~/f/scap-security-guide/RPMS.2017 ~/f/scap-security-guide
~/f/scap-security-guide
RPMS.2017/scap-security-guide-0.1.61-0.0.noarch.rpm RPMS/scap-security-guide-0.1.61-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-0.1.61-0.0.noarch.rpm to scap-security-guide-0.1.61-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide
--- old-rpm-tags
+++ new-rpm-tags
@@ -244,25 +244,25 @@
/usr/share/xml/scap/ssg/content 0
/usr/share/xml/scap/ssg/content/ssg-opensuse-cpe-dictionary.xml e74fe69303dc5c832394ad561fca005b8c51dd5e2f1fc6c1226c01adcdc41555 0
/usr/share/xml/scap/ssg/content/ssg-opensuse-cpe-oval.xml 33243cff2df0cf08a70b59e81740e2e26f21815b17e83c934b4d8703e2552d4c 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml f82ea40f59509246b9d16c65228539b6ed21b800ce16ecd1cf79e214f4b00297 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 860555a32bae42e413dee0111b87ac709906cc0fed103154e86f7a9257692262 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 1f18f5b673285bd7639bd78ae9d9ef2e5f9e9e8b15999512ebec35f468a688c8 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 6ca11b1bb2ec79af1e35be0440789d8ccff46159d3779f3e2546bd33d7f55949 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml e2c109d202172504b31746575902e9667510575f4825bfe94381c79a26302304 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml b15ea41ab85139bb4321904b1c28ecf024e826a36b547e319d892e74864001f7 0
/usr/share/xml/scap/ssg/content/ssg-opensuse-oval.xml 88b7550c60a125be148293dd73c9cb595721f2f5cb86226388813def51e49fbb 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 56bbd92f5385b95dbc64a33f725360dcdaa6e950b6b41f4edf3e2506463b236f 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 48c4deb627be028a5c2fe2bdf3d288bb59a36fcd77b057c0c05546e91078821e 0
/usr/share/xml/scap/ssg/content/ssg-sle12-cpe-dictionary.xml 87cbf0ec173473eb057058a903543caf888104c4d8b57fc5bcf33a5a0436e5c4 0
/usr/share/xml/scap/ssg/content/ssg-sle12-cpe-oval.xml 7b0f3cc469e8dc66d3cdd409931c2e8513813795ec1cea2a2090b30661c307d5 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 457a23b3004040e7457b5e8636c2070025f6570269a6cb18d8d45c61e5cdf3ed 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml bc5474071ee4db970e636a4548e2dd2e3c0d54a912ce820c3831c0813fc395ff 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml c354bd077256c7eb0053e36dc9d80422841dd6f561481d50bf296e5a61fbd1d4 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml d3baa4d473a003270fb88ef0ee2a511bcbc6aef83f8f959214990903da19b9ec 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 3ab787b60fa7078658e3eecab890d47c0d28c395da9fa78cd29ad63e20328e80 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml fdd6647b262a5e90067ff5100ab82907c6bbdfd51106d69fd81283c47de0700d 0
/usr/share/xml/scap/ssg/content/ssg-sle12-oval.xml 5d9dd540c2d51ae7ad75ce9106605c4b5292c9656d22b02764dc51ab48a80751 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 9a643517f959b23e8b59dde1469c1f7d38d8f2ad9b8290577be67cc2d4e978df 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 7ece6292ac090e72887740915421c8c8170b30ec4c8ff628d4f3b5722041b7a4 0
/usr/share/xml/scap/ssg/content/ssg-sle15-cpe-dictionary.xml ac6771fb31b41063b1f22199798b68efe280ec48843a41fe8eceac8d4f9cc915 0
/usr/share/xml/scap/ssg/content/ssg-sle15-cpe-oval.xml 81dffa610ef824a0241e899425bd57a70b09c7b3f5f137cf86e570aeffae2f0e 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 80037f59836df811ffb3b77507a7b6b76356b120003c3b3d90faa422325433ef 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml ad0190e7f5fb8aed0885e9821459d04a471a32a5033334b01ec2e7097962f9ec 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml a7d9a04832291f50ee8cd4d31b8e0379d7b3a27ed60ea360876cd1c823b53dd2 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 1dfc5143d22e988ff7b3be8f29f34c13cdec08cd922e023a99bfe265e0160814 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 75c3872587728548d1b2e9bfc26af921e0195f18bb14fb9cadcf1de5377a1ef9 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml a69a7d549c8b66ed5cdf6904c1b15b36bc7c2c8a99e50ebad74071f6a26e7337 0
/usr/share/xml/scap/ssg/content/ssg-sle15-oval.xml fb61d2717a307c299dd56287c93d97c23f63ea5d6f7077a22920777a7d95ad9a 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 51e4709da6a05259322d18cfdd2a6be5a478811b4332cbe81aaeaae7f1b80d83 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml d92b3122096348462588d6392cbd928e6026047b4e09d4a7d939a0896840c405 0
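Review bot: Both packages carry the same version and release (0.1.61-0.0), yet the digests of the ds-1.2, ds, ocil and xccdf files differ for opensuse, sle12 and sle15. The build is therefore not reproducible, and the shipped compliance content cannot be confirmed by comparing hashes against an independent rebuild. The cpe-dictionary, cpe-oval and oval digests are unchanged in the same hunk, which narrows the variation to whatever generates the OCIL and XCCDF documents; the two datastream files presumably differ only because they embed those. Recording that in the triage for this comparison would point the fix at the content generator rather than at the packaging step.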
___QF_CHECKSUM___
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
@@ -13579,256 +13579,250 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
-
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
-
-
- Verify Permissions on Backup group File
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Enable rsyslog Service
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Disable storing core dump
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Verify User Who Owns group File
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Enable the NTP Daemon
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Ensure No World-Writable Files Exist
+
+ The Chronyd service is enabled
- ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Enable syslog-ng Service
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Configure Polyinstantiation of /tmp Directories
+
+ Ensure rsyslog is Installed
- ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Only the VDSM User Can Use sudo NOPASSWD
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
-
- Force frequent session key renegotiation
+
+ Disable Host-Based Authentication
- ocil:ssg-sshd_rekey_limit_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Configure auditd mail_acct Action on Low Disk Space
+
+ Ensure Log Files Are Owned By Appropriate Group
- ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
+ ocil:ssg-rsyslog_files_groupownership_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Remove the OpenSSH Client and Server Package
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-package_openssh_removed_action:testaction:1
-
- Disable SSH Access via Empty Passwords
+
+ Record Events that Modify the System's Discretionary Access Controls - fchown
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1
-
- Don't define allowed commands in sudoers by means of exclusion
+
+ Ensure syslog-ng is Installed
- ocil:ssg-sudoers_no_command_negation_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Verify Permissions on Backup passwd File
+
+ Set SSH Client Alive Count Max
- ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Only the VDSM User Can Use sudo NOPASSWD
+
+ Explicit arguments in sudo specifications
- ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
+ ocil:ssg-sudoers_explicit_command_args_action:testaction:1
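Review bot: The removed and added lines are the same kind of OCIL questionnaire title and `ocil:ssg-…_action:testaction:1` reference in a different order; for example `ocil:ssg-sudoers_no_command_negation_action:testaction:1` and `ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1` appear on both sides. The `2022-04-04T00:00:00` timestamp is a context line, so the difference looks like unordered emission rather than a leaked build time. The generator should sort questionnaires and test actions by id before serialising; the same pattern repeats in the ssg-opensuse-ds.xml, ssg-opensuse-ocil.xml and ssg-sle12-* hunks below. This hunk is 256 old lines against 250 new, and it is truncated and stripped of markup on this page, so confirm that both files hold the same set of ids before treating the change as ordering only.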
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-04-04 00:00:00.000000000 +0000
@@ -13579,256 +13579,250 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
-
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
-
-
- Verify Permissions on Backup group File
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Enable rsyslog Service
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Disable storing core dump
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Verify User Who Owns group File
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Enable the NTP Daemon
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Ensure No World-Writable Files Exist
+
+ The Chronyd service is enabled
- ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Enable syslog-ng Service
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Configure Polyinstantiation of /tmp Directories
+
+ Ensure rsyslog is Installed
- ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Only the VDSM User Can Use sudo NOPASSWD
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
-
- Force frequent session key renegotiation
+
+ Disable Host-Based Authentication
- ocil:ssg-sshd_rekey_limit_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Configure auditd mail_acct Action on Low Disk Space
+
+ Ensure Log Files Are Owned By Appropriate Group
- ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
+ ocil:ssg-rsyslog_files_groupownership_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Remove the OpenSSH Client and Server Package
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-package_openssh_removed_action:testaction:1
-
- Disable SSH Access via Empty Passwords
+
+ Record Events that Modify the System's Discretionary Access Controls - fchown
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1
-
- Don't define allowed commands in sudoers by means of exclusion
+
+ Ensure syslog-ng is Installed
- ocil:ssg-sudoers_no_command_negation_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Verify Permissions on Backup passwd File
+
+ Set SSH Client Alive Count Max
- ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Only the VDSM User Can Use sudo NOPASSWD
+
+ Explicit arguments in sudo specifications
- ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
+ ocil:ssg-sudoers_explicit_command_args_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-04-04 00:00:00.000000000 +0000
@@ -7,256 +7,250 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
-
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
-
-
- Verify Permissions on Backup group File
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Enable rsyslog Service
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Disable storing core dump
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Verify User Who Owns group File
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Enable the NTP Daemon
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Ensure No World-Writable Files Exist
+
+ The Chronyd service is enabled
- ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Enable syslog-ng Service
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Configure Polyinstantiation of /tmp Directories
+
+ Ensure rsyslog is Installed
- ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Only the VDSM User Can Use sudo NOPASSWD
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
-
- Force frequent session key renegotiation
+
+ Disable Host-Based Authentication
- ocil:ssg-sshd_rekey_limit_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Configure auditd mail_acct Action on Low Disk Space
+
+ Ensure Log Files Are Owned By Appropriate Group
- ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
+ ocil:ssg-rsyslog_files_groupownership_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Remove the OpenSSH Client and Server Package
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-package_openssh_removed_action:testaction:1
-
- Disable SSH Access via Empty Passwords
+
+ Record Events that Modify the System's Discretionary Access Controls - fchown
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1
-
- Don't define allowed commands in sudoers by means of exclusion
+
+ Ensure syslog-ng is Installed
- ocil:ssg-sudoers_no_command_negation_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Verify Permissions on Backup passwd File
+
+ Set SSH Client Alive Count Max
- ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Only the VDSM User Can Use sudo NOPASSWD
+
+ Explicit arguments in sudo specifications
- ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
+ ocil:ssg-sudoers_explicit_command_args_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-04-04 00:00:00.000000000 +0000
@@ -43,24 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -68,54 +68,54 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
@@ -25960,3172 +25960,3172 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify User/Group Information - /etc/gshadow
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Verify User Who Owns /etc/cron.allow file
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-file_owner_cron_allow_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify Permissions on Backup group File
+
+ Configure Notification of Post-AIDE Scan Details
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-aide_scan_notification_action:testaction:1
-
- Enable rsyslog Service
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Disable storing core dump
+
+ Record Unsuccessful Access Attempts to Files - open
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Verify User Who Owns group File
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Verify Permissions and Ownership of Old Passwords File
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-file_etc_security_opasswd_action:testaction:1
-
- Configure AIDE to Verify Extended Attributes
+
+ Only Authorized Local User Accounts Exist on Operating System
- ocil:ssg-aide_verify_ext_attributes_action:testaction:1
+ ocil:ssg-accounts_authorized_local_users_action:testaction:1
-
- Enable GNOME3 Screensaver Lock After Idle Period
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Verify Group Who Owns SSH Server config file
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_groupowner_sshd_config_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Set Deny For Failed Password Attempts
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Install iptables Package
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-package_iptables_installed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Verify Group Who Owns cron.hourly
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-file_groupowner_cron_hourly_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Enable the NTP Daemon
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Ensure gpgcheck Enabled for All zypper Package Repositories
+
+ The Chronyd service is enabled
- ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Disable Kernel Parameter for IPv6 Forwarding by default
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - rmmod
- ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Record Events that Modify User/Group Information - /etc/gshadow
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
-
- Verify that system commands directories have root ownership
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-dir_system_commands_root_owned_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Policy Requires Immediate Change of Temporary Passwords
+
+ Ensure rsyslog is Installed
- ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Ensure No World-Writable Files Exist
+
+ Remove User Host-Based Authentication Files
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-04-04 00:00:00.000000000 +0000
@@ -25962,3172 +25962,3172 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify User/Group Information - /etc/gshadow
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Verify User Who Owns /etc/cron.allow file
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-file_owner_cron_allow_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify Permissions on Backup group File
+
+ Configure Notification of Post-AIDE Scan Details
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-aide_scan_notification_action:testaction:1
-
- Enable rsyslog Service
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Disable storing core dump
+
+ Record Unsuccessful Access Attempts to Files - open
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Verify User Who Owns group File
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Verify Permissions and Ownership of Old Passwords File
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-file_etc_security_opasswd_action:testaction:1
-
- Configure AIDE to Verify Extended Attributes
+
+ Only Authorized Local User Accounts Exist on Operating System
- ocil:ssg-aide_verify_ext_attributes_action:testaction:1
+ ocil:ssg-accounts_authorized_local_users_action:testaction:1
-
- Enable GNOME3 Screensaver Lock After Idle Period
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Verify Group Who Owns SSH Server config file
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_groupowner_sshd_config_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Set Deny For Failed Password Attempts
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Install iptables Package
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-package_iptables_installed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Verify Group Who Owns cron.hourly
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-file_groupowner_cron_hourly_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Enable the NTP Daemon
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Ensure gpgcheck Enabled for All zypper Package Repositories
+
+ The Chronyd service is enabled
- ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Disable Kernel Parameter for IPv6 Forwarding by default
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - rmmod
- ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Record Events that Modify User/Group Information - /etc/gshadow
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
-
- Verify that system commands directories have root ownership
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-dir_system_commands_root_owned_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Policy Requires Immediate Change of Temporary Passwords
+
+ Ensure rsyslog is Installed
- ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Ensure No World-Writable Files Exist
+
+ Remove User Host-Based Authentication Files
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-04-04 00:00:00.000000000 +0000
@@ -7,3172 +7,3172 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify User/Group Information - /etc/gshadow
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Verify User Who Owns /etc/cron.allow file
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-file_owner_cron_allow_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify Permissions on Backup group File
+
+ Configure Notification of Post-AIDE Scan Details
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-aide_scan_notification_action:testaction:1
-
- Enable rsyslog Service
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Disable storing core dump
+
+ Record Unsuccessful Access Attempts to Files - open
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Verify User Who Owns group File
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Verify Permissions and Ownership of Old Passwords File
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-file_etc_security_opasswd_action:testaction:1
-
- Configure AIDE to Verify Extended Attributes
+
+ Only Authorized Local User Accounts Exist on Operating System
- ocil:ssg-aide_verify_ext_attributes_action:testaction:1
+ ocil:ssg-accounts_authorized_local_users_action:testaction:1
-
- Enable GNOME3 Screensaver Lock After Idle Period
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Verify Group Who Owns SSH Server config file
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_groupowner_sshd_config_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Set Deny For Failed Password Attempts
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Install iptables Package
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-package_iptables_installed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Verify Group Who Owns cron.hourly
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-file_groupowner_cron_hourly_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Enable the NTP Daemon
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Ensure gpgcheck Enabled for All zypper Package Repositories
+
+ The Chronyd service is enabled
- ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Disable Kernel Parameter for IPv6 Forwarding by default
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - rmmod
- ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Record Events that Modify User/Group Information - /etc/gshadow
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
-
- Verify that system commands directories have root ownership
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-dir_system_commands_root_owned_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Policy Requires Immediate Change of Temporary Passwords
+
+ Ensure rsyslog is Installed
- ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Ensure No World-Writable Files Exist
+
+ Remove User Host-Based Authentication Files
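Review bot: The entries in this hunk look reordered rather than changed: `ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1` is removed near the top and added again further down, and the header reports 3172 lines on both sides. Both packages carry the same version and the same file timestamps, so this is probably unstable emission order in whatever generates the OCIL document; the generator is not visible here, so that needs confirming. Writing the questionnaire and test-action entries sorted by id would keep this file, and the digests in the rpm tag listing, identical across rebuilds, which is what lets a consumer verify the shipped benchmark by hash. The ssg-sle15-ds-1.2.xml, ssg-sle15-ds.xml and ssg-sle15-ocil.xml hunks show the same pattern with the same id. The comparison output shows only the start of this hunk, so the remainder of the 3172 lines is unchecked.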
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-04-04 00:00:00.000000000 +0000
@@ -43,29 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -73,40 +68,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
-
-
+
-
+
@@ -114,24 +108,30 @@
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
@@ -29898,3700 +29898,3700 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify User/Group Information - /etc/gshadow
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify User Who Owns /etc/cron.allow file
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-file_owner_cron_allow_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Verify Permissions on Backup group File
+
+ Record Unsuccessful Access Attempts to Files - open
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1
-
- Enable rsyslog Service
+
+ Verify User Who Owns group File
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Disable storing core dump
+
+ Ensure the Default C Shell Umask is Set Correctly
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Verify Permissions and Ownership of Old Passwords File
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-file_etc_security_opasswd_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Use Only FIPS 140-2 Validated MACs
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1
-
- Record Attempts to Alter Process and Session Initiation Information wtmp
+
+ Only Authorized Local User Accounts Exist on Operating System
- ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1
+ ocil:ssg-accounts_authorized_local_users_action:testaction:1
-
- Configure AIDE to Verify Extended Attributes
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-aide_verify_ext_attributes_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Enable GNOME3 Screensaver Lock After Idle Period
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Verify Group Who Owns SSH Server config file
+
+ Set Deny For Failed Password Attempts
- ocil:ssg-file_groupowner_sshd_config_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1
-
- Verify that Interactive Boot is Disabled
+
+ Install iptables Package
- ocil:ssg-grub2_disable_interactive_boot_action:testaction:1
+ ocil:ssg-package_iptables_installed_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Enable the NTP Daemon
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Verify Group Who Owns cron.hourly
+
+ The Chronyd service is enabled
- ocil:ssg-file_groupowner_cron_hourly_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - rmmod
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1
-
- Ensure gpgcheck Enabled for All zypper Package Repositories
+
+ Record Events that Modify User/Group Information - /etc/gshadow
- ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
-
- Disable Kernel Parameter for IPv6 Forwarding by default
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure rsyslog is Installed
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-04-04 00:00:00.000000000 +0000
@@ -29900,3700 +29900,3700 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify User/Group Information - /etc/gshadow
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify User Who Owns /etc/cron.allow file
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-file_owner_cron_allow_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Verify Permissions on Backup group File
+
+ Record Unsuccessful Access Attempts to Files - open
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1
-
- Enable rsyslog Service
+
+ Verify User Who Owns group File
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Disable storing core dump
+
+ Ensure the Default C Shell Umask is Set Correctly
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Verify Permissions and Ownership of Old Passwords File
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-file_etc_security_opasswd_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Use Only FIPS 140-2 Validated MACs
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1
-
- Record Attempts to Alter Process and Session Initiation Information wtmp
+
+ Only Authorized Local User Accounts Exist on Operating System
- ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1
+ ocil:ssg-accounts_authorized_local_users_action:testaction:1
-
- Configure AIDE to Verify Extended Attributes
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-aide_verify_ext_attributes_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Enable GNOME3 Screensaver Lock After Idle Period
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Verify Group Who Owns SSH Server config file
+
+ Set Deny For Failed Password Attempts
- ocil:ssg-file_groupowner_sshd_config_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1
-
- Verify that Interactive Boot is Disabled
+
+ Install iptables Package
- ocil:ssg-grub2_disable_interactive_boot_action:testaction:1
+ ocil:ssg-package_iptables_installed_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Enable the NTP Daemon
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Verify Group Who Owns cron.hourly
+
+ The Chronyd service is enabled
- ocil:ssg-file_groupowner_cron_hourly_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - rmmod
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1
-
- Ensure gpgcheck Enabled for All zypper Package Repositories
+
+ Record Events that Modify User/Group Information - /etc/gshadow
- ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
-
- Disable Kernel Parameter for IPv6 Forwarding by default
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure rsyslog is Installed
/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-04-04 00:00:00.000000000 +0000
@@ -7,3700 +7,3700 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Record Events that Modify User/Group Information - /etc/gshadow
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify User Who Owns /etc/cron.allow file
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-file_owner_cron_allow_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Verify Permissions on Backup group File
+
+ Record Unsuccessful Access Attempts to Files - open
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1
-
- Enable rsyslog Service
+
+ Verify User Who Owns group File
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Disable storing core dump
+
+ Ensure the Default C Shell Umask is Set Correctly
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Verify Permissions and Ownership of Old Passwords File
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-file_etc_security_opasswd_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Use Only FIPS 140-2 Validated MACs
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1
-
- Record Attempts to Alter Process and Session Initiation Information wtmp
+
+ Only Authorized Local User Accounts Exist on Operating System
- ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1
+ ocil:ssg-accounts_authorized_local_users_action:testaction:1
-
- Configure AIDE to Verify Extended Attributes
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-aide_verify_ext_attributes_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Enable GNOME3 Screensaver Lock After Idle Period
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Verify Group Who Owns SSH Server config file
+
+ Set Deny For Failed Password Attempts
- ocil:ssg-file_groupowner_sshd_config_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1
-
- Verify that Interactive Boot is Disabled
+
+ Install iptables Package
- ocil:ssg-grub2_disable_interactive_boot_action:testaction:1
+ ocil:ssg-package_iptables_installed_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Enable the NTP Daemon
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Verify Group Who Owns cron.hourly
+
+ The Chronyd service is enabled
- ocil:ssg-file_groupowner_cron_hourly_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - rmmod
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1
-
- Ensure gpgcheck Enabled for All zypper Package Repositories
+
+ Record Events that Modify User/Group Information - /etc/gshadow
- ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1
-
- Disable Kernel Parameter for IPv6 Forwarding by default
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure rsyslog is Installed
/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-04-04 00:00:00.000000000 +0000
@@ -43,29 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -73,40 +68,44 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
-
-
+
-
+
+
+
+
+
+
@@ -114,39 +113,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
RPMS.2017/scap-security-guide-debian-0.1.61-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.61-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-debian-0.1.61-0.0.noarch.rpm to scap-security-guide-debian-0.1.61-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-debian
--- old-rpm-tags
+++ new-rpm-tags
@@ -224,25 +224,25 @@
/usr/share/xml/scap/ssg/content 0
/usr/share/xml/scap/ssg/content/ssg-debian10-cpe-dictionary.xml d27baca83f907e1d7e4a6093e9f78474c2dbd5d043c895f79c0a692e5e8582d2 0
/usr/share/xml/scap/ssg/content/ssg-debian10-cpe-oval.xml 5b54cdc90f9adff580d5bbf2a224d760db5fb5dde60e346b1d8157ebbf54a54c 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 8d24ab50f31c430c12cf23b9f124be240aadf8589bbfe4badebdec57e6c4092a 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 12bbcaac94b938dea3dfc8698cad496e4cae1a3d0cbcda84a2dbc6c91fa3b7d6 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml a15917f02879239f56e6cfbdae091f29e4914278a29e12ce7e2982c6df76889d 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 9a2ee44039c5f5107b13ed5d5d275b8e002a2abc9f1150d0aafef199b122ae1c 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 11a4dff7ea73fc9a3b7851b043e23b6dad348cf12980fc25d83180b20e6459f0 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 79a5a26866f1e235e13837925afca7a54659cabd0d6c6dbdd11f0f1cfb6d6008 0
/usr/share/xml/scap/ssg/content/ssg-debian10-oval.xml 112d0c507239c168e6651903a1c14b170bc09647bc61c6699d4ebbd84a196a1b 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml fe1a9125a9fa03f989ea5d1868cff4bab5a11d2f9891cb8fa0998ca0d71c715e 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 53539563b67974b0a5cb4191b219ae0e53e7636d8280a064937935938eb48779 0
/usr/share/xml/scap/ssg/content/ssg-debian11-cpe-dictionary.xml a7bb5d3760c4f041cb7bb9518a32f14642eb9ac2a5dbbd58fa994f3d8cc8f142 0
/usr/share/xml/scap/ssg/content/ssg-debian11-cpe-oval.xml 8b5f7fae30186997ea112d8f63d5a217f7dea3f55c626388450880296b3a2bd4 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml aa8b0bcea7de12f82d4bed350ebb4eb5ada960559d0a94be98197e714952bc1a 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 5f4310871382fbb706154c157ca81d7e13801cf036ad6d9398209d17d2169d3e 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml a15917f02879239f56e6cfbdae091f29e4914278a29e12ce7e2982c6df76889d 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml bbd5644db30a280d84af5defe01a1c05772564044df0bdb1d2db8a04c6f00b25 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml fc31b3f16fae64f562015442d0676e80010ad85e3aaff32747101d5d89d7ae7e 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 79a5a26866f1e235e13837925afca7a54659cabd0d6c6dbdd11f0f1cfb6d6008 0
/usr/share/xml/scap/ssg/content/ssg-debian11-oval.xml f5100e870ca4640faab2b4416b994f59d7ea8f8a0d0cc318b6a50d93c8bd1c7c 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml f6573daaa310deb61694a58433dd3547962822a0cef00b60a2344262b9953ebc 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 7810f8e35b6d4193c8de8f8c20ee7ec60da91f5cd1523fbb157e084a420224c5 0
/usr/share/xml/scap/ssg/content/ssg-debian9-cpe-dictionary.xml 2094791bef1ba62d6b2719ba4ceb602d66c6da73357cf9377c78c0af5df0414e 0
/usr/share/xml/scap/ssg/content/ssg-debian9-cpe-oval.xml ec32cd523f692641ff03f94afb66abaf4c1ecb4d1f5a2a78b630d4db40b002f5 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml b89508f56b94247c44597cc1b311d5902bd9620f5a3deca2768ce8dceb50332e 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml e4ae19c1cae2e1afaf6383e464d49abe79bee55a1c23b061ded617646f5719d8 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml a15917f02879239f56e6cfbdae091f29e4914278a29e12ce7e2982c6df76889d 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 9811e0c8bf5d4c377bb1a1c3337e9b193b7b637b962f4cc9716839352c051296 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 5ad7765e65e26acbf99044e6c7b2aa2f925f2a26214c10c3de48b38f92d4094b 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 79a5a26866f1e235e13837925afca7a54659cabd0d6c6dbdd11f0f1cfb6d6008 0
/usr/share/xml/scap/ssg/content/ssg-debian9-oval.xml d92cae63b72530baef714776585fd38bbd9c6a106e9a7f2d076802e86a9a42ac 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 166a2a93eb0f8b1ac9b7a8c24f9115b94b06e42eb984511136c395dd04220ac2 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml e91c449d45a42f41d475b4ac2014b2fb7d0c7d004b2843e7480b0ae2507fb043 0
___QF_CHECKSUM___
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
@@ -14927,274 +14927,256 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
-
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
-
-
- Verify Permissions on Backup group File
-
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
-
-
-
- Enable rsyslog Service
-
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
-
-
-
- Disable storing core dump
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Record Unsuccessful Access Attempts to Files - open
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Verify User Who Owns group File
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Ensure No World-Writable Files Exist
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Enable syslog-ng Service
+
+ Verify that local System.map file (if exists) is readable only by root
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-file_permissions_systemmap_action:testaction:1
-
- Configure Polyinstantiation of /tmp Directories
+
+ Enable the NTP Daemon
- ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1
+ ocil:ssg-service_ntp_enabled_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - ftruncate
+
+ The Chronyd service is enabled
- ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-service_chronyd_enabled_action:testaction:1
-
- Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+ Don't define allowed commands in sudoers by means of exclusion
- ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
+ ocil:ssg-sudoers_no_command_negation_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Ensure rsyslog is Installed
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Force frequent session key renegotiation
+
+ Only the VDSM User Can Use sudo NOPASSWD
- ocil:ssg-sshd_rekey_limit_action:testaction:1
+ ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1
-
- Configure auditd mail_acct Action on Low Disk Space
+
+ Disable Host-Based Authentication
- ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
+ ocil:ssg-disable_host_auth_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Ensure Log Files Are Owned By Appropriate Group
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-rsyslog_files_groupownership_action:testaction:1
-
- Disable SSH Access via Empty Passwords
+
+ Record Events that Modify the System's Discretionary Access Controls - fchown
- ocil:ssg-sshd_disable_empty_passwords_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1
-
- Don't define allowed commands in sudoers by means of exclusion
+
+ Ensure syslog-ng is Installed
- ocil:ssg-sudoers_no_command_negation_action:testaction:1
+ ocil:ssg-package_syslogng_installed_action:testaction:1
-
- Verify Permissions on Backup passwd File
+
+ Set SSH Client Alive Count Max
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-04-04 00:00:00.000000000 +0000
@@ -14927,274 +14927,256 @@
2022-04-04T00:00:00
-
- Disable PubkeyAuthentication Authentication
-
- ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1
-
-
-
- Verify Permissions on Backup group File
-
- ocil:ssg-file_permissions_backup_etc_group_action:testaction:1
-
-
-
- Enable rsyslog Service
-
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
-
-
-
- Disable storing core dump
+
+ Ensure SMAP is not disabled during boot
- ocil:ssg-coredump_disable_storage_action:testaction:1
+ ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1
-
- Verify Group Who Owns group File
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
- ocil:ssg-file_groupowner_etc_group_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-sudo_remove_nopasswd_action:testaction:1
-
- Disable Kerberos by removing host keytab
+
+ Record Unsuccessful Access Attempts to Files - open
- ocil:ssg-kerberos_disable_no_keytab_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Verify User Who Owns group File
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Verify that System Executable Have Root Ownership
+
+ Verify Root Has A Primary GID 0
- ocil:ssg-dir_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-accounts_root_gid_zero_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Ensure No World-Writable Files Exist
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
-