahi-daemon.conf and
ensure the following line appears in the [server] section:
check-response-ttl=yes
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3
Rationale: This helps to ensure that only mDNS responses from the local network are processed,
because the TTL field in a packet is decremented from its initial value of 255 whenever it is
routed from one network to another. Although a properly configured router or firewall should not
allow mDNS packets into the local network at all, this option provides another check to ensure
they are not permitted.
Identifiers: CCE-80340-3

Disable Avahi Publishing
To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf and ensure the
following line appears in the [publish] section:
disable-publishing=yes
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: This helps ensure that no record will be published by Avahi.
Identifiers: CCE-82369-0

Serve Avahi Only via Required Protocol
If you are using only IPv4, edit /etc/avahi/avahi-daemon.conf and ensure the following line exists
in the [server] section:
use-ipv6=no
Similarly, if you are using only IPv6, disable IPv4 sockets with the line:
use-ipv4=no
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3
Identifiers: CCE-80339-5

Prevent Other Programs from Using Avahi's Port
To prevent other mDNS stacks from running, edit /etc/avahi/avahi-daemon.conf and ensure the
following line appears in the [server] section:
disallow-other-stacks=yes
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: This helps ensure that only Avahi is responsible for mDNS traffic coming from that port
on the system.
Identifiers: CCE-80341-1

Restrict Information Published by Avahi
If it is necessary to publish some information to the network, it should not be joined by any
extraneous information, or by information supplied by a non-trusted source on the system.
Prevent user applications from using Avahi to publish services by adding or correcting the
following line in the [publish] section:
disable-user-service-publishing=yes
Implement as many of the following lines as possible, to restrict the information published by
Avahi.
publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no
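An added example, not part of the SCAP Security Guide, that audits the cupsd.conf directives from the two CUPS configuration rules above (Browsing Off, BrowseAllow none, and Listen localhost:631 in place of Port 631) and the avahi-daemon.conf directives from the Avahi rules in this subsection. The use-ipv4/use-ipv6 choice and the contents of /etc/avahi/services/ depend on the site and are left to manual review. Each function reads a configuration file on stdin and prints one finding per line; the function names and the weak and hardened sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit the CUPS and Avahi
# directives the rules above recommend. Typical use:
#   cups_conf_findings  < /etc/cups/cupsd.conf
#   avahi_conf_findings < /etc/avahi/avahi-daemon.conf
# Assumption (mine): plain "Directive value" lines in cupsd.conf and
# "[section]" / "key=value" lines in avahi-daemon.conf, with '#' or ';' comments.

# cupsd.conf: no generic Port directive, a Listen on the loopback address only,
# Browsing Off and BrowseAllow none. Prints nothing when the file complies.
cups_conf_findings() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "Port"        { print "Port " $2 " listens on every interface; replace with Listen localhost:631" }
        $1 == "Listen"      { if ($2 == "localhost:631" || $2 == "127.0.0.1:631") loopback = 1 }
        $1 == "Browsing"    { browsing = tolower($2) }
        $1 == "BrowseAllow" { browse_allow = tolower($2) }
        END {
            if (!loopback)              print "no Listen localhost:631 directive"
            if (browsing != "off")      print "Browsing is not Off"
            if (browse_allow != "none") print "BrowseAllow is not none"
        }'
}

# avahi-daemon.conf: each [server]/[publish] key from the rules above must hold
# the required value. A missing key is reported too, because Avahi then uses
# its built-in default instead of the hardened setting.
avahi_conf_findings() {
    awk -F= '
        BEGIN {
            want["server:check-response-ttl"]               = "yes"
            want["server:disallow-other-stacks"]            = "yes"
            want["publish:disable-publishing"]              = "yes"
            want["publish:disable-user-service-publishing"] = "yes"
            want["publish:publish-addresses"]               = "no"
            want["publish:publish-hinfo"]                   = "no"
            want["publish:publish-workstation"]             = "no"
            want["publish:publish-domain"]                  = "no"
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { section = $0; gsub(/\[|\]|[ \t]/, "", section); next }
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            have[section ":" key] = val
        }
        END {
            for (k in want) {
                split(k, p, ":")
                if (!(k in have))
                    print "[" p[1] "] " p[2] " not set (want " want[k] ")"
                else if (have[k] != want[k])
                    print "[" p[1] "] " p[2] "=" have[k] " (want " want[k] ")"
            }
        }' | sort
}

# Constructed samples: a weak and a hardened file for each daemon.
cupsd_weak()     { printf 'Port 631\nListen /var/run/cups/cups.sock\nBrowsing On\n'; }
cupsd_hardened() { printf 'Listen localhost:631\nListen /var/run/cups/cups.sock\nBrowsing Off\nBrowseAllow none\n'; }
avahi_weak()     { printf '[server]\nuse-ipv4=yes\ncheck-response-ttl=no\n\n[publish]\ndisable-publishing=no\npublish-addresses=yes\n'; }
avahi_hardened() {
    printf '[server]\ncheck-response-ttl=yes\ndisallow-other-stacks=yes\n'
    printf '[publish]\ndisable-publishing=yes\ndisable-user-service-publishing=yes\n'
    printf 'publish-addresses=no\npublish-hinfo=no\npublish-workstation=no\npublish-domain=no\n'
}

echo "cupsd.conf (weak sample):";        cupsd_weak | cups_conf_findings
echo "avahi-daemon.conf (weak sample):"; avahi_weak | avahi_conf_findings
echo "hardened samples (no output expected):"
cupsd_hardened | cups_conf_findings; avahi_hardened | avahi_conf_findings
```

The weak CUPS sample yields four findings (the Port directive, the missing loopback Listen, Browsing On and the absent BrowseAllow) and the weak Avahi sample eight, one per required key; both hardened samples are silent. Reporting absent keys rather than only wrong values matters for Avahi, whose defaults for publish-addresses, publish-hinfo, publish-workstation and publish-domain differ from the restricted settings the rule asks for.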
Inspect the files in the directory /etc/avahi/services/. Unless there is an operational need to
publish information about each of these services, delete the corresponding file.
References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3
Rationale: These options prevent publishing attempts from succeeding, and can be applied even if
publishing is disabled entirely via disable-publishing. Alternatively, these can be used to
restrict the types of published information in the event that some information must be published.
Identifiers: CCE-80343-7

Proxy Server
A proxy server is a very desirable target for a potential adversary because much (or all)
sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the
system acting as a proxy server should be dedicated to that purpose alone and be stored in a
physically secure location. The system's default proxy server software is Squid, and it is
provided in an RPM package of the same name.

Disable Squid if Possible
If Squid was installed and activated, but the system does not need to act as a proxy server, then
it should be disabled and removed.

Uninstall squid Package
The squid package can be removed with the following command:
$ sudo yum erase squid
Rationale: If there is no need to make the proxy server software available, removing it provides a
safeguard against its activation.
Identifiers: CCE-80286-8
Remediation Shell script:
# CAUTION: This remediation script will remove squid
# from the system, and may remove any packages
# that depend on squid. Execute this
# remediation AFTER testing on a non-production
# system!
if rpm -q --quiet "squid" ; then
    yum remove -y "squid"
fi

Remediation Ansible snippet:
- name: Ensure squid is removed
  package:
    name: squid
    state: absent
  tags:
    - package_squid_removed
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80286-8

Remediation Puppet snippet:
include remove_squid
class remove_squid {
  package { 'squid':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=squid
Disable Squid
The squid service can be disabled with the following command:
$ sudo systemctl disable squid.service
The squid service can be masked with the following command:
$ sudo systemctl mask squid.service

References: 2.2.13

Rationale: Running proxy server software provides a network-based avenue
of attack, and should be removed if not needed.
CCE-80285-0
Remediation Shell script:
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'squid.service'
"$SYSTEMCTL_EXEC" disable 'squid.service'
"$SYSTEMCTL_EXEC" mask 'squid.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^squid.socket'; then
    "$SYSTEMCTL_EXEC" stop 'squid.socket'
    "$SYSTEMCTL_EXEC" disable 'squid.socket'
    "$SYSTEMCTL_EXEC" mask 'squid.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'squid.service' || true

Remediation Ansible snippet:
- name: Disable service squid
  block:
    - name: Gather the service facts
      service_facts: null
    - name: Disable service squid
      systemd:
        name: squid.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"squid.service" in ansible_facts.services'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_squid_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80285-0
- name: Unit Socket Exists - squid.socket
  command: systemctl list-unit-files squid.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_squid_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80285-0
- name: Disable socket squid
  systemd:
    name: squid.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"squid.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_squid_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80285-0

Remediation Puppet snippet:
include disable_squid
class disable_squid {
  service {'squid':
    enable => false,
    ensure => 'stopped',
  }
}
Introduction
The purpose of this guidance is to provide security configuration
recommendations and baselines for the Red Hat Enterprise Linux 7 operating
system. Recommended settings for the basic operating system are provided,
as well as for many network services that the system can provide to other systems.
The guide is intended for system administrators. Readers are assumed to
possess basic system administration skills for Unix-like systems, as well
as some familiarity with the product's documentation and administration
conventions. Some instructions within this guide are complex.
All directions should be followed completely and with understanding of
their effects in order to avoid serious adverse effects on the system
and its security.

How to Use This Guide
Readers should heed the following points when using the guide.

Formatting Conventions
Commands intended for shell execution, as well as configuration file text,
are featured in a monospace font. Italics are used
to indicate instances where the system administrator must substitute
the appropriate information into a command or configuration file.

Test in Non-Production Environment
This guidance should always be tested in a non-production environment
before deployment. This test environment should simulate the setup in
which the system will be deployed as closely as possible.

Reboot Required
A system reboot is implicitly required after some actions in order to
complete the reconfiguration of the system. In many cases, the changes
will not take effect until a reboot is performed. In order to ensure
that changes are applied properly and to test functionality, always
reboot the system after applying a set of recommendations from this guide.

Root Shell Environment Assumed
Most of the actions listed in this document are written with the
assumption that they will be executed by the root user running the
/bin/bash shell. Commands preceded with a hash mark (#)
assume that the administrator will execute the commands as root, i.e.
apply the command via sudo whenever possible, or use
su to gain root privileges if sudo cannot be
used. Commands which can be executed as a non-root user are preceded
by a dollar sign ($) prompt.

Read Sections Completely and in Order
Each section may build on information and recommendations discussed in
prior sections. Each section should be read and understood completely;
instructions should never be blindly applied. Relevant discussion may
occur after instructions for an action.

General Principles
The following general principles motivate much of the advice in this
guide and should also influence any configuration decisions that are
not explicitly covered.

Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible
to passive monitoring. Whenever practical solutions for encrypting
such data exist, they should be applied. Even if data is expected to
be transmitted only over a local network, it should still be encrypted.
Encrypting authentication data, such as passwords, is particularly
important. Networks of Red Hat Enterprise Linux 7 machines can and should be configured
so that no unencrypted authentication data is ever transmitted between
machines.

Minimize Software to Minimize Vulnerability
The simplest way to avoid vulnerabilities in software is to avoid
installing that software. On Red Hat Enterprise Linux 7, the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM)
allows for careful management of
the set of software packages installed on a system. Installed software
contributes to system vulnerability in several ways. Packages that
include setuid programs may provide local attackers a potential path to
privilege escalation. Packages that include network services may give
this opportunity to network-based attackers. Packages that include
programs which are predictably executed by local users (e.g. after
graphical login) may provide opportunities for trojan horses or other
attack code to be run undetected. The number of software packages
installed on a system can almost always be significantly pruned to include
only the software for which there is an environmental or operational need.

Configure Security Tools to Improve System Robustness
Several tools exist which can be effectively used to improve a system's
resistance to and detection of unknown attacks. These tools can improve
robustness against attack at the cost of relatively little configuration
effort. In particular, this guide recommends and discusses the use of
host-based firewalling, SELinux for protection against
vulnerable services, and a logging and auditing infrastructure for
detection of problems.

Least Privilege
Grant the least privilege necessary for user accounts and software to perform tasks.
For example, sudo can be implemented to limit authorization to super user
accounts on the system only to designated personnel. Another example is to limit
logins on server systems to only those administrators who need to log into them in
order to perform administration tasks. Using SELinux also follows the principle of
least privilege: SELinux policy can confine software to perform only actions on the
system that are specifically allowed. This can be far more restrictive than the
actions permissible by the traditional Unix permissions model.

Run Different Network Services on Separate Systems
Whenever possible, a server should be dedicated to serving exactly one
network service. This limits the number of other services that can
be compromised in the event that an attacker is able to successfully
exploit a software flaw in one network service.

OSCAP Scan Result (target localhost.localdomain, OpenSCAP 1.2.17)

# Function to fix syscall audit rule for given system call. It is
# based on example audit syscall rule definitions as outlined in
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
# syscall group into one audit rule (rather than to create audit rule per
# different system call) to avoid audit infrastructure performance penalty
# in the case of 'one-audit-rule-definition-per-one-system-call'. See:
#
# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html
#
# for further details.
#
# Expects five arguments (each of them is required) in the form of:
# * audit tool                      tool used to load audit rules,
#                                   either 'auditctl', or 'augenrules'
# * audit rules' pattern            audit rule skeleton for same syscall
# * syscall group                   greatest common string this rule shares
#                                   with other rules from the same group
# * architecture                    architecture this rule is intended for
# * full form of new rule to add    expected full form of audit rule as to be
#                                   added into audit.rules file
#
# Note: The 2nd up to 4th arguments are used to determine how many existing
# audit rules will be inspected for resemblance with the new audit rule
# (5th argument) the function is going to add. The rule's similarity check
# is performed to optimize audit.rules definition (merge syscalls of the same
# group into one rule) to avoid the "single-syscall-per-audit-rule" performance
# penalty.
#
# Example call:
#
# See e.g. 'audit_rules_file_deletion_events.sh' remediation script
#
function fix_audit_syscall_rule {
# Load function arguments into local variables
local tool="$1"
local pattern="$2"
local group="$3"
local arch="$4"
local full_rule="$5"
# Check sanity of the input
if [ $# -ne "5" ]
then
echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
echo "Aborting."
exit 1
fi
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
declare -a files_to_inspect
retval=0
# First check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
return 1
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect+=('/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
# Extract audit $key from audit rule so we can use it later
key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
if [ $? -ne 0 ]
then
retval=1
fi
for match in "${matches[@]}"
do
files_to_inspect+=("${match}")
done
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$key.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
fi
#
# Indicator that we want to append $full_rule into $audit_file by default
local append_expected_rule=0
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that:
# * follow the rule pattern, and
# * meet the hardware architecture requirement, and
# * are current syscall group specific
readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
if [ $? -ne 0 ]
then
retval=1
fi
# Process rules found case-by-case
for rule in "${existing_rules[@]}"
do
# Found rule is for same arch & key, but differs (e.g. in count of -S arguments)
if [ "${rule}" != "${full_rule}" ]
then
# If so, isolate just '(-S \w)+' substring of that rule
rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+')
# Check if list of '-S syscall' arguments of that rule is subset
# of '-S syscall' list of expected $full_rule
if grep -q -- "$rule_syscalls" <<< "$full_rule"
then
# Rule is covered (i.e. the list of -S syscalls for this rule is
# subset of -S syscalls of $full_rule => existing rule can be deleted
# Thus delete the rule from audit.rules & our array
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
existing_rules=("${existing_rules[@]//$rule/}")
else
# Rule isn't covered by $full_rule - it besides -S syscall arguments
# for this group contains also -S syscall arguments for other syscall
# group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'
# since 'lchown' & 'fchownat' share 'chown' substring
# Therefore:
# * 1) delete the original rule from audit.rules
# (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
# * 2) delete the -S syscall arguments for this syscall group, but
# keep those not belonging to this syscall group
# (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
# * 3) append the modified (filtered) rule again into audit.rules
# if the same rule not already present
#
# 1) Delete the original rule
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
# 2) Delete syscalls for this group, but keep those from other groups
# Convert current rule syscall's string into array splitting by '-S' delimiter
IFS_BKP="$IFS"
IFS=$'-S'
read -a rule_syscalls_as_array <<< "$rule_syscalls"
# Reset IFS back to default
IFS="$IFS_BKP"
# Splitting by "-S" can't be replaced by the readarray functionality easily
# Declare new empty string to hold '-S syscall' arguments from other groups
new_syscalls_for_rule=''
# Walk through existing '-S syscall' arguments
for syscall_arg in "${rule_syscalls_as_array[@]}"
do
# Skip empty $syscall_arg values
if [ "$syscall_arg" == '' ]
then
continue
fi
# If the '-S syscall' doesn't belong to current group add it to the new list
# (together with adding '-S' delimiter back for each of such item found)
if grep -q -v -- "$group" <<< "$syscall_arg"
then
new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
fi
done
# Replace original '-S syscall' list with the new one for this rule
updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
# Squeeze repeated whitespace characters in rule definition (if any) into one
updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
# 3) Append the modified / filtered rule again into audit.rules
# (but only in case it's not present yet to prevent duplicate definitions)
if ! grep -q -- "$updated_rule" "$audit_file"
then
echo "$updated_rule" >> "$audit_file"
fi
fi
else
# $audit_file already contains the expected rule form for this
# architecture & key => don't insert it second time
append_expected_rule=1
fi
done
# We deleted all rules that were subset of the expected one for this arch & key.
# Also isolated rules containing system calls not from this system calls group.
# Now append the expected rule if it's not present in $audit_file yet
if [[ ${append_expected_rule} -eq "0" ]]
then
echo "$full_rule" >> "$audit_file"
fi
done
return $retval
}
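The comment above explains why fix_audit_syscall_rule merges several "-S syscall" rules into one rule per group: the kernel evaluates every loaded rule on every exit from a matching syscall, so one rule per syscall costs more than one rule per group. The function itself writes straight into /etc/audit and cannot be tried on a scratch file. The following is an added example, not SCAP Security Guide code, that performs only the merge step over a rules file passed as an argument: two syscall rules are merged when they are identical after their "-S name" tokens are removed (same arch, same -F filters, same key); comma-separated "-S a,b" lists are split and de-duplicated; comments, "-w" watches and control lines are copied through unchanged ahead of the merged rules. It assumes the rule form "-a always,exit -F arch=bNN -S name [-S name ...] [-F ...] -k key".

```bash
#!/bin/bash
# Added example (not SCAP Security Guide code): merge audit syscall rules that
# differ only in their "-S" lists into one rule per group. Works on the file
# given as $1 so it can be tried on a copy of /etc/audit/rules.d/*.rules.

merge_syscall_rules() {   # $1: rules file, rewritten in place
    local file="$1" tmp
    tmp=$(mktemp) || return 1
    awk '
        /^-a[ \t]+(always,exit|exit,always)[ \t]/ && / -S / {
            sub(/[ \t]+$/, "")
            n = split($0, t, /[ \t]+/)
            # skeleton = the rule with every "-S name" pair removed (this is the
            # group identity); pos = number of skeleton tokens before the first -S
            sk = ""; cnt = 0; pos = -1
            for (i = 1; i <= n; i++) {
                if (t[i] == "-S") { if (pos < 0) pos = cnt; i++; continue }
                cnt++
                sk = sk (sk == "" ? "" : " ") t[i]
            }
            if (!(sk in seen)) { seen[sk] = 1; order[++ng] = sk; at[sk] = pos }
            # collect the syscalls of this rule into the group, without duplicates
            for (i = 1; i <= n; i++) {
                if (t[i] != "-S") continue
                m = split(t[++i], names, ",")
                for (j = 1; j <= m; j++) {
                    if (!((sk, names[j]) in have)) {
                        have[sk, names[j]] = 1
                        calls[sk] = calls[sk] " -S " names[j]
                    }
                }
            }
            next
        }
        { other[++nother] = $0 }   # anything that is not a syscall rule
        END {
            for (i = 1; i <= nother; i++) print other[i]
            # re-emit one rule per group, with the merged -S list where the
            # first rule of the group had its -S tokens
            for (g = 1; g <= ng; g++) {
                sk = order[g]; n = split(sk, st, " "); out = ""
                for (i = 1; i <= n; i++) {
                    out = out (i == 1 ? "" : " ") st[i]
                    if (i == at[sk]) out = out calls[sk]
                }
                print out
            }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage (as root, after trying it on a copy):
#   cp /etc/audit/rules.d/audit.rules /root/audit.rules.bak
#   merge_syscall_rules /etc/audit/rules.d/audit.rules && augenrules --load
```

Because the group identity is the whole rule minus its -S tokens, rules that carry different -F filters (for example an extra "-F a0=0x0", or "-F exit=-EACCES" versus "-F exit=-EPERM" as in the OSPP rules further below) are kept apart, which is what the kernel needs: merging them would change what is audited. The merged file still has to be loaded, with augenrules --load or auditctl -R, before the change takes effect.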
# Function to perform remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
# system calls on RHEL, Fedora or OL systems.
# Remediation performed for both possible tools: 'auditctl' and 'augenrules'.
#
# Note: 'stime' system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
# therefore excluded from the list of time group system calls to be audited on this arch
#
# Example Call:
#
# perform_audit_adjtimex_settimeofday_stime_remediation
#
function perform_audit_adjtimex_settimeofday_stime_remediation {
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
# Create expected audit group and audit rule form for particular system call & architecture
if [ ${ARCH} = "b32" ]
then
# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
# so append it to the list of time group system calls to be audited
GROUP="\(adjtimex\|settimeofday\|stime\)"
FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
elif [ ${ARCH} = "b64" ]
then
# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
# therefore don't add it to the list of time group system calls to be audited
GROUP="\(adjtimex\|settimeofday\)"
FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
fi
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
}
function create_audit_remediation_unsuccessful_file_modification_detailed {
mkdir -p "$(dirname "$1")"
# The - option to mark a here document limit string (<<-EOF) suppresses leading tabs (but not spaces) in the output.
cat <<-EOF > "$1"
## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance.
## The following content has been retrieved on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depend on having
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
EOF
}
function include_mount_options_functions {
:
}
# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')
for _vfstype_point in "${_vfstype_points[@]}"
do
ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
done
}
# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
local _mount_point_match_regexp="" _previous_mount_opts=""
_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"
if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
# runtime opts without some automatic kernel/userspace-added defaults
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
fi
}
# $1: mount point
function get_mount_point_regexp {
printf "[[:space:]]%s[[:space:]]" "$1"
}
# $1: mount point
function assert_mount_point_in_fstab {
local _mount_point_match_regexp
_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
grep "$_mount_point_match_regexp" -q /etc/fstab \
|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}
# $1: mount point
function remove_defaults_from_fstab_if_overriden {
local _mount_point_match_regexp
_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
then
sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
fi
}
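ensure_mount_option_in_fstab above decides whether an option is already present with grep -c "$_new_opt" over the whole fstab line, which is a substring test: asking for "dev" is satisfied by an existing "nodev", and "exec" by "noexec". The following is an added example, not SCAP Security Guide code, that adds a mount option to an existing fstab entry while comparing the option against each comma-separated token of the options field, and takes the fstab path as an argument so it can be tried on a scratch copy first. It assumes standard six-field fstab lines and that the mount point already has an entry (it returns 2 otherwise, mirroring assert_mount_point_in_fstab).

```bash
#!/bin/bash
# Added example (not SCAP Security Guide code): idempotently add a mount option
# to the fstab entry of a mount point, matching options as whole tokens.
# Assumption: standard "device mountpoint type options dump pass" lines.

ensure_fstab_option() {   # $1: fstab path, $2: mount point, $3: option to add
    local fstab="$1" mnt="$2" opt="$3" tmp rc=0
    tmp=$(mktemp) || return 1
    awk -v mnt="$mnt" -v opt="$opt" '
        # a non-comment line whose second field is exactly the mount point
        !/^[ \t]*#/ && NF >= 4 && $2 == mnt {
            matched = 1
            n = split($4, o, ",")
            found = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            # appending to $4 rebuilds the line with single-space separators
            if (!found) $4 = $4 "," opt
        }
        { print }
        END { exit matched ? 0 : 2 }   # 2: mount point has no fstab entry
    ' "$fstab" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv "$tmp" "$fstab"
    else
        rm -f "$tmp"
        echo "mount point '$mnt' has no entry in $fstab" >&2
    fi
    return "$rc"
}

# Usage on a live system (as root), after trying it on a copy:
#   cp /etc/fstab /root/fstab.bak
#   ensure_fstab_option /etc/fstab /dev/shm nodev && mount -o remount /dev/shm
```

Editing fstab only changes what the next mount does; as ensure_partition_is_mounted below shows, an already mounted filesystem needs a remount for the new option to take effect, and the result should be confirmed with findmnt -o TARGET,OPTIONS before the change is trusted.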
# $1: mount point
function ensure_partition_is_mounted {
local _mount_point="$1"
mkdir -p "$_mount_point" || return 1
if mountpoint -q "$_mount_point"; then
mount -o remount --target "$_mount_point"
else
mount --target "$_mount_point"
fi
}
# Function to fix syscall audit rule for given system call. It is
# based on example audit syscall rule definitions as outlined in
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
# syscall group into one audit rule (rather than to create audit rule per
# different system call) to avoid audit infrastructure performance penalty
# in the case of 'one-audit-rule-definition-per-one-system-call'. See:
#
# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html
#
# for further details.
#
# Expects five arguments (each of them is required) in the form of:
# * audit tool                      tool used to load audit rules,
#                                   either 'auditctl', or 'augenrules'
# * audit rules' pattern            audit rule skeleton for same syscall
# * syscall group                   greatest common string this rule shares
#                                   with other rules from the same group
# * architecture                    architecture this rule is intended for
# * full form of new rule to add    expected full form of audit rule as to be
#                                   added into audit.rules file
#
# Note: The 2nd up to 4th arguments are used to determine how many existing
# audit rules will be inspected for resemblance with the new audit rule
# (5th argument) the function is going to add. The rule's similarity check
# is performed to optimize audit.rules definition (merge syscalls of the same
# group into one rule) to avoid the "single-syscall-per-audit-rule" performance
# penalty.
#
# Example call:
#
# See e.g. 'audit_rules_file_deletion_events.sh' remediation script
#
function fix_audit_syscall_rule {
# Load function arguments into local variables
local tool="$1"
local pattern="$2"
local group="$3"
local arch="$4"
local full_rule="$5"
# Check sanity of the input
if [ $# -ne "5" ]
then
echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
echo "Aborting."
exit 1
fi
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
declare -a files_to_inspect
retval=0
# First check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
return 1
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect+=('/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
# Extract audit $key from audit rule so we can use it later
key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
if [ $? -ne 0 ]
then
retval=1
fi
for match in "${matches[@]}"
do
files_to_inspect+=("${match}")
done
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$key.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
fi
#
# Indicator that we want to append $full_rule into $audit_file by default
local append_expected_rule=0
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that:
# * follow the rule pattern, and
# * meet the hardware architecture requirement, and
# * are current syscall group specific
readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
if [ $? -ne 0 ]
then
retval=1
fi
# Process rules found case-by-case
for rule in "${existing_rules[@]}"
do
# Found rule is for same arch & key, but differs (e.g. in count of -S arguments)
if [ "${rule}" != "${full_rule}" ]
then
# If so, isolate just '(-S \w)+' substring of that rule
rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+')
# Check if list of '-S syscall' arguments of that rule is subset
# of '-S syscall' list of expected $full_rule
if grep -q -- "$rule_syscalls" <<< "$full_rule"
then
# Rule is covered (i.e. the list of -S syscalls for this rule is
# subset of -S syscalls of $full_rule => existing rule can be deleted
# Thus delete the rule from audit.rules & our array
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
existing_rules=("${existing_rules[@]//$rule/}")
else
# Rule isn't covered by $full_rule - it besides -S syscall arguments
# for this group contains also -S syscall arguments for other syscall
# group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'
# since 'lchown' & 'fchownat' share 'chown' substring
# Therefore:
# * 1) delete the original rule from audit.rules
# (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
# * 2) delete the -S syscall arguments for this syscall group, but
# keep those not belonging to this syscall group
# (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
# * 3) append the modified (filtered) rule again into audit.rules
# if the same rule not already present
#
# 1) Delete the original rule
sed -i -e "\;${rule};d" "$audit_file"
if [ $? -ne 0 ]
then
retval=1
fi
# 2) Delete syscalls for this group, but keep those from other groups
# Split the current rule's '-S syscall' string into an array. Note that IFS
# is set to the characters '-' and 'S' (not to the string "-S"); syscall
# names are lowercase, so in practice only '-' separates the items, and the
# empty elements this produces are skipped below
IFS_BKP="$IFS"
IFS=$'-S'
read -a rule_syscalls_as_array <<< "$rule_syscalls"
# Reset IFS back to default
IFS="$IFS_BKP"
# Splitting by "-S" can't be replaced by the readarray functionality easily
# Declare new empty string to hold '-S syscall' arguments from other groups
new_syscalls_for_rule=''
# Walk through existing '-S syscall' arguments
for syscall_arg in "${rule_syscalls_as_array[@]}"
do
# Skip empty $syscall_arg values
if [ "$syscall_arg" == '' ]
then
continue
fi
# If the '-S syscall' doesn't belong to current group add it to the new list
# (together with adding '-S' delimiter back for each of such item found)
if grep -q -v -- "$group" <<< "$syscall_arg"
then
new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
fi
done
# Replace original '-S syscall' list with the new one for this rule
updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
# Squeeze repeated whitespace characters in rule definition (if any) into one
updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
# 3) Append the modified / filtered rule again into audit.rules
# (but only in case it's not present yet to prevent duplicate definitions)
if ! grep -q -- "$updated_rule" "$audit_file"
then
echo "$updated_rule" >> "$audit_file"
fi
fi
else
# $audit_file already contains the expected rule form for this
# architecture & key => don't insert it second time
append_expected_rule=1
fi
done
# We deleted all rules that were subset of the expected one for this arch & key.
# Also isolated rules containing system calls not from this system calls group.
# Now append the expected rule if it's not present in $audit_file yet
if [[ ${append_expected_rule} -eq "0" ]]
then
echo "$full_rule" >> "$audit_file"
fi
done
return $retval
}

function set_faillock_option_to_value_in_pam_file {
# If invoked with no arguments, exit. This is an intentional behavior.
[ $# -gt 0 ] || return 0
[ $# -ge 3 ] || die "$0 requires exactly zero, three, or four arguments"
[ $# -le 4 ] || die "$0 requires exactly zero, three, or four arguments"
local _pamFile="$1" _option="$2" _value="$3" _insert_lines_callback="$4"
# Patterns for the two pam_faillock.so lines. The control field '[default=die]'
# has to be escaped: left unescaped, the brackets form a regex bracket expression
# that matches any single one of those characters instead of the literal field.
local _preauth_re='^auth.*required.*pam_faillock.so.*preauth.*silent.*'
local _authfail_re='^auth.*\[default=die\].*pam_faillock.so.*authfail.*'
# pam_faillock.so already present?
if grep -q "^auth.*pam_faillock.so.*" "$_pamFile"; then
# pam_faillock.so present, is the option present?
if grep -q "${_authfail_re}${_option}=" "$_pamFile"; then
# both pam_faillock.so & option present, just correct option to the right value.
# Only the value token is replaced ([^[:space:]]*), so options that follow it
# on the same line are preserved
sed -i --follow-symlinks "s/\(${_preauth_re}\)\($_option *= *\)[^[:space:]]*/\1\2$_value/" "$_pamFile"
sed -i --follow-symlinks "s/\(${_authfail_re}\)\($_option *= *\)[^[:space:]]*/\1\2$_value/" "$_pamFile"
# pam_faillock.so present, but the option not yet
else
# append correct option value to appropriate places
sed -i --follow-symlinks "/${_preauth_re}/ s/$/ $_option=$_value/" "$_pamFile"
sed -i --follow-symlinks "/${_authfail_re}/ s/$/ $_option=$_value/" "$_pamFile"
fi
# pam_faillock.so not present yet
else
# insert pam_faillock.so preauth & authfail rows with proper value of the option in question
test -z "$_insert_lines_callback" || "$_insert_lines_callback" "$_option" "$_value" "$_pamFile"
fi
}

function include_merge_files_by_lines {
# Intentionally a no-op
:
}
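The following is an added example, not code from the SSG remediation library. It shows the edit that set_faillock_option_to_value_in_pam_file above performs, applied to a constructed excerpt of /etc/pam.d/system-auth, together with the read-back check a practitioner wants: the option value is reported only when the preauth line and the [default=die] authfail line agree. The control field is escaped in the patterns (an unescaped [default=die] is a bracket expression, not the literal text) and only the value token is rewritten, so options later on the same line survive. GNU sed is assumed for sed -i; the function and variable names are this example's own.

```shell
# Added example (not SSG library code): set a pam_faillock option on both
# pam_faillock.so lines of a PAM file and read it back consistently.

# BREs for the two pam_faillock.so lines.  "[default=die]" is escaped: unescaped,
# the brackets would match any single one of the characters d e f a u l t = i.
FAILLOCK_PREAUTH_RE='^auth[[:space:]].*pam_faillock\.so[[:space:]].*preauth'
FAILLOCK_AUTHFAIL_RE='^auth[[:space:]].*\[default=die\][[:space:]].*pam_faillock\.so[[:space:]].*authfail'

# Print the value of option $2 on the line of $1 matched by BRE $3 (nothing if absent).
faillock_line_value() {
    sed -n "/$3/ s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Set option $2 to $3 on the line of $1 matched by BRE $4.  Only the value token
# is replaced ([^[:space:]]*), so options after it on the line survive; an
# absent option is appended to the end of the line.
faillock_set_on_line() {
    if sed -n "/$4/p" "$1" | grep -q -- "[[:space:]]$2="; then
        sed -i "/$4/ s/\([[:space:]]$2=\)[^[:space:]]*/\1$3/" "$1"
    else
        sed -i "/$4/ s/\$/ $2=$3/" "$1"
    fi
}

# Apply option $2=$3 to both the preauth and the authfail line of $1.
faillock_set_option() {
    faillock_set_on_line "$1" "$2" "$3" "$FAILLOCK_PREAUTH_RE"
    faillock_set_on_line "$1" "$2" "$3" "$FAILLOCK_AUTHFAIL_RE"
}

# Print the value of option $2 in $1; fail (status 1) unless both lines carry
# the same value, which is what a compliance check should insist on.
faillock_option_value() {
    fl_pre=$(faillock_line_value "$1" "$2" "$FAILLOCK_PREAUTH_RE")
    fl_fail=$(faillock_line_value "$1" "$2" "$FAILLOCK_AUTHFAIL_RE")
    [ -n "$fl_pre" ] && [ "$fl_pre" = "$fl_fail" ] || return 1
    printf '%s\n' "$fl_pre"
}

# Demo on a constructed excerpt of /etc/pam.d/system-auth.
faillock_demo=$(mktemp)
cat > "$faillock_demo" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit
auth        required      pam_deny.so
EOF
faillock_option_value "$faillock_demo" deny || echo "before: deny is not set on both lines"
faillock_set_option "$faillock_demo" deny 3
faillock_set_option "$faillock_demo" unlock_time 900
echo "after: deny=$(faillock_option_value "$faillock_demo" deny) unlock_time=$(faillock_option_value "$faillock_demo" unlock_time)"
grep pam_faillock "$faillock_demo"
rm -f "$faillock_demo"
```

Run it as-is to see the before/after lines; to use it on a host, copy the PAM file first and diff the result before installing it, as the library's own --follow-symlinks handling of authconfig-managed files is not reproduced here.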
# 1: Filename of the "master" file
# 2: Filename of the newly created file
function create_empty_file_like {
local lines_count
lines_count=$(wc -l < "$1")
for _ in $(seq 1 "$lines_count"); do
printf '\n' >> "$2"
done
}
# 1: Filename of the "master" file
# 2: Filename of sample file
function second_file_is_same_except_newlines {
local lines_of_master lines_of_sample len_of_master line_number i
readarray -t lines_of_master < "$1"
readarray -t lines_of_sample < "$2"
len_of_master="${#lines_of_master[@]}"
if test "$len_of_master" != "${#lines_of_sample[@]}"; then
echo "Files '$1' and '$2' have different number of lines, $len_of_master and ${#lines_of_sample[@]} respectively."
return 1
fi
for line_number in $(seq 1 "$len_of_master"); do
i=$((line_number - 1))
test -n "${lines_of_sample[$i]}" || continue
if test "${lines_of_master[$i]}" != "${lines_of_sample[$i]}"; then
echo "Line $line_number is different in files '$1' and '$2'."
return 1
fi
done
}
# 1: Filename of the "master" file
# 2: Filename of sample file
# 3: List of indices (1-based, space-separated string)
function merge_first_lines_to_second_on_indices {
local lines_of_master lines_of_sample line_number i error_msg
test -f "$2" || create_empty_file_like "$1" "$2"
readarray -t lines_of_master < "$1"
readarray -t lines_of_sample < "$2"
error_msg="$(second_file_is_same_except_newlines "$1" "$2")"
if test $? != 0; then
echo "Error merging lines into '$2': $error_msg" >&2
return 1
fi
for line_number in $3; do
i=$((line_number - 1))
lines_of_sample[$i]="${lines_of_master[$i]}"
done
printf "%s\n" "${lines_of_sample[@]}" > "$2"
}

# The populate function isn't directly used by SSG at the moment but it can be
# used for testing purposes and will be used in SSG Testsuite in the future.
function populate {
# code to populate environment variables needed (for unit testing)
if [ -z "${!1}" ]; then
echo "$1 is not defined. Exiting."
exit 1
fi
}

# Function to fix audit file system object watch rule for given path:
# * if rule exists, also verifies the -w bits match the requirements
# * if rule doesn't exist yet, appends expected rule form to $files_to_inspect
# audit rules file, depending on the tool which was used to load audit rules
#
# Expects four arguments (each of them is required) in the form of:
# * audit tool tool used to load audit rules,
# either 'auditctl', or 'augenrules'
# * path value of -w audit rule's argument
# * required access bits value of -p audit rule's argument
# * key value of -k audit rule's argument
#
# Example call:
#
# fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
#
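An added check to pair with the watch-rule remediation documented above (and implemented right below) and with the syscall-rule remediation earlier in this file; this is example code, not part of the SSG library. It reads the rules the way augenrules would see them (comments dropped, whitespace squeezed) and reports whether a required -w rule already carries all of its -p bits, and whether an arch/key pair already covers a list of -S syscalls, regardless of argument order, of the syscalls being spread over several rules, or of comma-separated -S lists. The sample rules file is constructed; on a real host pass /etc/audit/rules.d (augenrules) or /etc/audit/audit.rules (auditctl). Function and variable names are this example's own.

```shell
# Added example (not SSG library code): verify audit watch and syscall rule
# coverage in the effective rule set.

# Print the effective rule lines of $1 (a file, or a directory of *.rules files)
# with comments and blank lines dropped and whitespace squeezed.
audit_effective_rules() {
    if [ -d "$1" ]; then cat "$1"/*.rules; else cat "$1"; fi |
        sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d'
}

# Print the -p bits of the first watch rule for path $2 in $1 (nothing if absent).
audit_watch_bits() {
    audit_effective_rules "$1" | awk -v p="$2" '
        $1 == "-w" && $2 == p { for (i = 3; i < NF; i++) if ($i == "-p") print $(i + 1) }' | head -n 1
}

# Succeed only if the watch rule for $2 carries every bit listed in $3 (e.g. "wa").
audit_watch_ok() {
    aw_have=$(audit_watch_bits "$1" "$2")
    [ -n "$aw_have" ] || return 1
    for aw_bit in $(printf '%s' "$3" | sed 's/./& /g'); do
        case $aw_have in *"$aw_bit"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Print the union of syscalls named by -S in every "-a always,exit" rule of $1
# that has "-F arch=$2" and key $3 (written either as "-k $3" or "-F key=$3").
# Comma-separated -S lists are split, since auditctl accepts them too.
audit_syscalls_for() {
    audit_effective_rules "$1" | awk -v arch="arch=$2" -v key="$3" '
        $1 == "-a" && $2 == "always,exit" {
            ok_arch = 0; ok_key = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-F" && $(i + 1) == arch) ok_arch = 1
                if (($i == "-k" && $(i + 1) == key) || ($i == "-F" && $(i + 1) == ("key=" key))) ok_key = 1
            }
            if (ok_arch && ok_key)
                for (i = 3; i < NF; i++)
                    if ($i == "-S") { n = split($(i + 1), list, ","); for (j = 1; j <= n; j++) print list[j] }
        }' | sort -u
}

# Succeed only if every syscall in the space-separated list $4 is covered for arch $2 and key $3.
audit_syscalls_ok() {
    as_covered=$(audit_syscalls_for "$1" "$2" "$3")
    for as_name in $4; do
        printf '%s\n' "$as_covered" | grep -qx -- "$as_name" || return 1
    done
    return 0
}

# Demo: one constructed file standing in for the merged /etc/audit/rules.d/*.rules.
audit_demo=$(mktemp)
cat > "$audit_demo" <<'EOF'
## constructed sample
-w /etc/localtime -p wa -k audit_time_rules
-w /etc/sudoers -p r -k actions
-a always,exit -F arch=b64 -S chmod,fchmod -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
EOF
for audit_path in /etc/localtime /etc/sudoers; do
    if audit_watch_ok "$audit_demo" "$audit_path" wa; then
        echo "watch $audit_path: ok"
    else
        echo "watch $audit_path: needs bits wa, has '$(audit_watch_bits "$audit_demo" "$audit_path")'"
    fi
done
for audit_arch in b64 b32; do
    if audit_syscalls_ok "$audit_demo" "$audit_arch" perm_mod "chmod fchmod fchmodat"; then
        echo "syscalls $audit_arch/perm_mod: ok"
    else
        echo "syscalls $audit_arch/perm_mod: covered only: $(audit_syscalls_for "$audit_demo" "$audit_arch" perm_mod | tr '\n' ' ')"
    fi
done
rm -f "$audit_demo"
```

The syscall check takes the union across rules because each loaded rule fires independently; the remediation above prefers to fold them into one rule per arch and key, which this check accepts as well.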
function fix_audit_watch_rule {
# Load function arguments into local variables
local tool="$1"
local path="$2"
local required_access_bits="$3"
local key="$4"
# Check sanity of the input
if [ $# -ne "4" ]
then
echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'"
echo "Aborting."
exit 1
fi
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
declare -a files_to_inspect
files_to_inspect=()
# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
exit 1
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect+=('/etc/audit/audit.rules')
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection.
elif [ "$tool" == 'augenrules' ]
then
# -H makes grep prefix every match with its file name even when rules.d holds a
# single *.rules file; without it, cut below would return the rule text instead of a path
readarray -t matches < <(grep -HP "[\s]*-w[\s]+$path" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
do
# Extract filepath from the match
rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
# Append that path into list of files for inspection
files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
# Append '/etc/audit/rules.d/$key.rules' into list of files for inspection
local key_rule_file="/etc/audit/rules.d/$key.rules"
# If the $key.rules file doesn't exist yet, create it with correct permissions
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
chmod 0640 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
fi
# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
if grep -q -P -- "[\s]*-w[\s]+$path" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
# Escape slashes in path for use in sed pattern below
local esc_path=${path//$'/'/$'\/'}
# Define BRE whitespace class shortcut
local sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "$required_access_bits" | grep -o .)
do
# For each from the required access bits (e.g. 'w', 'a') check
# if they are already present in current access bits for rule.
# If not, append that bit at the end
if ! grep -q "$access_bit" <<< "$current_access_bits"
then
# Concatenate the existing mask with the missing bit
current_access_bits="$current_access_bits$access_bit"
fi
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
echo "-w $path -p $required_access_bits -k $key" >> "$audit_rules_file"
fi
done
}

# Print a message to stderr and exit the shell
# $1: The message to print.
# $2: The error code (optional, default is 1)
function die {
local _message="$1" _rc="${2:-1}"
printf '%s\n' "$_message" >&2
exit "$_rc"
}

# Function to perform remediation for 'audit_rules_privileged_commands' rule
#
# Expects two arguments:
#
# audit_tool tool used to load audit rules
# One of 'auditctl' or 'augenrules'
#
# min_auid Minimum original ID the user logged in with
#
# Example Call(s):
#
# perform_audit_rules_privileged_commands_remediation "auditctl" "500"
# perform_audit_rules_privileged_commands_remediation "augenrules" "1000"
#
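An added example, not part of the SSG library, for the privileged-command remediation documented above and implemented right below: given the binary list that its find invocation produces and the effective audit rules, it lists the binaries that still lack a qualifying rule and prints the rule lines that would have to be appended. A rule qualifies on the same criteria the remediation searches for: an -F path= naming the binary (several per line are allowed), -F perm= containing x, -F auid>= the minimum auid, and auid!=unset or its numeric form 4294967295. The binary list and rules are constructed; on a real host feed it the output of find / -xdev -type f -perm -4000 -o -type f -perm -2000. Function and variable names are this example's own.

```shell
# Added example (not SSG library code): find SUID/SGID binaries without a
# qualifying privileged-command audit rule.

# Print the rule lines of $1 with comments and blank lines dropped and whitespace squeezed.
audit_rule_lines() {
    sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Print every path named by a qualifying privileged-command rule in $1 for min auid $2.
audit_privileged_covered() {
    audit_rule_lines "$1" | awk -v min_auid="$2" '
        $1 == "-a" && $2 == "always,exit" {
            n = 0; has_x = 0; has_auid = 0; has_unset = 0
            for (i = 3; i < NF; i++) if ($i == "-F") {
                f = $(i + 1)
                if (index(f, "path=") == 1) paths[++n] = substr(f, 6)
                if (index(f, "perm=") == 1 && index(f, "x") > 0) has_x = 1
                if (f == ("auid>=" min_auid)) has_auid = 1
                if (f == "auid!=unset" || f == "auid!=4294967295") has_unset = 1
            }
            if (has_x && has_auid && has_unset) for (j = 1; j <= n; j++) print paths[j]
        }' | sort -u
}

# Print the binaries listed in file $2 (one per line, as find prints them) that
# have no qualifying rule in $1 for min auid $3; prints nothing when all are covered.
audit_privileged_missing() {
    ap_covered=$(audit_privileged_covered "$1" "$3")
    while IFS= read -r ap_bin; do
        [ -n "$ap_bin" ] || continue
        printf '%s\n' "$ap_covered" | grep -qxF -- "$ap_bin" || printf '%s\n' "$ap_bin"
    done < "$2"
}

# Print the rule lines that would have to be appended for every missing binary.
audit_privileged_rules_needed() {
    audit_privileged_missing "$1" "$2" "$3" | while IFS= read -r ap_bin; do
        printf '%s\n' "-a always,exit -F path=$ap_bin -F perm=x -F auid>=$3 -F auid!=unset -k privileged"
    done
}

# Demo on constructed input: one multi-path rule, one rule lacking execute permission.
ap_rules=$(mktemp); ap_bins=$(mktemp)
cat > "$ap_rules" <<'EOF'
## constructed sample
-a always,exit -F path=/usr/bin/passwd -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=r -F auid>=1000 -F auid!=4294967295 -F key=privileged
EOF
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/chage /usr/bin/newgrp > "$ap_bins"
echo "rules still needed:"
audit_privileged_rules_needed "$ap_rules" "$ap_bins" 1000
rm -f "$ap_rules" "$ap_bins"
```

Because the match on the binary path is a whole-line fixed-string comparison, /usr/bin/su is never mistaken for covered just because a rule names /usr/bin/sudo.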
function perform_audit_rules_privileged_commands_remediation {
#
# Load function arguments into local variables
local tool="$1"
local min_auid="$2"
# Check sanity of the input
if [ $# -ne "2" ]
then
echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'"
echo "Aborting."
exit 1
fi
declare -a files_to_inspect=()
# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
then
echo "Unknown audit rules loading tool: $1. Aborting."
echo "Use either 'auditctl' or 'augenrules'!"
exit 1
# If the audit tool is 'auditctl', then:
# * add '/etc/audit/audit.rules'to the list of files to be inspected,
# * specify '/etc/audit/audit.rules' as the output audit file, where
# missing rules should be inserted
elif [ "$tool" == 'auditctl' ]
then
files_to_inspect=("/etc/audit/audit.rules")
output_audit_file="/etc/audit/audit.rules"
#
# If the audit tool is 'augenrules', then:
# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected
# (split by newline),
# * specify /etc/audit/rules.d/privileged.rules' as the output file, where
# missing rules should be inserted
elif [ "$tool" == 'augenrules' ]
then
readarray -t files_to_inspect < <(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)
output_audit_file="/etc/audit/rules.d/privileged.rules"
fi
# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
readarray -t privileged_binaries < <(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)
# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
declare -a sbinaries_to_skip=()
# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do
# Check if this sbinary wasn't already handled in some of the previous sbinary iterations.
# Match the whole path (-x -F), so that e.g. /usr/bin/su is not skipped merely because
# /usr/bin/sudo has already been handled
if printf '%s\n' "${sbinaries_to_skip[@]}" | grep -qxF -- "$sbinary"
then
# If so, don't process it second time & go to process next sbinary
continue
fi
# Reset the counter of inspected files when starting to check
# presence of existing audit rule for new sbinary
local count_of_inspected_files=0
# Define expected rule form for this binary
expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=unset -k privileged"
# If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
echo "$expected_rule" >> "$output_audit_file"
continue
fi
# Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
sbinary_esc=${sbinary//$'/'/$'\/'}
# For each audit rules file from the list of files to be inspected
for afile in "${files_to_inspect[@]}"
do
# Search current audit rules file's content for match. Match criteria:
# * existing rule is for the same SUID/SGID binary we are currently processing (but
# can contain multiple -F path= elements covering multiple SUID/SGID binaries)
# * existing rule contains all arguments from expected rule form (though can contain
# them in arbitrary order)
base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \
-e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \
-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
-e '/-k \|-F key=/!d' "$afile")
# Increase the count of inspected files for this sbinary
count_of_inspected_files=$((count_of_inspected_files + 1))
# Require execute access type to be set for existing audit rule
exec_access='x'
# Search current audit rules file's content for presence of rule pattern for this sbinary
if [[ $base_search ]]
then
# Current audit rules file already contains rule for this binary =>
# Store the exact form of found rule for this binary for further processing
concrete_rule=$base_search
# Select all other SUID/SGID binaries possibly also present in the found rule
readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
# Separate concrete_rule into three sections using hash '#'
# sign as a delimiter around rule's permission section borders
concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")"
# Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
rule_perm=$(cut -d '#' -f 2 <<< "$concrete_rule")
rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")
# Extract already present exact access type [r|w|x|a] from rule's permission section
access_type=${rule_perm//-F perm=/}
# Verify current permission access type(s) for rule contain 'x' (execute) permission
if ! grep -q "$exec_access" <<< "$access_type"
then
# If not, append the 'x' (execute) permission to the existing access type bits
access_type="$access_type$exec_access"
# Reconstruct the permissions section for the rule
new_rule_perm="-F perm=$access_type"
# Update existing rule in current audit rules file with the new permission section
sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile"
fi
# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
#
# * in the "auditctl" mode of operation insert particular rule each time
# (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
#
# * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
# searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
# in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
#
elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
then
# Check if this sbinary wasn't already handled in some of the previous afile iterations
# (whole-path match, not a prefix match)
if ! printf '%s\n' "${sbinaries_to_skip[@]}" | grep -qxF -- "$sbinary"
then
# Current audit rules file's content doesn't contain expected rule for this
# SUID/SGID binary yet => append it
echo "$expected_rule" >> "$output_audit_file"
fi
continue
fi
done
done
}

# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file: Configuration file that will be modified
# key: Configuration option to change. Search characters in it (such as a
# leading '^' or a trailing '=') are stripped before the key is written out
# value: Value of the configuration option to change
#
# Optional arguments:
#
# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format: The printf-like format string that will be given the stripped key and value as arguments,
# so e.g. '%s=%s' will result in key=value substitution (i.e. without spaces around =).
# The default is '%s = %s', i.e. key = value
#
# Example Call(s):
#
# With default format of 'key = value':
# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
# With custom key/value format:
# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
# With a variable:
# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
local config_file=$1
local key=$2
local value=$3
local cce=$4
local format=$5
if [ "$case_insensitive_mode" = yes ]; then
sed_case_insensitive_option="i"
grep_case_insensitive_option="-i"
fi
[ -n "$format" ] || format="$default_format"
# Check sanity of the input
[ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "$config_file"; then
sed_command+=('--follow-symlinks')
fi
# Treat an empty cce argument or the literal '@CCENUM@' placeholder as "no CCE assigned"
if [ -z "$cce" ] || [ "$cce" = '@CCENUM@' ]; then
cce="CCE"
fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
# shellcheck disable=SC2059
printf -v formatted_output "$format" "$stripped_key" "$value"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
"${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
else
# \n is precaution for case where file ends without trailing newline
printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
printf '%s\n' "$formatted_output" >> "$config_file"
fi
}
edCCE-27268-2notselectedCCE-82054-8notselectednotselectedCCE-80208-2notselectedCCE-27355-7notselectedCCE-81000-2notselectedCCE-82049-8notselectedCCE-82016-7notselectedCCE-82036-5notselectedCCE-27051-2notselectedCCE-80521-8notselectedCCE-80522-6notselectedCCE-80211-6notselectedCCE-27286-4notselectedCCE-27352-4notselectedCCE-27503-2notselectedCCE-80206-6notselectedCCE-27287-2notselectedCCE-82185-0notselectedCCE-80449-2notselectedCCE-27335-9notselectedCCE-27511-5notselectedCCE-27351-6notselectedCCE-82347-6notselectedCCE-80568-9notselectedCCE-80569-7notselectedCCE-80519-2notselectedCCE-80565-5notselectedCCE-80567-1notselectedCCE-80520-0notselectedCCE-81002-8notselectedCCE-80207-4notselectedCCE-80201-7notselectedCCE-27557-8notselectedCCE-80527-5notselectedCCE-80525-9notselectedCCE-80529-1notselectedCCE-80434-4notselectedCCE-80352-8notselectedCCE-80534-1notselectedCCE-80531-7notselectedCCE-82041-5notselectedCCE-80535-8notselectedCCE-80524-2notselectedCCE-80532-5notselectedCCE-80528-3notselectedCCE-80523-4notselectedCCE-80533-3notselectedCCE-80526-7notselectedCCE-80530-9notselectedCCE-80199-3notselectedCCE-80200-9notselectedCCE-80536-6notselectedCCE-80205-8notselectedCCE-80202-5notselectedCCE-80203-3notselectedCCE-80204-1notselectednotselectedCCE-27303-7notselectedCCE-26970-4notselectedCCE-26892-0notselectednotselectednotselectedCCE-27275-7notselectedCCE-82050-6notselectedCCE-82043-1notselectedCCE-82038-1notselectedCCE-80353-6notselectedCCE-26884-7notselectedCCE-82030-8notselectedCCE-27297-1passCCE-27350-8notselectedCCE-27293-0notselectedCCE-27512-3notselectedCCE-82055-5notselectedCCE-27214-6notselectedCCE-82045-6notselectedCCE-82020-9notselectedCCE-27360-7notselectedCCE-27345-8notselectedCCE-27200-5notselectedCCE-27160-1notselectednotselectedCCE-80132-4notselectedCCE-81029-1notselectedCCE-80136-5notselectedCCE-80135-7notselectedCCE-80134-0notselectedCCE-81026-7notselectedCCE-80131-6notselectedCCE-80133-2notselectedCCE-82350-0notselectedCCE-80130-8notselectedCCE-82042-3not
selectedCCE-82022-5notselectedCCE-82031-6notselectedCCE-82032-4notselectedCCE-82025-8notselectedCCE-26639-5notselectedCCE-82051-4notselectedCCE-82195-9notselectedCCE-82037-3notselectedCCE-82192-6notselectedCCE-82052-2notselectedCCE-82029-0notselectedCCE-82021-7notselectedCCE-82040-7notselectedCCE-82048-0notselectedCCE-82033-2notselectedCCE-27498-5notselectedCCE-27277-3notselectedCCE-27194-0notselectedCCE-26960-5notselectedCCE-80143-1notselectedCCE-80142-3notselectedCCE-80141-5notselectedCCE-82169-4notselectedCCE-80139-9notselectedCCE-26548-8notselectedCCE-80140-7notselectedCCE-80137-3notselectedCCE-80138-1notselectedCCE-80154-8notselectedCCE-80149-8notselectedCCE-80151-4notselectedCCE-80145-6notselectedCCE-80146-4notselectedCCE-82079-5notselectedCCE-82148-8notselectedCCE-82064-7notselectednotselectedCCE-82076-1notselectedCCE-81047-3notselectedCCE-82153-8notselectedCCE-80152-2notselectedCCE-80153-0notselectedCCE-80155-5notselectedCCE-82144-7notselectedCCE-82146-2notselectedCCE-82135-5notselectedCCE-82138-9notselectedCCE-80150-6notselectedCCE-81153-9notselectedCCE-81052-3notselectedCCE-80148-0notselectedCCE-80147-2notselectedCCE-82142-1notselectedCCE-82150-4notselectedCCE-81056-4notselectedCCE-81053-1notselectedCCE-82159-5notselectedCCE-81058-0notselectedCCE-27050-4notselectedCCE-27068-6notselectedCCE-82157-9notselectedCCE-82158-7notselectednotselectedCCE-26900-1notselectednotselectedCCE-80169-6notselectedCCE-27116-3notselectedCCE-27099-1notselectedCCE-80659-6notselectedCCE-27211-2notselectedCCE-27127-0notselectedCCE-81042-4notselectedCCE-82954-9notselectedCCE-27407-6notselectedCCE-82156-1notselectedCCE-27212-0notselectedCCE-27331-8notselectedCCE-80540-8notselectedCCE-82356-7notselectedCCE-80541-6notselectedCCE-82359-1notselectedCCE-80538-2notselectednotselectedCCE-27319-3notselectedCCE-80537-4notselectedCCE-27394-6notselectedCCE-27375-5notselectedCCE-27341-7notselectedCCE-27370-6notselectedCCE-27231-0notselectedCCE-82355-9notselectedCCE-80646-3notselectedCCE-82358-3n
otselectedCCE-27348-2notselectedCCE-80539-0notselectedCCE-82357-5notselectednotselectedCCE-27461-3notselectedCCE-27076-9notselectedCCE-27192-4notselectednotselectednotselectedCCE-27301-1notselectednotselectednotselectednotselectednotselectednotselectedCCE-27097-5notselectednotselectedCCE-80431-0notselectednotselectednotselectedCCE-82071-2notselectedCCE-27447-2notselectedCCE-80430-2notselectedCCE-80125-8notselectedCCE-27168-4notselectedCCE-80997-0notselectedCCE-27205-4notselectedCCE-80432-8notselectednotselectednotselectedCCE-80435-1notselectedCCE-80433-6notselectedCCE-27129-6notselectedCCE-80547-3notselectedCCE-80414-6notselectedCCE-80415-3notselectedCCE-27204-7notselectedCCE-80384-1notselectedCCE-80383-3notselectedCCE-80994-7notselectedCCE-27299-7notselectedCCE-27216-1notselectedCCE-27310-2notselectedCCE-27219-5notselectedCCE-27290-6notselectedCCE-27356-5notselectedCCE-27213-8notselectedCCE-27364-9notselectedCCE-27387-0notselectedCCE-27339-1notselectedCCE-27367-2notselectedCCE-27353-2notselectedCCE-27280-7notselectedCCE-27393-8notselectedCCE-27083-5notselectedCCE-27389-6notselectedCCE-27388-8notselectedCCE-27410-0notselectedCCE-82094-4notselectedCCE-82082-9notselectedCCE-81143-0notselectedCCE-81086-1notselectedCCE-81121-6notselectedCCE-81084-6notselectedCCE-81115-8notselectedCCE-82097-7notselectedCCE-81078-8notselectedCCE-82112-4notselectedCCE-80389-0notselectedCCE-81098-6notselectedCCE-81082-0notselectedCCE-81080-4notselectedCCE-81090-3notselectedCCE-81092-9notselectedCCE-82121-5notselectedCCE-80387-4notselectedCCE-82127-2notselectedCCE-81123-2notselectedCCE-82109-0notselectedCCE-82088-6notselectedCCE-81100-0notselectedCCE-80385-8notselectedCCE-82103-3notselectedCCE-81119-0notselectedCCE-81102-6notselectedCCE-82124-9notselectedCCE-81106-7notselectedCCE-82106-6notselectedCCE-81146-3notselectedCCE-81096-0notselectedCCE-82012-6notselectednotselectednotselectedCCE-80386-6notselectedCCE-82115-7notselectedCCE-81094-5notselectedCCE-82004-3notselectedCCE-82130-6notselecte
dCCE-81117-4notselectedCCE-80388-2notselectedCCE-82001-9notselectedCCE-80390-8notselectednotselectedCCE-81127-3notselectedCCE-81149-7notselectedCCE-82085-2notselectedCCE-81140-6notselectedCCE-82133-0notselectedCCE-81104-2notselectedCCE-82091-0notselectedCCE-82009-2notselectedCCE-81137-2notselectedCCE-82118-1notselectedCCE-27347-4notselectedCCE-81088-7notselectedCCE-81125-7notselectedCCE-81134-9notselectedCCE-81108-3notselectedCCE-81131-5notselectedCCE-82100-9notselectedCCE-82362-5notselectedCCE-80660-4notselectedCCE-80392-4notselectedCCE-80391-6notselectedCCE-80393-2notselectedCCE-80394-0notselectedCCE-80412-0notselectedCCE-80662-0notselectedCCE-27206-2notselectedCCE-80995-4notselectedCCE-80413-8notselectedCCE-80996-2notselectedCCE-80395-7notselectedCCE-80401-3notselectedCCE-82074-6notselectedCCE-80406-2notselectedCCE-80404-7notselectedCCE-82200-7notselectedCCE-80397-3notselectedCCE-80398-1notselectedCCE-80399-9notselectedCCE-81060-6notselectedCCE-80411-2notselectedCCE-80410-4notselectedCCE-80405-4notselectedCCE-80396-5notselectedCCE-80409-6notselectedCCE-80408-8notselectedCCE-80402-1notselectedCCE-81064-8notselectedCCE-81070-5notselectedCCE-80407-0notselectedCCE-27437-3notselectedCCE-80400-5notselectedCCE-80403-9notselectedCCE-82370-8notselectedCCE-82348-4notselectedCCE-81004-4notselectedCCE-27446-4notselectednotselectednotselectedCCE-80544-0notselectedCCE-80370-0notselectedCCE-80113-4notselectedCCE-80114-2notselectedCCE-80371-8notselectednotselectedCCE-80111-8notselectednotselectedCCE-80110-0notselectedCCE-80563-0notselectednotselectednotselectednotselectedCCE-80112-6notselectedCCE-80564-8notselectednotselectednotselectedCCE-80123-3notselectedCCE-80122-5notselectedCCE-80117-5notselectednotselectednotselectednotselectedCCE-80124-1notselectedCCE-80116-7notselectedCCE-80115-9notselectedCCE-80108-4notselectedCCE-80107-6notselectednotselectedCCE-80104-3notselectedCCE-80109-2notselectedCCE-80106-8notselectednotselectedCCE-80105-0notselectedCCE-80118-3notselectednotselec
tednotselectednotselectedCCE-80119-1notselectedCCE-80121-7notselectedCCE-80120-9notselectedCCE-82213-0notselectedCCE-82349-2notselectedCCE-80350-2notselectedCCE-80351-0notselectedCCE-82278-3notselectedCCE-82990-3notselectedCCE-82980-4notselectedCCE-82957-2notselectedCCE-82951-5notselectedCCE-82966-3notselectedCCE-82969-7notselectednotselectednotselectedCCE-82219-7notselectedCCE-82638-8notselectedCCE-82996-0notselectedCCE-82911-9notselectedCCE-82917-6notselectedCCE-82930-9notselectedCCE-82937-4notselectedCCE-82927-5notselectedCCE-82947-3notselectedCCE-82914-3notselectedCCE-82940-8notselectedCCE-82944-0notselectedCCE-82920-0notselectedCCE-82908-5notselectedCCE-82905-1notselectedCCE-82924-2notselectedCCE-27078-5notselectedCCE-80358-5notselectednotselectedCCE-80359-3notselectednotselectednotselectedCCE-82371-6notselectedCCE-80657-0notselectednotselectedCCE-27140-3notselectedCCE-26818-5notselectedCCE-80128-2notselectedCCE-80367-6notselectedCCE-80129-0notselectedCCE-80127-4notselectedCCE-80369-2notselectedCCE-80126-6notselectedCCE-80368-4notselectedCCE-27209-6notselectedCCE-80545-7notselectedCCE-27157-7notselectedCCE-27096-7notselectedCCE-80376-7notselectedCCE-80375-9notselectedCCE-80377-5notselectedCCE-80374-2notselectedCCE-26952-2notselectedCCE-27220-3notselectedCCE-26876-3notselectedCCE-26895-3notselectedCCE-26957-1notselectedCCE-80348-6notselectedCCE-80346-0notselectedCCE-26989-4notselectedCCE-80347-8notselectedCCE-27128-8notselectedCCE-80144-9notselectednotselectedCCE-82353-4notselectedCCE-82014-2notselectedCCE-82053-0notselectedCCE-82035-7notselectedCCE-82034-0notselectedCCE-27274-0notselectedCCE-27342-5notselectedCCE-27336-7notselectedCCE-27337-5notselectedCCE-27408-4notselectedCCE-80513-5notselectedCCE-80514-3notselectedCCE-27406-8notselectedCCE-27305-2notselectedCCE-27165-0notselectedCCE-27401-9notselectedCCE-27396-1notselectedCCE-27399-5notselectedCCE-27385-4notselectedCCE-80443-5notselectedCCE-80213-2notselectedCCE-80212-4notselectedCCE-80214-0notselectedCCE-27
361-5notselectedCCE-27354-0notselectedCCE-27443-1notselectedCCE-27432-4notselectedCCE-27210-4notselectedCCE-82751-9notselectednotselectedCCE-80248-8notselectedCCE-80247-0notselectedCCE-80250-4notselectedCCE-80251-2notselectedCCE-80249-6notselectednotselectedCCE-80246-2notselectedCCE-80245-4notselectedCCE-80244-7notselectedCCE-80276-9notselectedCCE-82732-9notselectedCCE-27386-2notselectedCCE-80275-1notselectedCCE-80274-4notselectednotselectedCCE-27323-5notselectednotselectedCCE-80345-2notselectedCCE-80344-5notselectedCCE-82217-1notselectedCCE-82270-0notselectedCCE-82208-0notselectedCCE-82232-0notselectedCCE-82222-1notselectedCCE-82229-6notselectedCCE-82242-9notselectedCCE-82239-5notselectedCCE-82205-6notselectedCCE-82265-0notselectedCCE-82259-3notselectedCCE-82262-7notselectedCCE-82276-7notselectedCCE-82226-2notselectedCCE-82250-2notselectedCCE-82236-1notselectedCCE-82255-1notselectedCCE-82246-0notselectedCCE-80379-1notselectedCCE-80378-3notselectedCCE-27218-7notselectedCCE-27285-6notselectedCCE-27594-1notselectedCCE-27191-6notselectedCCE-80327-0notselectedCCE-80329-6notselectedCCE-80328-8notselectedCCE-80326-2notselectedCCE-80325-4notselectedCCE-80293-4notselectedCCE-80291-8notselectedCCE-80292-6notselectedCCE-80448-4notselectedCCE-80288-4notselectedCCE-80287-6notselectedCCE-82380-7notselectedCCE-80289-2notselectednotselectedCCE-80290-0notselectedCCE-80512-7notselectedCCE-80278-5notselectedCCE-80277-7notselectedCCE-80360-1notselectedCCE-80279-3notselectedCCE-80280-1notselectedCCE-80281-9notselectedCCE-82960-6notselectedCCE-80301-5notselectedCCE-80300-7notselectedCCE-81130-7notselectednotselectednotselectedCCE-80551-5notselectednotselectednotselectedCCE-80548-1notselectednotselectednotselectedCCE-80549-9notselectedCCE-80550-7notselectednotselectedCCE-80302-3notselectedCCE-80303-1notselectednotselectedCCE-80561-4notselectednotselectedCCE-80562-2notselectedCCE-80322-1notselectedCCE-80382-5notselectedCCE-80323-9notselectedCCE-80381-7notselectedCCE-80324-7notselectedCCE-
80321-3notselectedCCE-80558-0notselectedCCE-80557-2notselectedCCE-80559-8notselectedCCE-80320-5notselectedCCE-80317-1notselectedCCE-80318-9notselectedCCE-80316-3notselectedCCE-80554-9notselectedCCE-80553-1notselectedCCE-80556-4notselectedCCE-80319-7notselectedCCE-80555-6notselectedCCE-80306-4notselectedCCE-80308-0notselectedCCE-80304-9notselectedCCE-80310-6notselectedCCE-80312-2notselectedCCE-80315-5notselectedCCE-80309-8notselectedCCE-80313-0notselectedCCE-80305-6notselectedCCE-80314-8notselectedCCE-80311-4notselectedCCE-80307-2notselectedCCE-80552-3notselectedCCE-80560-6notselectednotselectednotselectednotselectednotselectednotselectednotselectednotselectedCCE-82993-7notselectedCCE-80362-7notselectedCCE-80363-5notselectedCCE-80364-3notselectedCCE-80437-7notselectedCCE-80570-5notselectedCCE-80365-0notselectedCCE-80366-8notselectedCCE-80515-0notselectedCCE-80546-5notselectedCCE-80516-8notselectednotselectednotselectedCCE-27444-9notselectednotselectedCCE-27012-4notselectednotselectedCCE-80439-3notselectedCCE-27278-1notselectednotselectednotselectednotselectedCCE-82403-7notselectedCCE-81040-8notselectedCCE-80265-2notselectedCCE-80257-9notselectedCCE-80255-3notselectedCCE-80260-3notselectedCCE-80252-0notselectedCCE-80258-7notselectedCCE-80261-1notselectedCCE-80253-8notselectedCCE-80267-8notselectedCCE-80269-4notselectedCCE-80259-5notselectedCCE-80263-7notselectedCCE-80272-8notselectedCCE-80266-0notselectedCCE-82027-4notselectednotselectedCCE-80256-1notselectedCCE-80271-0notselectedCCE-80254-6notselectedCCE-80262-9notselectedCCE-80268-6notselectedCCE-80270-2notselectedCCE-80264-5notselectedCCE-80273-6notselectedCCE-80215-7notselectednotselectedCCE-80216-5notselectedCCE-80217-3notselectedCCE-82899-6notselectedCCE-80218-1notselectedCCE-27311-0notselectedCCE-82902-8notselectedCCE-27485-2notselectedCCE-82895-4notselectednotselectedCCE-82364-1notselectedCCE-80372-6notselectedCCE-27471-2notselectedCCE-27082-7notselectedCCE-80373-4notselectedCCE-80219-9notselectedCCE-27314-4no
tselectednotselectednotselectedCCE-27455-5notselectedCCE-80645-5notselectedCCE-80221-5notselectedCCE-27320-1notselectedCCE-27377-1notselectedCCE-27433-2notselectedCCE-27363-1notselectedCCE-82344-3notselectedCCE-80226-4notselectedCCE-27295-5notselectedCCE-27413-4notselectedCCE-80361-9notselectedCCE-82354-2notselectedCCE-82419-3notselectednotselectedCCE-80222-3notselectedCCE-80223-1notselectedCCE-80225-6notselectedCCE-82363-3notselectedCCE-80220-7notselectedCCE-80224-9notselectedCCE-27445-6notselectedCCE-80337-9notselectedCCE-80336-1notselectedCCE-80333-8notselectedCCE-80332-0notselectednotselectedCCE-80334-6notselectedCCE-80331-2notselectedCCE-80330-4notselectednotselectedCCE-80298-3notselectedCCE-80299-1notselectedCCE-80296-7notselectedCCE-80297-5notselectedCCE-80295-9notselectedCCE-80294-2notselectednotselectedCCE-82461-5notselectednotselectednotselectednotselectedCCE-82933-3notselectedCCE-80241-3notselectedCCE-80242-1notselectednotselectedCCE-80243-9notselectedCCE-27464-7notselectedCCE-80228-0notselectedCCE-80231-4notselectedCCE-80229-8notselectedCCE-80230-6notselectednotselectedCCE-80232-2notselectedCCE-80233-0notselectedCCE-80234-8notselectedCCE-80235-5notselectedCCE-27458-9notselectedCCE-80436-9notselectedCCE-80240-5notselectedCCE-80239-7notselectedCCE-80237-1notselectedCCE-80238-9notselectedCCE-80236-3notselectedCCE-80282-7notselectedCCE-80283-5notselectedCCE-80284-3notselectednotselectedCCE-80440-1notselectedCCE-80441-9notselectedCCE-80442-7notselectedCCE-80338-7notselectedCCE-80340-3notselectedCCE-82369-0notselectedCCE-80339-5notselectedCCE-80341-1notselectedCCE-80343-7notselectedCCE-80286-8notselectedCCE-80285-0100.000000