~/f/scap-security-guide/RPMS.2017 ~/f/scap-security-guide ~/f/scap-security-guide RPMS.2017/scap-security-guide-0.1.61-0.0.noarch.rpm RPMS/scap-security-guide-0.1.61-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-0.1.61-0.0.noarch.rpm to scap-security-guide-0.1.61-0.0.noarch.rpm comparing the rpm tags of scap-security-guide
--- old-rpm-tags
+++ new-rpm-tags
@@ -244,25 +244,25 @@
 /usr/share/xml/scap/ssg/content 0
 /usr/share/xml/scap/ssg/content/ssg-opensuse-cpe-dictionary.xml e74fe69303dc5c832394ad561fca005b8c51dd5e2f1fc6c1226c01adcdc41555 0
 /usr/share/xml/scap/ssg/content/ssg-opensuse-cpe-oval.xml 33243cff2df0cf08a70b59e81740e2e26f21815b17e83c934b4d8703e2552d4c 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml f82ea40f59509246b9d16c65228539b6ed21b800ce16ecd1cf79e214f4b00297 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 860555a32bae42e413dee0111b87ac709906cc0fed103154e86f7a9257692262 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 1f18f5b673285bd7639bd78ae9d9ef2e5f9e9e8b15999512ebec35f468a688c8 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 6ca11b1bb2ec79af1e35be0440789d8ccff46159d3779f3e2546bd33d7f55949 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml e2c109d202172504b31746575902e9667510575f4825bfe94381c79a26302304 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml b15ea41ab85139bb4321904b1c28ecf024e826a36b547e319d892e74864001f7 0
 /usr/share/xml/scap/ssg/content/ssg-opensuse-oval.xml 88b7550c60a125be148293dd73c9cb595721f2f5cb86226388813def51e49fbb 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 56bbd92f5385b95dbc64a33f725360dcdaa6e950b6b41f4edf3e2506463b236f 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 48c4deb627be028a5c2fe2bdf3d288bb59a36fcd77b057c0c05546e91078821e 0
 /usr/share/xml/scap/ssg/content/ssg-sle12-cpe-dictionary.xml 87cbf0ec173473eb057058a903543caf888104c4d8b57fc5bcf33a5a0436e5c4 0
 /usr/share/xml/scap/ssg/content/ssg-sle12-cpe-oval.xml 7b0f3cc469e8dc66d3cdd409931c2e8513813795ec1cea2a2090b30661c307d5 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 457a23b3004040e7457b5e8636c2070025f6570269a6cb18d8d45c61e5cdf3ed 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml bc5474071ee4db970e636a4548e2dd2e3c0d54a912ce820c3831c0813fc395ff 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml c354bd077256c7eb0053e36dc9d80422841dd6f561481d50bf296e5a61fbd1d4 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml d3baa4d473a003270fb88ef0ee2a511bcbc6aef83f8f959214990903da19b9ec 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 3ab787b60fa7078658e3eecab890d47c0d28c395da9fa78cd29ad63e20328e80 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml fdd6647b262a5e90067ff5100ab82907c6bbdfd51106d69fd81283c47de0700d 0
 /usr/share/xml/scap/ssg/content/ssg-sle12-oval.xml 5d9dd540c2d51ae7ad75ce9106605c4b5292c9656d22b02764dc51ab48a80751 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 9a643517f959b23e8b59dde1469c1f7d38d8f2ad9b8290577be67cc2d4e978df 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 7ece6292ac090e72887740915421c8c8170b30ec4c8ff628d4f3b5722041b7a4 0
 /usr/share/xml/scap/ssg/content/ssg-sle15-cpe-dictionary.xml ac6771fb31b41063b1f22199798b68efe280ec48843a41fe8eceac8d4f9cc915 0
 /usr/share/xml/scap/ssg/content/ssg-sle15-cpe-oval.xml 81dffa610ef824a0241e899425bd57a70b09c7b3f5f137cf86e570aeffae2f0e 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 80037f59836df811ffb3b77507a7b6b76356b120003c3b3d90faa422325433ef 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml ad0190e7f5fb8aed0885e9821459d04a471a32a5033334b01ec2e7097962f9ec 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml a7d9a04832291f50ee8cd4d31b8e0379d7b3a27ed60ea360876cd1c823b53dd2 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 1dfc5143d22e988ff7b3be8f29f34c13cdec08cd922e023a99bfe265e0160814 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 75c3872587728548d1b2e9bfc26af921e0195f18bb14fb9cadcf1de5377a1ef9 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml a69a7d549c8b66ed5cdf6904c1b15b36bc7c2c8a99e50ebad74071f6a26e7337 0
 /usr/share/xml/scap/ssg/content/ssg-sle15-oval.xml fb61d2717a307c299dd56287c93d97c23f63ea5d6f7077a22920777a7d95ad9a 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 51e4709da6a05259322d18cfdd2a6be5a478811b4332cbe81aaeaae7f1b80d83 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml d92b3122096348462588d6392cbd928e6026047b4e09d4a7d939a0896840c405 0 ___QF_CHECKSUM___ comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000
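Review bot: The rebuilt package is not reproducible, and the digests that differ in this hunk are only those of the ds, ds-1.2, ocil and xccdf files of each product, while the cpe-dictionary, cpe-oval and oval digests on the context lines are identical, so the non-determinism is confined to the OCIL/XCCDF side of the generated content. The per-file hunks further down show the same questionnaire entries appearing at different positions (for example `ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1` removed at the top of one build with other entries added in its place), which looks like unstable ordering in the content generator rather than a content change; that is inferred from truncated hunks and should be confirmed against the build. For the opensuse files the hunk sizes also shrink from 256 to 250 lines, so a few entries may be dropped rather than moved, which is worth checking before treating the two RPMs as equivalent. Until the generator emits these entries in a stable order, digest-based comparison of rebuilt packages cannot be used to verify this package, and the rpm-tags diff here cannot distinguish a harmless reorder from a real content change.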
@@ -13579,256 +13579,250 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have 
Root Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Enable syslog-ng Service + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Ensure rsyslog is Installed - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Force frequent session key renegotiation + + Disable Host-Based Authentication - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure that System Accounts Are Locked + + Remove the OpenSSH Client and Server Package - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-package_openssh_removed_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Only the VDSM User Can Use sudo NOPASSWD + + Explicit arguments in sudo specifications - ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + ocil:ssg-sudoers_explicit_command_args_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -13579,256 +13579,250 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have 
Root Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Enable syslog-ng Service + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Ensure rsyslog is Installed - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Force frequent session key renegotiation + + Disable Host-Based Authentication - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure that System Accounts Are Locked + + Remove the OpenSSH Client and Server Package - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-package_openssh_removed_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Only the VDSM User Can Use sudo NOPASSWD + + Explicit arguments in sudo specifications - ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + ocil:ssg-sudoers_explicit_command_args_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,256 +7,250 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have Root 
Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Enable syslog-ng Service + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Ensure rsyslog is Installed - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Force frequent session key renegotiation + + Disable Host-Based Authentication - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure that System Accounts Are Locked + + Remove the OpenSSH Client and Server Package - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-package_openssh_removed_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Only the VDSM User Can Use sudo NOPASSWD + + Explicit arguments in sudo specifications - ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + ocil:ssg-sudoers_explicit_command_args_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,24 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + @@ -68,54 +68,54 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -25960,3172 +25960,3172 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Enable rsyslog Service + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable storing core dump + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Verify Group Who Owns group File + + Verify User Who Owns group File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Permissions and Ownership of Old Passwords File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + 
ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Set Deny For Failed Password Attempts - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Disable Kerberos by removing host keytab + + Install iptables Package - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns cron.hourly + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure gpgcheck Enabled for All zypper Package Repositories + + The Chronyd service is enabled - ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Disable Kernel Parameter for IPv6 Forwarding by default + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - 
ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify that system commands directories have root ownership + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-dir_system_commands_root_owned_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Policy Requires Immediate Change of Temporary Passwords + + Ensure rsyslog is Installed - ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Ensure No World-Writable Files Exist + + Remove User Host-Based Authentication Files /usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -25962,3172 +25962,3172 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Enable rsyslog Service + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable storing core dump + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Verify Group Who Owns group File + + Verify User Who Owns group File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Permissions and Ownership of Old Passwords File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + 
ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Set Deny For Failed Password Attempts - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Disable Kerberos by removing host keytab + + Install iptables Package - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns cron.hourly + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure gpgcheck Enabled for All zypper Package Repositories + + The Chronyd service is enabled - ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Disable Kernel Parameter for IPv6 Forwarding by default + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - 
ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify that system commands directories have root ownership + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-dir_system_commands_root_owned_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Policy Requires Immediate Change of Temporary Passwords + + Ensure rsyslog is Installed - ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Ensure No World-Writable Files Exist + + Remove User Host-Based Authentication Files /usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,3172 +7,3172 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Enable rsyslog Service + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable storing core dump + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Verify Group Who Owns group File + + Verify User Who Owns group File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Permissions and Ownership of Old Passwords File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + 
ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Set Deny For Failed Password Attempts - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Disable Kerberos by removing host keytab + + Install iptables Package - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns cron.hourly + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure gpgcheck Enabled for All zypper Package Repositories + + The Chronyd service is enabled - ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Disable Kernel Parameter for IPv6 Forwarding by default + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - 
ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify that system commands directories have root ownership + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-dir_system_commands_root_owned_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Policy Requires Immediate Change of Temporary Passwords + + Ensure rsyslog is Installed - ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Ensure No World-Writable Files Exist + + Remove User Host-Based Authentication Files /usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,29 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - - - - - - + - + - + - + - + - + - + - + @@ -73,40 +68,39 @@ - + - + - + - + - + - + - + - + - + - + - - + + - - + - + @@ -114,24 +108,30 @@ - + - + - + - + - + + + + + + + - + - + - + /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
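Review bot: The ssg-sle12-ocil.xml hunk (`@@ -7,3172 +7,3172 @@`) removes and re-adds the same questionnaire entries at different positions — e.g. `ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1` appears on a `-` line near the top of the hunk and on a `+` line further down, with identical old/new line counts — so the change looks like nondeterministic ordering of OCIL questionnaires rather than a content change. That ordering instability is what drives the differing file checksums in the rpm-tags section and the "RPM file checksum differs" result, which defeats reproducible-build verification of this security content. The generator should serialize questionnaires in a stable order (for example sorted by their `ocil:ssg-*` id) before writing the OCIL and datastream files; the same pattern recurs in the ssg-sle15-ds-1.2.xml, ssg-sle15-ds.xml and ssg-sle15-ocil.xml hunks. The ssg-debian10 hunks have unequal counts (274 vs 256), so those appear to include genuine removals in addition to reordering and are worth checking separately. The hunk is truncated by the comparison tool, so only the visible portion was reviewed.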
@@ -29898,3700 +29898,3700 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Configure auditd to use audispd's syslog plugin - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Verify Permissions on Backup group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Verify Permissions and Ownership of Old Passwords File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Use Only FIPS 140-2 Validated MACs - 
ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Record Attempts to Alter Process and Session Initiation Information wtmp + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Verify Root Has A Primary GID 0 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Set Deny For Failed Password Attempts - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Install iptables Package - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Disable Kerberos by removing host keytab + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Enable the NTP Daemon - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify Group Who Owns 
cron.hourly + + The Chronyd service is enabled - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Ensure gpgcheck Enabled for All zypper Package Repositories + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Disable Kernel Parameter for IPv6 Forwarding by default + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -29900,3700 +29900,3700 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Configure auditd to use audispd's syslog plugin - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Verify Permissions on Backup group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Verify Permissions and Ownership of Old Passwords File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Use Only FIPS 140-2 Validated MACs - 
ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Record Attempts to Alter Process and Session Initiation Information wtmp + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Verify Root Has A Primary GID 0 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Set Deny For Failed Password Attempts - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Install iptables Package - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Disable Kerberos by removing host keytab + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Enable the NTP Daemon - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify Group Who Owns 
cron.hourly + + The Chronyd service is enabled - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Ensure gpgcheck Enabled for All zypper Package Repositories + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Disable Kernel Parameter for IPv6 Forwarding by default + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,3700 +7,3700 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Configure auditd to use audispd's syslog plugin - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Verify Permissions on Backup group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Verify Permissions and Ownership of Old Passwords File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-auditd_log_format_action:testaction:1 + 
ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Record Attempts to Alter Process and Session Initiation Information wtmp + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Verify Root Has A Primary GID 0 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Set Deny For Failed Password Attempts - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Install iptables Package - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Disable Kerberos by removing host keytab + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Enable the NTP Daemon - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify Group Who Owns cron.hourly + + The Chronyd service is enabled - 
ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Ensure gpgcheck Enabled for All zypper Package Repositories + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Disable Kernel Parameter for IPv6 Forwarding by default + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,29 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - - - - - - + - + - + - + - + - + - + - + @@ -73,40 +68,44 @@ - + - + - + - + - + - + - + - + - + - + - - + + - - + - + + + + + + @@ -114,39 +113,40 @@ - + - + - + - + - + - + - + - + - - - + + + + - + - + - + - + RPMS.2017/scap-security-guide-debian-0.1.61-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.61-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-debian-0.1.61-0.0.noarch.rpm to scap-security-guide-debian-0.1.61-0.0.noarch.rpm comparing the rpm tags of scap-security-guide-debian --- old-rpm-tags +++ new-rpm-tags 
@@ -224,25 +224,25 @@ /usr/share/xml/scap/ssg/content 0 /usr/share/xml/scap/ssg/content/ssg-debian10-cpe-dictionary.xml d27baca83f907e1d7e4a6093e9f78474c2dbd5d043c895f79c0a692e5e8582d2 0 /usr/share/xml/scap/ssg/content/ssg-debian10-cpe-oval.xml 5b54cdc90f9adff580d5bbf2a224d760db5fb5dde60e346b1d8157ebbf54a54c 0 -/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 8d24ab50f31c430c12cf23b9f124be240aadf8589bbfe4badebdec57e6c4092a 0 -/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 12bbcaac94b938dea3dfc8698cad496e4cae1a3d0cbcda84a2dbc6c91fa3b7d6 0 -/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml a15917f02879239f56e6cfbdae091f29e4914278a29e12ce7e2982c6df76889d 0 +/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 9a2ee44039c5f5107b13ed5d5d275b8e002a2abc9f1150d0aafef199b122ae1c 0 +/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 11a4dff7ea73fc9a3b7851b043e23b6dad348cf12980fc25d83180b20e6459f0 0 +/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 79a5a26866f1e235e13837925afca7a54659cabd0d6c6dbdd11f0f1cfb6d6008 0 /usr/share/xml/scap/ssg/content/ssg-debian10-oval.xml 112d0c507239c168e6651903a1c14b170bc09647bc61c6699d4ebbd84a196a1b 0 -/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml fe1a9125a9fa03f989ea5d1868cff4bab5a11d2f9891cb8fa0998ca0d71c715e 0 +/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 53539563b67974b0a5cb4191b219ae0e53e7636d8280a064937935938eb48779 0 /usr/share/xml/scap/ssg/content/ssg-debian11-cpe-dictionary.xml a7bb5d3760c4f041cb7bb9518a32f14642eb9ac2a5dbbd58fa994f3d8cc8f142 0 /usr/share/xml/scap/ssg/content/ssg-debian11-cpe-oval.xml 8b5f7fae30186997ea112d8f63d5a217f7dea3f55c626388450880296b3a2bd4 0 -/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml aa8b0bcea7de12f82d4bed350ebb4eb5ada960559d0a94be98197e714952bc1a 0 -/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 5f4310871382fbb706154c157ca81d7e13801cf036ad6d9398209d17d2169d3e 0 -/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 
a15917f02879239f56e6cfbdae091f29e4914278a29e12ce7e2982c6df76889d 0 +/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml bbd5644db30a280d84af5defe01a1c05772564044df0bdb1d2db8a04c6f00b25 0 +/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml fc31b3f16fae64f562015442d0676e80010ad85e3aaff32747101d5d89d7ae7e 0 +/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 79a5a26866f1e235e13837925afca7a54659cabd0d6c6dbdd11f0f1cfb6d6008 0 /usr/share/xml/scap/ssg/content/ssg-debian11-oval.xml f5100e870ca4640faab2b4416b994f59d7ea8f8a0d0cc318b6a50d93c8bd1c7c 0 -/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml f6573daaa310deb61694a58433dd3547962822a0cef00b60a2344262b9953ebc 0 +/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 7810f8e35b6d4193c8de8f8c20ee7ec60da91f5cd1523fbb157e084a420224c5 0 /usr/share/xml/scap/ssg/content/ssg-debian9-cpe-dictionary.xml 2094791bef1ba62d6b2719ba4ceb602d66c6da73357cf9377c78c0af5df0414e 0 /usr/share/xml/scap/ssg/content/ssg-debian9-cpe-oval.xml ec32cd523f692641ff03f94afb66abaf4c1ecb4d1f5a2a78b630d4db40b002f5 0 -/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml b89508f56b94247c44597cc1b311d5902bd9620f5a3deca2768ce8dceb50332e 0 -/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml e4ae19c1cae2e1afaf6383e464d49abe79bee55a1c23b061ded617646f5719d8 0 -/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml a15917f02879239f56e6cfbdae091f29e4914278a29e12ce7e2982c6df76889d 0 +/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 9811e0c8bf5d4c377bb1a1c3337e9b193b7b637b962f4cc9716839352c051296 0 +/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 5ad7765e65e26acbf99044e6c7b2aa2f925f2a26214c10c3de48b38f92d4094b 0 +/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 79a5a26866f1e235e13837925afca7a54659cabd0d6c6dbdd11f0f1cfb6d6008 0 /usr/share/xml/scap/ssg/content/ssg-debian9-oval.xml d92cae63b72530baef714776585fd38bbd9c6a106e9a7f2d076802e86a9a42ac 0 -/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 
166a2a93eb0f8b1ac9b7a8c24f9115b94b06e42eb984511136c395dd04220ac2 0 +/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml e91c449d45a42f41d475b4ac2014b2fb7d0c7d004b2843e7480b0ae2507fb043 0 ___QF_CHECKSUM___ comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -14927,274 +14927,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that 
Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + 
Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -14927,274 +14927,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that 
Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + 
Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,274 +7,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that Modify the 
System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + Ensure Log 
Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,24 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + @@ -68,59 +68,59 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -14927,274 +14927,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that 
Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + 
Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -14927,274 +14927,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that 
Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + 
Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,274 +7,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that Modify the 
System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + Ensure Log 
Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,24 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + @@ -68,59 +68,59 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -14927,274 +14927,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that 
Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + 
Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -14927,274 +14927,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that 
Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + 
Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
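Review bot: Two builds of the same package version (scap-security-guide-0.1.61-0.0) produce a different OCIL question order inside ssg-debian9-ds.xml, and the hunk header `@@ -14927,274 +14927,256 @@` says the old and new spans are not even the same length, so this is not a cosmetic reorder that a reproducibility check can ignore. The standalone ssg-debian9-ocil.xml hunk (`@@ -7,274 +7,256 @@`) and, as far as the surviving text shows, the hunk preceding this file header exhibit the same pattern, which most likely points at the questionnaire generator serializing from an unordered collection; the rpm-tags hunks further down show the ds, xccdf and ocil digests changing for every product while the cpe-dictionary and cpe-oval digests stay stable, consistent with the nondeterminism living in the XCCDF/OCIL build step rather than in OVAL. Consumers who pin SCAP content by digest cannot distinguish this from a tampered datastream, so the generator should sort rule and question ids before writing and the compare job should fail on this delta instead of accepting it. The element markup is stripped in this rendering, so whether any question_test_action was actually dropped (274 vs 256 lines) has to be confirmed against the raw XML.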
@@ -7,274 +7,256 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File - - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 - - - - Enable rsyslog Service - - ocil:ssg-service_rsyslog_enabled_action:testaction:1 - - - - Disable storing core dump + + Ensure SMAP is not disabled during boot - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Group Who Owns group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Resolve information before writing to audit logs + + Configure auditd to use audispd's syslog plugin - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify User Who Owns group File - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Verify Root Has A Primary GID 0 - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Permissions on gshadow File + + Record Events that Modify the 
System's Discretionary Access Controls - umount2 - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Ensure No World-Writable Files Exist + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable syslog-ng Service + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Enable the NTP Daemon - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Ensure rsyslog is Installed - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Force frequent session key renegotiation + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + Ensure Log 
Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max /usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,24 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + @@ -68,59 +68,59 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + RPMS.2017/scap-security-guide-redhat-0.1.61-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.61-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-redhat-0.1.61-0.0.noarch.rpm to scap-security-guide-redhat-0.1.61-0.0.noarch.rpm comparing the rpm tags of scap-security-guide-redhat --- old-rpm-tags +++ new-rpm-tags 
@@ -781,45 +781,45 @@
 /usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 98bf8c00cc467e66edd2a85d877b7cdd56ee5b58e108793ccf6efb44749caa74 2
 /usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html bbe0df8aa705d920e5584f7fcedbca377802820fb8db63d704204b192324c67b 2
 /usr/share/doc/scap-security-guide/tables 0
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html c4f8e76f41c96155506c813526a1032fb38d9f299c4da1f20aa8792b08c897f2 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 640e4356289a97ad49f5fa57ee9575b4423b59dc19556771d76e9b96b808b471 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 60c5254c76812250b0ab56e0822743f1806b861856d2093a6678198bc6accc27 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html ce8baf76e6f1c400aa389c0374c229dcd5c1604a542c0e120e1692d0a0db482d 2
 /usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-standard.html 9140c13fc429c1d06c7f27983f911bcaccae0d49b4d6173ec7bfa13d97ca470c 2
 /usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-stig.html 7c1a5df453fc119409501e414a00c5aa94181811e6b9e1d726ece5b46a0e6d4d 2
 /usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-stig_gui.html 08b287450a370cdd066087874c1915c2115a09986d123ddd7fe96b5e9a28486c 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 1655b0167dd9cdf786afb413c1db05a4851d1fe16680a0dc2588575a3f6879e5 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 931f87a073f85ddf3ba1b486b36430712214d6c7c611151a927a9da1a2d43151 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 57ac41eb2e69319e94a04de75d9faebd59d3c834a1bfdf11f63879d5a91c6b74 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 31edd5d795696332f9b1dd58ec48bd0503ce23402fa17e270868cf7f74c64242 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 1a17c172e85c696a2aa56b724b7e527b86e6ed7c871182bbab183f6b575d54c8 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html d6127b2471ab12f51d2e6ae60b9fd9ea53281cb8c036a26dabb17bbb57d2c245 2
 /usr/share/doc/scap-security-guide/tables/table-ol7-stig-testinfo.html 86ea99ac217367d448a60cfaf63a1178e5cb10ef7bd066640b0b173477940f95 2
 /usr/share/doc/scap-security-guide/tables/table-ol7-stig.html 7487c99bcc123d5d4b095f47b4deaf053a7dbe212203c9207512e486b98978de 2
 /usr/share/doc/scap-security-guide/tables/table-ol7-stig_gui-testinfo.html 8d7191eda1af51af8e0a50b946e98f61783c4ec9d383d0d7db9bb04bd72af117 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 5107dec5e750dfaeb71bcd95046431932138ead3873c03969cadff96f37e4fdf 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 0114d37d99087d065b185c8893d3a17ce74b265df2f60167eb990fd6562964f8 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html d96903946785948563f3daa4abac9a12580414e1de99be56c5873016403207eb 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html cde0c22a96aedfe6e5185cf62fc44b2ef4d71540001cebc40237a6c18e04731a 2
 /usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-ospp.html 659e04e84921e8094820c7b6b11bfe7c74624c93be321baeed01f910c6f8fbac 2
 /usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-standard.html aec18bba5fdc76a4a544a485219ea15533755572ab60e1adbf839587813be71e 2
 /usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-stig.html 90513de54a20e28fa4e1bf1f151c888e6dc20c390b073bac93a00e7f0660f383 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html fd20ce63e60571af9d0e9180ce4bee976752c0e7f3d9dfcd02feeb4f266bca7c 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 24d1d826121c40a8e1a6ae232483881627978351482ad5010ba42a72b4e26748 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 23051a7e34e7ccdf7635bba7764d31090d6acf6c7de9c4e1940737327131fa8d 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 517b0c0f22490f50a75348a03b8aece64a2dee3122117694f56ba63ae7f35ddb 2
 /usr/share/doc/scap-security-guide/tables/table-ol8-stig-testinfo.html aa53b65553e5de71ded941afdc1645c47f89ee83b42da2334dccc0d8a5715a50 2
 /usr/share/doc/scap-security-guide/tables/table-ol8-stig.html 388fc3b6bba209c7dbb1dd1962b021d26c4ce4adbbcd1cbc28080580b430fd3f 2
 /usr/share/doc/scap-security-guide/tables/table-ol9-nistrefs-standard.html e329d6c97c056225e2595ddadc6b07ac3afb3c8450163388010bb4ca0691872b 2
 /usr/share/doc/scap-security-guide/tables/table-rhcos4-cces.html 3b39c5a90eaa422b192b63a1bc26b96808987095577435089a280cf72096c6f9 2
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 17e346ac3170b265db64b58fdb404706542e7f7b092559797efa5898ce2785ae 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 5f63e4711f1f49a0812b80b15f4f658ec54d699c658d1dc48d5e43c8e7560f96 2
 /usr/share/doc/scap-security-guide/tables/table-rhcos4-ospp.html 986c0bdc16893c46f7bdbc09fbeeded2851e9b86fa73bbf57df00d555f0aaa17 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_enhanced.html c09e961b3464b45d99ddeb16f570c33b54b4a4a34444da845438c02bd24d71f8 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_high.html 001562bed5cf3cc63426ae8e60cf9dc8f969e42eb3401ec3795ef59c86d05c62 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_intermediary.html 8bece0620e6ba8ea8824d55a7e44bf0e13b934bd7ec675332472d639e40c655f 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_minimal.html 6781823a43841d9efda111ae2670962750618e01aefc41fd2486002e8834ed9a 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 3f73306c2baf6315f35e8d42ecdbe2ddcfb2b1c6aa289dd53d0a4d4d183ee6d6 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 9e9239e1b8a3c15359ce188643f579d34b9c0a378cf4a9f6a5d98d5048197834 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-cces.html 676bcfebd99e0561e65b87633b0a85c7d88f8b7d9802d3c6dc676245a82f8983 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 96425d25629e903fa162bf3442c53da329879d1dcf507ceb22fc5736aaab3939 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 4c6d616fe8caa076b8eb333ca50c1288720c7eec2bd6412df969bda895f0d0de 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html a4a85888adfc8082fd02dd482d5c831e9f35e65692e41cd6db3451fada073c05 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 987fbf7b123f09cd986ee1fed00a73f4e7eaae8acd133ebe6ab0e10fd1bcae0c 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-C2S.html 87dfbb8ba0072356d0b8d7b7b3416184c16e50bd75fcebea972d594b4920c8c3 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-ospp.html 05090681273cd8b8e220611630dd3e824e18ee1a63f128d86fb8eee9bad3fc3d 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-standard.html 4b0f887a9e70ab4ad52dc37c05ebcd4180874195bcdac498680fb8b3c6e4fd2a 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-stig.html 1e166e75b92dfdbbdd79f0c29171bae57db3bc8625f5e41c42346558cb895f89 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 1dc56277bdec77585f1402a5a4e86f2bb2b7bdd23626333b5e690a91815b7869 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html c10076c956c9c629ee7dc412ec2c83d46bfff67231f8bc4c37a98b2cd4e80298 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 1a3e73847c3a3a0291ec4945ba8ef5b16a9fe3fb2acab6311e4e344b733c6879 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 31b1708ccb46ba9985213c3d11006c8f861fb461d3ded959a2635498ba5d844c 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html f3aa342c34a9fe0aad9679e23c489e5d4126bd4e6f0933a7f7b025907ee4b069 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html becb12bf4baab38ea07a092f7c5d0711140aba0359b4f9dbda722754b2a047fa 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-srgmap-flat.html 567502057ab2bf7e840ee6191b759fed5a8c3ad332c9bf9387e9f66f2c0d6b5f 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-srgmap.html ba3f303266c1b8a49b698d34681aa1f554fd58f1c07349fc7d40fbe3956fc282 2
 /usr/share/doc/scap-security-guide/tables/table-rhel7-stig-testinfo.html fb13f507c7de506177bcad6f42e034a45d806b63c30705a762d8c1a892c25636 2
@@ -829,15 +829,15 @@
 /usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_high.html 6bd30d9c111f63c0a0172aea40452ff8146219866c4f127fba2ed1d19b20bd4b 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_intermediary.html e67ab48882a9ee596021138d3adaf89c6da26ef7e7ecd97d5c2daecc22bd1249 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_minimal.html 77fd3ca1747ec1abf5603c7b75ed6ee5cc6d58280c703776377c63b4a9ddcb3e 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 8b3510293a820e18390371220827c67b490852c3b4d58e7fdef9861c01c343b7 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 92765a90d577e7fbc63022600381144003b25a567de9e5af94b5cea3475660b2 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-cces.html ed3beb65b27d03a56a1f67ee299f31276f02ba44fd36a9b3188d314197743a55 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html fa84535f82a65873880f14c5c428c6fce3d3a6b3f2206810d4a7d4c04a95acec 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html fb345b7194aebdb6038d6a507a9e30fd29b1bc05727861c7c17d28f70d9e03d7 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 7b287d257ec780e8f2ecf717372a15bec4c04e3183f7077dd875b3cfed7c4e80 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 536a8fe35cd296cb2c1e222142e1691a0f85d6ee22b9a536f67527539d6ad0f7 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-ospp.html 5fd7a9984a58037b62de14c1530797ab2c00469f83b5627ce680f9d45cc086b5 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-standard.html 233a4be874281f348df71ceac63188a73719201199081218772408e1808470b7 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-stig.html 8b5414f60f426d930fb248ac884057f42e86ebccd485bf4115af72ebcea84593 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html fff0b7c02e9d757d36ce759ab4f4d05b55c1606cdce568adc3c192f331adbef1 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html dd598de1929532f03abc548472c4bf0ae71238848e4454dafff5b99a4fb1ff79 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 6a513366f81b67be12da7242dddd4f49409af0a632e333eb4e07646142f7ac05 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 40d1440ed74124979c47b050a27f32a7a187a05826169bb12a642c923318a4b6 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-srgmap-flat.html e134b9f1128f8be16ed5ab987ed651516fe387459dd333daef2fd55066985dc6 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-srgmap.html 807970d9538f70ad6ac79ea8f199b5e3fa11454ba67a2f66a876dc2497724644 2
 /usr/share/doc/scap-security-guide/tables/table-rhel8-stig-testinfo.html 4fd361ff320702869ed40ea26ee3d938392d38640231226eadd67f14bbfb0a6d 2
@@ -1125,86 +1125,86 @@ /usr/share/scap-security-guide/kickstart/ssg-rhel9-stig-ks.cfg c2ce20c85b2cf921f5f9b380a2f79d03dc8a6f6133b6469276913121bb4055bd 0 /usr/share/scap-security-guide/kickstart/ssg-rhel9-stig_gui-ks.cfg 870b2a045485eaf1bdf62697428c266878a5a8ada0b3da8e363ed004572cbdd0 0 /usr/share/scap-security-guide/tailoring 0 -/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 6d31d96f80a23a4a10380d9cd178038836bc21312cfd8de812aac1204b5a76e1 0 -/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 6c160cceb28576fc7f7447f81f1f85f75bc2bbd2c6444101dabcaa795c02d3c5 0 +/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 68a8a46c5794a52087b605c78b8a7a69719b5393eebe8e6953e1d902e8e336b9 0 +/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 0ae91c774729555cdd24bbf2796870ee1a211c193f28ddc0cb4f364750fb00b7 0 /usr/share/xml/scap 0 /usr/share/xml/scap/ssg 0 /usr/share/xml/scap/ssg/content 0 -/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 9a6606c2e8e211f11a65d23893feb4ec9350b7ccdf24a709ec80ebc069ed8e3c 0 -/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 38713218c685e254a467810f014db4d40d7cc4a2e581870fe55b79ed52a22e1b 0 -/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml db99d8764daf26eba6be0fd10ed495e7990b491e03e4a9c1f6dccd1e66f9be4a 0 -/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 0410028e729459e9446a454bc2fa93439a7b6dbda0794270c70bee142d37f5fa 0 -/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 676c5127ed035c142b773e017eb407429694ccd3631f244a380a4279312604a3 0 -/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml f2bc04a3afa0404f38ba8227df467c7003797e546a6dce4e95903592de1b9006 0 -/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml d57b7fe9df819b69ddfc1cabd05a22e07a57e9b24d32ea368e65df4bba4382d9 0 -/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 5de680f855ce3f805acd7aed3e9dc9dcfe8de8f5deb7a035c3f862fee4368fbc 0 -/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 
05e7a894ed34f0a99a518ba0c1c10ee0e52dceaf90b7d5e64e64872de8c3e111 0 +/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 5ef87b640e81cf9ee31ebc57c27c69ec222b847260ff9ea743d7ecd28946edd6 0 +/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 46288b556ce4221cbd622c7c70e692b535e739a157369a137d7f352cf30f62ed 0 +/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 207fbee0ada2151e011306fef681088df73cea79b7fb4b3477872cbd3bb570b8 0 +/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 3f4bc151f8e7374301ecb532f6e88d15e09544902b81398ffb44651d669e0734 0 +/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 04f6c6afe912a3a656f120e874a870b10f74d7453461c496bdef31b0ba1ada8b 0 +/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 4477fc0ea61583b2e7b63b3470871d87ee086c5b56116b5f1ff6d23eda4ca3b0 0 +/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml c9792abd1d0bdaaba0fcc65b8a31b3eacf792029cac8898d1a1ed81b5f760c9f 0 +/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 918ed7ee5beea62fbac371f1d25ec116c0536bb66113c4a787dd12beedf0bd3b 0 +/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml b1e958412c6f4038bc2fcbb4f457bf7616b94d6e42d28d5ba16545a90efae4bd 0 /usr/share/xml/scap/ssg/content/ssg-fedora-cpe-dictionary.xml c8d5f0a2f8acf0028f9b74e68518b0738539bec86eda83407164f2ce3223dd58 0 /usr/share/xml/scap/ssg/content/ssg-fedora-cpe-oval.xml 1513731ed8399739fba71370f6c663d46176e0d3fd4cc85154cbf45d5dfdd467 0 -/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml d7b34ce3af7fa0e7eb8242615cefd75823a4d665b3a2dc90b96edab253086fac 0 -/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 6bbed931b16c83a6cf84f2454d953e603263af7ff78853843e92a7b1004c6327 0 -/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml b9c8e196d472f2235c64b30da7edbba9571e314aff575c006a45d26e0eabb184 0 +/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml d940a2c7afd2442a2b304cc5f9579b15c28f4c5167812e7a931f971954dd4b19 0 +/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml aa39b1353d2de8843919f9ed52c4a81f660a27777002350d2f72747b939f17fa 0 
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml e36d89b8198a5148da6ab3c94e0fe434f63e5ae34f9ade19882942d46e7511f4 0 /usr/share/xml/scap/ssg/content/ssg-fedora-oval.xml b6c25db6bbc0a2275daaaaea7d668c56b5bdd35dc354d06b75fe096847d8883b 0 -/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml eb1d23502a08e049d09deccbccd15b1cbcc9eff6ab90b630cefd3b0c6b64da4c 0 +/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 1b48c0b9a64e943aaf7565ae4b98cc487983270b1089e92ec176116523d1330f 0 /usr/share/xml/scap/ssg/content/ssg-ol7-cpe-dictionary.xml 5e7eed9a1a733623dbdc77f310ea4c5fb8b162b49368434bdfd956ba4a734fca 0 /usr/share/xml/scap/ssg/content/ssg-ol7-cpe-oval.xml 601b6883cc2145ca78eb5897029170a00d1032af85e7a21b6e632808dd65fc31 0 -/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 3ee34dfbe0182f29952995a586c44a1d14f55426428d6944790d78fdbd86602a 0 -/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 92fe55e9907c3fca88b2f9bb3771b9312e257ffbfd6d58900d8b6721fa0a4447 0 -/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 39d9b73223b7b178cf33affa31b4db7c3e4a46af21b8b033048971e3eeb2401c 0 +/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 8e0ed06ca734b82f9b925647a914143d9ed3cf8619a5d393b4c4aca9ba9426ef 0 +/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 69a089fe5dbddc23934988d78c55e6322d09f4f4a690eee06c050e30e0a66ffc 0 +/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml a99b56dcd6409b194f63f5da10d7240c4eca6a56e3063f983205cb2aec6f1ff7 0 /usr/share/xml/scap/ssg/content/ssg-ol7-oval.xml 836740fb9c61cc09334796471ca847dcc57e99484d93c09c9c2285fbdce5c490 0 -/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml c8f3c4c9dfb5386b453e5839db18d0170faf09fcac6764975ca16d191c190d1c 0 +/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 01db2a9f0c3a1dfc0f5c5c14caf88c6f615f062b0cc718801495606f7a8c9e61 0 /usr/share/xml/scap/ssg/content/ssg-ol8-cpe-dictionary.xml 3124a453d0961ef1f92742b355968daa1bc3b7f18b9af07e9d548e0a82d60957 0 /usr/share/xml/scap/ssg/content/ssg-ol8-cpe-oval.xml 
0c3c4de1bf9096bf2be663747025d67786efd271da884d51422fa93abf92c0f1 0 -/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 1fbb3635377c14d0d238d18471c8d2de278132b5b7978deed0ae9dd1b5f7e889 0 -/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 6731ddfde90452df4c7b8f322a45c5e46e37f260e510d6d6ced7c2bd57d49481 0 -/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml b188a0368c04090a13eb7147570a781b64a4c68b784965a2abf0deeadf21728a 0 +/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml cf68f14351c6fcd45633ffd8faf5e5dc80a6a679a26ec75a39d4617f02eeb30a 0 +/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 9141b3582a45c597ed41044600159653768edd83568a6c68f97aa920409a3215 0 +/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 4933842c28f1a78c22fdf836934518c34cb1140e4d913e40ab3e7c61c3713585 0 /usr/share/xml/scap/ssg/content/ssg-ol8-oval.xml 1517729a279b1c1e3d13980f761cba8f82453099625c39fe8f67c22a6bfd9345 0 -/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml f7773f9a6e1368d2ba217647711dcafcd4c0983b33f7b7676052ee67ae172cf8 0 +/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 68e46628268b48829f86a40570435b6336a10ab58b1e0605b5ba3cf7d3f60e1b 0 /usr/share/xml/scap/ssg/content/ssg-ol9-cpe-dictionary.xml 34d4fb07c529f9b02be7f8ef7536a8bf7a6d8f0cf932630bc5867faa7b5030c0 0 /usr/share/xml/scap/ssg/content/ssg-ol9-cpe-oval.xml 6a83d68e1a7495472ad571b7e0155dedc188dbd73409922249e56324ddf2891e 0 -/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 6455282a89cc884390d1b009088d0374638e300f6117ba76adce027a6b4465b6 0 -/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 72bb2c4fd602ebc829f2609306cc6c7ceb10e20b9e2b8074918a2e9f73f1796a 0 -/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml c87dbb3b03beae34044022b77b70caabc2060a35008838150376d48d68d6b599 0 +/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 5ec0f5da081f9914d9a8be0d59e9cf2f080c7822af80f0384fc92b7418701b54 0 +/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 6555d9c5b5ee003806c60a1a693072f8f4a3388a553d7ba9841ab99b30fa057e 0 
+/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 211d3c2d17600043f3b06252617a0ce2b159e218dd92c10a2025a80337d4a538 0 /usr/share/xml/scap/ssg/content/ssg-ol9-oval.xml 2337c700a410ae82851fe3666006c55cbc3fd6dda808b96eb240074d3d59eb98 0 -/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml c4576dfe9b653dcdcf8dd746419b770a97892534ce6f5bcbbe9b1e917137abcc 0 +/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml fce57fa28b20428071bc60ee97917c96822312c8f095c36df230fb959c54ec11 0 /usr/share/xml/scap/ssg/content/ssg-rhcos4-cpe-dictionary.xml ce0e47b1662da5a097f0d1345ba2b60d417e3da6d9d280d2e2e96a612e6b8bef 0 /usr/share/xml/scap/ssg/content/ssg-rhcos4-cpe-oval.xml 01810c68964e86a04a4e8275db292a4eb8a275212cde86bfeae0e83b5b2db4dd 0 -/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 20ae5dd78a6ad15c34eea5f5456781d00ca11c8d2b5310b5afef276ba847577a 0 -/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 3f635c36e463f93a12ae4cfa43c7304979a71cfb27741d439d0c2e2d470138c7 0 -/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml c36d568d7c35cf43e7974f5b4670dddb9ddb3a32103c7dc727a05e7afa9dfaff 0 +/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 5cc74aa87326fecd0453cbff329961ac16bb80c210e5f561b0e1a17abb718e0c 0 +/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 73ba78db834714ac3a32fa0be13029a9f913b6c9fa25c1a1f5c1762ebaa16902 0 +/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml e1a7676e1c968d5248dd4c72f8daee115d4bed9081fc7cd6cf4f37d9a0aca317 0 /usr/share/xml/scap/ssg/content/ssg-rhcos4-oval.xml d18e5c10ec6a418da2aaeb2a4edc934164fd74ee79514a49a47a1f4280e40e75 0 -/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 508527e60e3bc57826b55c6eea80dc93690c2eb88f352c6ab926f7e039b148a5 0 +/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml b5aa761158c2c9fb7a1579a85e26e293ec0b34fab26c2e9f83243fda70adc77b 0 /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml 3de9bda65d07d283299b6d7d262333656a554c07a7ac4a20cbf07c07a864f1ac 0 /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml 
91acb43372665cd46d8c6d69e302c2ebfbc23b73f23683e750a70a37aa7f90bd 0 -/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 3588e9bcfc9398fbfded9aa9ddfba6f50fdeb7832f8088af55979c3eb442987e 0 -/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 299e72d82292b1f91366e9bc1ad8355de48170dc467a25835cd777094e67a562 0 -/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 3cb9b8b064ba5c253f7d049c0b00205ae9c6b631718ab9fbb5fe0ca0e5d89530 0 +/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml a7fe41ce1a72efcc821ec6b285c688067c84a5521445805ba43e86bacb4a1871 0 +/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 69002b2ed41e706302ab93a7a2b1fa19cf73ae865fe5e6cb4f2f7988b9b92eeb 0 +/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 940ee89210dd81c7a9df9ccb199817bef4ef27b5124749fb45a8d863b186d6c2 0 /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml 218b6ec69c59a7e88791e75ebca9ff769b8603e2695d649829f2dc17ef496f63 0 -/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 684a9d8176634e22e987dd24e28ac81d7d1986c5de3f7782ad647967126d988b 0 +/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 3422023705e09a6153b73a82f748cd9986dc6566ce706ddc3e4b2e753b437d6f 0 /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml 3040dd62c0cada63b4ff1349a08a764dfa0925abb5c94257933aae4e54f0772c 0 /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-oval.xml 6e0f919035c269af259102a0820974827cc97af6a07502abc12d4f062104543f 0 -/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 5e9720647c500729c3b5dd8b3563827fcd5a06a59ebc876ca634055337ec5cf6 0 -/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 4451ec1b0dc7d7ce70097348aad35ae0dfae71d927836d627983b23c98347887 0 -/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 37c2f1164b62a80c8d1c5497c1c039b939022c61ccdb9177f3568313132e7431 0 +/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 0bdf2b1d5040f2bd088b3d3ccc9c376893dac934a15d8cb2e3236d7e5c7cfbe8 0 +/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 601d1da64106a44a762141563c00d52b40d3f8f39267003dc040c965e658542f 0 
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 7e7ae4a0837aa0dbf82c014198c69e52a72efc2992ab4005f4a58f028dffb98d 0 /usr/share/xml/scap/ssg/content/ssg-rhel8-oval.xml a2f18c7303d3afb69fbd694970d9abfd8bae9dc79948d4e1eb5f273afd9b6567 0 -/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 4a720eacddcc1d9d8dd9d4f2e0fab3b0ba8de47265e95879b5909c870f107f7e 0 +/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 0d440dd5aabb23a6744f7dc8b6222c394ec52a3600856941f3cd89084f7bee2f 0 /usr/share/xml/scap/ssg/content/ssg-rhel9-cpe-dictionary.xml 84db9cb513d6ddeb497b45a387a12b7f22ccb2d95deb983d44a95224f620fbc3 0 /usr/share/xml/scap/ssg/content/ssg-rhel9-cpe-oval.xml 3860063609dfea3a10d62674d204909eb4cbb3a864edbefd5224f2d7a4ea8d6a 0 -/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml ef0094fa331cd9983ebbddb37c9d4b35e54904d839b709070c16ccca6825152d 0 -/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml b90bc8d85b2a637e8fdcc67604314d462da33e7b511202e78b5cdddabaf42c67 0 -/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml e334474f8062f96707b8fc9c8c99c836f92f5fd0df48114c75e632dd1d9b523f 0 +/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml a3636d9ea98ed27db1ba53d76986d3e93bcf456bc81c0dbc3b92719612775b94 0 +/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml dfa764d35bcc5556f7091a4f1cdbf6f603c1d8fde837e37c1a5716a399f9ced2 0 +/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 4e6fddd150999785312a021192c1e6a9e4fbea80b32ad6e935c587dd8dc93b76 0 /usr/share/xml/scap/ssg/content/ssg-rhel9-oval.xml 90338d950facea37d23df6523cd889fa2f76435cd5d89564ec01b60dfd97c88f 0 -/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 818014c429743dfd422ca932e0f8a8cf6ad5396c1d0b4f3f120f5158b97b1b90 0 +/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml f0bfcda9982f439ff870af12c47f05f7e1a3d5076f126107a66659a213d35a3c 0 /usr/share/xml/scap/ssg/content/ssg-rhv4-cpe-dictionary.xml 74210b5efa58bbbdb9133dd82d36a7e4aa0d75869d34e0ac89ea1d01469970d3 0 /usr/share/xml/scap/ssg/content/ssg-rhv4-cpe-oval.xml 
4fb66d4eca08ddcf24ddbd8f78eb387750663826f152885580f9d2bd1a2742eb 0 -/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml ecebf20887581fbbfe13ec315014710fe8e0dd6b22120e84becc56723048f8ec 0 -/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 008f826457b5915712a3d2179727a033675d5ea7dd4c3c8b85e53291fc000481 0 -/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 3e62f291ab61f6038f603513b9e194e6f17b863381629e1ff75b470ae61e0d7c 0 +/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 0187612e333a8cf3443d16c6a8dade9b3a404fb7ed0cc3ced70b913c3c6f8bdd 0 +/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 8c0b2c6a8e272c1d8cbd7904c25ddc543ae1af37fe8efb6f14fa9011567551da 0 +/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 0632e6196b94ed62fb41336fbf09e3217d193997d78eee77bdef0b128318b766 0 /usr/share/xml/scap/ssg/content/ssg-rhv4-oval.xml 3da8fd3ab1a6947ba24bb6442665ef46fece1c0691bea525113d0bdd21ee6b55 0 -/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 1386019cf190de261cf63fb915d3fe311691b5bff65b0870cc861614b6f3bfcf 0 -/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml fc1558a66d46890a91c7c97ab0c2ede684a1f11d87fb17f81283ccc37e9b4aaf 0 -/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml a2cf01508948b23a2a17b7bb06e7d5bf17666c6620b7ad2c8bf9ae239c8efe26 0 -/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 060f4834588c8d4023757b75305c8addac37814535260b992c58e3c2b8f666ed 0 +/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 82c40e4ec462bbb1817ba09d6e6196c26b75a16a9506f26dbeb229d981f792eb 0 +/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 39a98c788f61e3d05058a3c428263caf377f70c0558e2e80051027f9415db2e2 0 +/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml aa2083e49649c8458e3b5c4ab4fd09d40034b3f30b3cac426e7837286b5e70cf 0 +/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 8bd5a78aa17420fa94aab10471dabca6708fc78f97bc34badddf47041b83616e 0 ___QF_CHECKSUM___ comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file 
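Review bot: Every ssg-*-ds.xml, ssg-*-ds-1.2.xml, ssg-*-xccdf.xml and ssg-*-ocil.xml checksum in this hunk differs between two builds of the same 0.1.61 release, while the ssg-*-oval.xml, cpe-oval and cpe-dictionary files for the same products are unchanged, which means the XCCDF/datastream output is not reproducible. The HTML table hunks further down this page show only identical rule text moving between rows, so the likely cause is non-deterministic rule ordering in the content generator (not visible here; to confirm against the build scripts). For the consumer this matters: anyone pinning a datastream by hash, signing it for a scanner policy bundle, or diffing it against a reference cannot distinguish a benign reorder from tampered or injected rules, and a per-build-unique hash also defeats reproducible-build verification of the package itself. I would make the generator emit rules, groups and OCIL questionnaires in a stable sorted order and add a CI step that builds twice and fails if `sha256sum ssg-*-ds.xml` differs between the two runs.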
checksum differs. Extracting packages /usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text) --- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -75,38 +75,39 @@ BP28(R1) - Uninstall rsh Package + Uninstall telnet-server Package - -The rsh package contains the client commands - -for the rsh services +The telnet-server package can be removed with the following command: +
+$ sudo yum erase telnet-server
-These legacy clients contain numerous security exposures and have -been replaced with the more secure SSH package. Even if the server is removed, -it is best to ensure the clients are also removed to prevent users from -inadvertently attempting to use these commands and therefore exposing - -their credentials. Note that removing the rsh package removes - -the clients for rsh,rcp, and rlogin. +It is detrimental for operating systems to provide, or install by default, +functionality exceeding requirements or mission objectives. These +unnecessary capabilities are often overlooked and therefore may remain +unsecure. They increase the risk to the platform by providing additional +attack vectors. +
+The telnet service provides an unencrypted remote access service which does +not provide for the confidentiality and integrity of user passwords or the +remote session. If a privileged user were to login using this service, the +privileged user password could be compromised. +
+Removing the telnet-server package decreases the risk of the +telnet service's accidental (or intentional) activation. BP28(R1) - Uninstall Sendmail Package + Uninstall xinetd Package -Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: +The xinetd package can be removed with the following command:
-$ sudo yum erase sendmail
+$ sudo yum erase xinetd -The sendmail software was not developed with security in mind and -its design prevents it from being effectively contained by SELinux. Postfix -should be used instead. +Removing the xinetd package decreases the risk of the +xinetd service's accidental (or intentional) activation. @@ -123,6 +124,22 @@ BP28(R1) + Uninstall Sendmail Package + +Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command: +
+$ sudo yum erase sendmail
+ + +The sendmail software was not developed with security in mind and +its design prevents it from being effectively contained by SELinux. Postfix +should be used instead. + + + + BP28(R1) Uninstall talk Package The talk package contains the client program for the @@ -140,18 +157,6 @@ - BP28(R1)
NT007(R03) - Uninstall the telnet server - -The telnet daemon should be uninstalled. - - -telnet allows clear text communications, and does not protect -any data transmission between client and server. Any confidential data -can be listened and no integrity checking is made.' - - - BP28(R1) Uninstall ypserv Package @@ -170,26 +175,34 @@ BP28(R1) - Uninstall telnet-server Package + Uninstall rsh Package -The telnet-server package can be removed with the following command: -
-$ sudo yum erase telnet-server
+ +The rsh package contains the client commands + +for the rsh services -It is detrimental for operating systems to provide, or install by default, -functionality exceeding requirements or mission objectives. These -unnecessary capabilities are often overlooked and therefore may remain -unsecure. They increase the risk to the platform by providing additional -attack vectors. -
-The telnet service provides an unencrypted remote access service which does -not provide for the confidentiality and integrity of user passwords or the -remote session. If a privileged user were to login using this service, the -privileged user password could be compromised. -
-Removing the telnet-server package decreases the risk of the -telnet service's accidental (or intentional) activation. +These legacy clients contain numerous security exposures and have +been replaced with the more secure SSH package. Even if the server is removed, +it is best to ensure the clients are also removed to prevent users from +inadvertently attempting to use these commands and therefore exposing + +their credentials. Note that removing the rsh package removes + +the clients for rsh,rcp, and rlogin. + + + + BP28(R1)
NT007(R03) + Uninstall the telnet server + +The telnet daemon should be uninstalled. + + +telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.' @@ -208,15 +221,19 @@ BP28(R1) - Uninstall xinetd Package + Remove NIS Client -The xinetd package can be removed with the following command: -
-$ sudo yum erase xinetd
+The Network Information Service (NIS), formerly known as Yellow Pages, +is a client-server directory service protocol used to distribute system configuration +files. The NIS client (ypbind) was used to bind a system to an NIS server +and receive the distributed configuration files. -Removing the xinetd package decreases the risk of the -xinetd service's accidental (or intentional) activation. +The NIS service is inherently an insecure system that has been vulnerable +to DOS attacks, buffer overflows and has poor authentication for querying +NIS maps. NIS generally has been replaced by such protocols as Lightweight +Directory Access Protocol (LDAP). It is recommended that the service be +removed. @@ -237,23 +254,6 @@ - BP28(R1) - Remove NIS Client - -The Network Information Service (NIS), formerly known as Yellow Pages, -is a client-server directory service protocol used to distribute system configuration -files. The NIS client (ypbind) was used to bind a system to an NIS server -and receive the distributed configuration files. - - -The NIS service is inherently an insecure system that has been vulnerable -to DOS attacks, buffer overflows and has poor authentication for querying -NIS maps. NIS generally has been replaced by such protocols as Lightweight -Directory Access Protocol (LDAP). It is recommended that the service be /usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -42,46 +42,29 @@ Rationale - 3.1.1
3.1.5 - Disable SSH Access via Empty Passwords - -Disallow SSH login with empty passwords. -The default SSH configuration disables logins with empty passwords. The appropriate -configuration is used if no value is set for PermitEmptyPasswords. -
-To explicitly disallow SSH login from accounts with empty passwords, -add or correct the following line in - - -/etc/ssh/sshd_config: - -
-
PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration -should prevent users from being able to assign themselves empty passwords. - - -Configuring this setting for the SSH daemon provides additional assurance -that remote login via SSH will require a password, even in the event of -misconfiguration elsewhere. - - - - 3.1.1
3.4.5 - Require Authentication for Single User Mode + 3.1.1
3.1.6 + Direct root Logins Not Allowed -Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. By default, no authentication -is performed if single-user mode is selected. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. +To further limit access to the root account, administrators +can disable root logins at the console by editing the /etc/securetty file. +This file lists all devices the root user is allowed to login to. If the file does +not exist at all, the root user can login through any communication device on the +system, whether via the console or via a raw network interface. This is dangerous +as user can login to the system as root via Telnet, which sends the password in +plain text over the network. By default, Oracle Linux 7's +/etc/securetty file only allows the root user to login at the console +physically attached to the system. To prevent root from logging in, remove the +contents of this file. To prevent direct root logins, remove the contents of this +file by typing the following command: +
+$ sudo echo > /etc/securetty
+
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +Disabling direct root logins ensures proper accountability and multifactor +authentication to privileged accounts. Users will first login, then escalate +to privileged (root) access via su / sudo. This is required for FISMA Low +and FISMA Moderate systems. @@ -105,34 +88,44 @@ 3.1.1
3.1.5 - Restrict Serial Port Root Logins + Disable SSH Access via Empty Passwords -To restrict root logins on serial ports, -ensure lines of this form do not appear in /etc/securetty: -
ttyS0
-ttyS1
+Disallow SSH login with empty passwords. +The default SSH configuration disables logins with empty passwords. The appropriate +configuration is used if no value is set for PermitEmptyPasswords. +
+To explicitly disallow SSH login from accounts with empty passwords, +add or correct the following line in + + +/etc/ssh/sshd_config: + +
+
PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration +should prevent users from being able to assign themselves empty passwords. -Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the systems -using the root account. +Configuring this setting for the SSH daemon provides additional assurance +that remote login via SSH will require a password, even in the event of +misconfiguration elsewhere. - 3.1.1
3.4.5 - Require Authentication for Emergency Systemd Target + 3.1.1
3.1.5 + Restrict Virtual Console Root Logins -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +To restrict root logins through the (deprecated) virtual console devices, +ensure lines of this form do not appear in /etc/securetty: +
vc/1
+vc/2
+vc/3
+vc/4
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +Preventing direct root login to virtual console devices +helps ensure accountability for actions taken on the system +using the root account. @@ -154,19 +147,40 @@ 3.1.1
3.1.5 - Restrict Virtual Console Root Logins + Verify Only Root Has UID 0 -To restrict root logins through the (deprecated) virtual console devices, -ensure lines of this form do not appear in /etc/securetty: -
vc/1
-vc/2
-vc/3
-vc/4
+If any account other than root has a UID of 0, this misconfiguration should +be investigated and the accounts other than root should be removed or have +their UID changed. +
+If the account is associated with system commands or applications the UID +should be changed to one greater than "0" but less than "1000." +Otherwise assign a UID greater than "1000" that has not already been +assigned. -Preventing direct root login to virtual console devices -helps ensure accountability for actions taken on the system -using the root account. +An account has root authority if it has a UID of 0. Multiple accounts +with a UID of 0 afford more opportunity for potential intruders to +guess a password for a privileged account. Proper configuration of +sudo is recommended to afford multiple system administrators +access to root privileges in an accountable manner. + + + + 3.1.1
3.4.5 + Require Authentication for Emergency Systemd Target + +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + + +This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password. @@ -208,87 +222,72 @@ - 3.1.1
3.1.6 - Direct root Logins Not Allowed + 3.1.1
3.1.5 + Restrict Serial Port Root Logins -To further limit access to the root account, administrators -can disable root logins at the console by editing the /etc/securetty file. -This file lists all devices the root user is allowed to login to. If the file does -not exist at all, the root user can login through any communication device on the -system, whether via the console or via a raw network interface. This is dangerous -as user can login to the system as root via Telnet, which sends the password in -plain text over the network. By default, Oracle Linux 7's /usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -43,61 +43,22 @@ AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT - -The audit system should collect unauthorized file accesses for -all users and root. The open_by_handle_at syscall can be used to create new files -when O_CREAT flag is specified. - -The following auidt rules will asure that unsuccessful attempts to create a -file via open_by_handle_at syscall are collected. - -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to -/etc/audit/audit.rules file. -
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- - -Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - - - AU-2(d)
AU-12(c)
CM-6(a) - Record Events that Modify the System's Discretionary Access Controls - removexattr + Record Events that Modify the System's Discretionary Access Controls - chown At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
The changing of file permissions could indicate that a user is attempting to
@@ -108,165 +69,134 @@ AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessul Permission Changes to Files - lremovexattr + Record Unsuccessful Access Attempts to Files - open -The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured +At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. -
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines: -
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) - Ensure auditd Collects Information on the Use of Privileged Commands - crontab + Ensure auditd Collects Information on Exporting to Media (successful) -At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
+At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. +The unauthorized exportation of data to external media could result in an information leak +where classified information, Privacy Act information, and intellectual property could be lost. An audit +trail should be created each time a filesystem is mounted to help identify and guard against information +loss. AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessful Access Attempts to Files - ftruncate + Record Unsuccessul Ownership Changes to Files - chown -At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured +The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +.rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +/etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-04-04 00:00:00.000000000 +0000
@@ -43,15 +43,16 @@ FAU_GEN.1 - Include Local Events in Audit Logs + Set number of records to cause an explicit flush to audit logs -To configure Audit daemon to include local events in Audit logs, set -local_events to yes in /etc/audit/auditd.conf. -This is the default setting. +To configure Audit daemon to issue an explicit flush to disk command +after writing 50 records, set freq to 50 +in /etc/audit/auditd.conf. -If option local_events isn't set to yes only events from -network will be aggregated. +If option freq isn't set to 50, the flush to disk +may happen after higher number of records, increasing the danger +of audit loss.
@@ -77,20 +78,6 @@ FAU_GEN.1 - Set number of records to cause an explicit flush to audit logs - -To configure Audit daemon to issue an explicit flush to disk command -after writing 50 records, set freq to 50 -in /etc/audit/auditd.conf. - - -If option freq isn't set to 50, the flush to disk -may happen after higher number of records, increasing the danger -of audit loss. - - - - FAU_GEN.1 Enable auditd Service The auditd service is an essential userspace component of
@@ -122,87 +109,36 @@ - FAU_GEN.1.1.c - Record Events that Modify User/Group Information - /etc/gshadow - -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
- - -In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. Any unexpected -users, groups, or modifications should be investigated for legitimacy. - - - - FAU_GEN.1.1.c - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + FAU_GEN.1 + Include Local Events in Audit Logs -The audit system should collect unauthorized file accesses for -all users and root. The open_by_handle_at syscall can be used to create new files -when O_CREAT flag is specified. - -The following auidt rules will asure that unsuccessful attempts to create a -file via open_by_handle_at syscall are collected. - -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to -/etc/audit/audit.rules file. -
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+To configure Audit daemon to include local events in Audit logs, set +local_events to yes in /etc/audit/auditd.conf. +This is the default setting. -Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. +If option local_events isn't set to yes only events from +network will be aggregated. FAU_GEN.1.1.c - Record Events that Modify the System's Discretionary Access Controls - removexattr + Record Events that Modify the System's Discretionary Access Controls - chown At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
The changing of file permissions could indicate that a user is attempting to @@ -213,82 +149,57 @@ FAU_GEN.1.1.c - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + Configure auditd to use audispd's syslog plugin -The audit system should collect write events to /etc/passwd file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
+To configure the auditd service to use the +syslog plug-in of the audispd audit event multiplexor, set +the active line in /etc/audisp/plugins.d/syslog.conf to yes. +Restart the auditd service: +
$ sudo service auditd restart
-Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. +The auditd service does not include the ability to send audit +records to a centralized server for management directly. It does, however, +include a plug-in for audit event multiplexor (audispd) to pass audit records +to the local syslog server FAU_GEN.1.1.c - Record Events that Modify User/Group Information - /etc/shadow + Record Unsuccessful Access Attempts to Files - open -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-04-04 00:00:00.000000000 +0000
@@ -59,19 +59,30 @@ Req-6.2 - Ensure gpgcheck Enabled for All yum Package Repositories + Ensure gpgcheck Enabled In Main yum Configuration -To ensure signature checking is not disabled for -any repos, remove any lines from files in /etc/yum.repos.d of the form: -
gpgcheck=0
+The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
-Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This ensures -the software has not been tampered with and that it has been provided by a -trusted vendor. Self-signed certificates are disallowed by this -requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA)." +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. +
+Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +
Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA).
@@ -99,30 +110,19 @@ Req-6.2 - Ensure gpgcheck Enabled In Main yum Configuration + Ensure gpgcheck Enabled for All yum Package Repositories -The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
+To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +
gpgcheck=0
-Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the -software has not been tampered with and that it has been provided by a -trusted vendor. -
-Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. -
Verifying the authenticity of the software prior to installation -validates the integrity of the patch or upgrade received from a vendor. -This ensures the software has not been tampered with and that it has been -provided by a trusted vendor. Self-signed certificates are disallowed by -this requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA). +Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This ensures +the software has not been tampered with and that it has been provided by a +trusted vendor. Self-signed certificates are disallowed by this +requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA)."
@@ -155,14 +155,30 @@ Req-7.1 - Verify the UEFI Boot Loader grub.cfg User Ownership + Verify the UEFI Boot Loader grub.cfg Group Ownership The file /boot/efi/EFI/redhat/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. + +To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+ + +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway. + + + + Req-7.1 + Verify /boot/grub2/grub.cfg User Ownership + +The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg 
Only root should be able to modify important boot parameters.
@@ -170,18 +186,17 @@ Req-7.1 - Verify the UEFI Boot Loader grub.cfg Group Ownership + Verify the UEFI Boot Loader grub.cfg User Ownership The file /boot/efi/EFI/redhat/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters.
@@ -201,21 +216,6 @@ - Req-7.1 - Verify /boot/grub2/grub.cfg User Ownership - -The file /boot/grub2/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. - -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg 
- - -Only root should be able to modify important boot parameters. - - - Req-8.1.1 Ensure All Accounts on the System Have Unique Names
@@ -289,77 +289,50 @@ Req-8.1.8 - Enable GNOME3 Screensaver Lock After Idle Period + Set SSH Client Alive Count Max - -To activate locking of the screensaver in the GNOME3 desktop when it is activated, -add or set lock-enabled to true in -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/desktop/screensaver]
-lock-enabled=true
-
-Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update. +The SSH server sends at most ClientAliveCountMax messages +during a SSH session and waits for a response from the SSH client. +The option ClientAliveInterval configures timeout after +each ClientAliveCountMax message. If the SSH server does not +receive a response from the client, then the connection is considered idle +and terminated. +For SSH earlier than v8.2, a ClientAliveCountMax value of 0 +causes an idle timeout precisely when the ClientAliveInterval is set. +Starting with v8.2, a value of 0 disables the timeout functionality +completely. If the option is set to a number greater than 0, then +the idle session will be disconnected after +ClientAliveInterval * ClientAliveCountMax seconds. -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity -of the information system but does not want to logout because of the temporary nature of the absense.
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-04-04 00:00:00.000000000 +0000
@@ -75,38 +75,39 @@ BP28(R1) - Uninstall rsh Package + Uninstall telnet-server Package - -The rsh package contains the client commands - -for the rsh services +The telnet-server package can be removed with the following command: +
+$ sudo yum erase telnet-server
-These legacy clients contain numerous security exposures and have -been replaced with the more secure SSH package. Even if the server is removed, -it is best to ensure the clients are also removed to prevent users from -inadvertently attempting to use these commands and therefore exposing - -their credentials. Note that removing the rsh package removes - -the clients for rsh,rcp, and rlogin. +It is detrimental for operating systems to provide, or install by default, +functionality exceeding requirements or mission objectives. These +unnecessary capabilities are often overlooked and therefore may remain +unsecure. They increase the risk to the platform by providing additional +attack vectors. +
+The telnet service provides an unencrypted remote access service which does +not provide for the confidentiality and integrity of user passwords or the +remote session. If a privileged user were to login using this service, the +privileged user password could be compromised. +
+Removing the telnet-server package decreases the risk of the +telnet service's accidental (or intentional) activation. BP28(R1) - Uninstall Sendmail Package + Uninstall xinetd Package -Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: +The xinetd package can be removed with the following command:
-$ sudo yum erase sendmail
+$ sudo yum erase xinetd -The sendmail software was not developed with security in mind and -its design prevents it from being effectively contained by SELinux. Postfix -should be used instead. +Removing the xinetd package decreases the risk of the +xinetd service's accidental (or intentional) activation.
@@ -123,6 +124,22 @@ BP28(R1) + Uninstall Sendmail Package + +Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command: +
+$ sudo yum erase sendmail
+ + +The sendmail software was not developed with security in mind and +its design prevents it from being effectively contained by SELinux. Postfix +should be used instead. + + + + BP28(R1) Uninstall talk Package The talk package contains the client program for the
@@ -140,18 +157,6 @@ - BP28(R1)
NT007(R03) - Uninstall the telnet server - -The telnet daemon should be uninstalled. - - -telnet allows clear text communications, and does not protect -any data transmission between client and server. Any confidential data -can be listened and no integrity checking is made.' - - - BP28(R1) Uninstall ypserv Package
@@ -170,26 +175,34 @@ BP28(R1) - Uninstall telnet-server Package + Uninstall rsh Package -The telnet-server package can be removed with the following command: -
-$ sudo yum erase telnet-server
+ +The rsh package contains the client commands + +for the rsh services -It is detrimental for operating systems to provide, or install by default, -functionality exceeding requirements or mission objectives. These -unnecessary capabilities are often overlooked and therefore may remain -unsecure. They increase the risk to the platform by providing additional -attack vectors. -
-The telnet service provides an unencrypted remote access service which does -not provide for the confidentiality and integrity of user passwords or the -remote session. If a privileged user were to login using this service, the -privileged user password could be compromised. -
-Removing the telnet-server package decreases the risk of the -telnet service's accidental (or intentional) activation. +These legacy clients contain numerous security exposures and have +been replaced with the more secure SSH package. Even if the server is removed, +it is best to ensure the clients are also removed to prevent users from +inadvertently attempting to use these commands and therefore exposing + +their credentials. Note that removing the rsh package removes + +the clients for rsh,rcp, and rlogin. + + + + BP28(R1)
NT007(R03) + Uninstall the telnet server + +The telnet daemon should be uninstalled. + + +telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.'
@@ -208,15 +221,19 @@ BP28(R1) - Uninstall xinetd Package + Remove NIS Client -The xinetd package can be removed with the following command: -
-$ sudo yum erase xinetd
+The Network Information Service (NIS), formerly known as Yellow Pages, +is a client-server directory service protocol used to distribute system configuration +files. The NIS client (ypbind) was used to bind a system to an NIS server +and receive the distributed configuration files. -Removing the xinetd package decreases the risk of the -xinetd service's accidental (or intentional) activation. +The NIS service is inherently an insecure system that has been vulnerable +to DOS attacks, buffer overflows and has poor authentication for querying +NIS maps. NIS generally has been replaced by such protocols as Lightweight +Directory Access Protocol (LDAP). It is recommended that the service be +removed.
@@ -237,23 +254,6 @@ - BP28(R1) - Remove NIS Client - -The Network Information Service (NIS), formerly known as Yellow Pages, -is a client-server directory service protocol used to distribute system configuration -files. The NIS client (ypbind) was used to bind a system to an NIS server -and receive the distributed configuration files. - - -The NIS service is inherently an insecure system that has been vulnerable -to DOS attacks, buffer overflows and has poor authentication for querying -NIS maps. NIS generally has been replaced by such protocols as Lightweight -Directory Access Protocol (LDAP). It is recommended that the service be
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-04-04 00:00:00.000000000 +0000
@@ -42,46 +42,29 @@ Rationale - 3.1.1
3.1.5 - Disable SSH Access via Empty Passwords - -Disallow SSH login with empty passwords. -The default SSH configuration disables logins with empty passwords. The appropriate -configuration is used if no value is set for PermitEmptyPasswords. -
-To explicitly disallow SSH login from accounts with empty passwords, -add or correct the following line in - - -/etc/ssh/sshd_config: - -
-
PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration -should prevent users from being able to assign themselves empty passwords. - - -Configuring this setting for the SSH daemon provides additional assurance -that remote login via SSH will require a password, even in the event of -misconfiguration elsewhere. - - - - 3.1.1
3.4.5 - Require Authentication for Single User Mode + 3.1.1
3.1.6 + Direct root Logins Not Allowed -Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. By default, no authentication -is performed if single-user mode is selected. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. +To further limit access to the root account, administrators +can disable root logins at the console by editing the /etc/securetty file. +This file lists all devices the root user is allowed to login to. If the file does +not exist at all, the root user can login through any communication device on the +system, whether via the console or via a raw network interface. This is dangerous +as user can login to the system as root via Telnet, which sends the password in +plain text over the network. By default, Oracle Linux 8's +/etc/securetty file only allows the root user to login at the console +physically attached to the system. To prevent root from logging in, remove the +contents of this file. To prevent direct root logins, remove the contents of this +file by typing the following command: +
+$ sudo echo > /etc/securetty
+
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +Disabling direct root logins ensures proper accountability and multifactor +authentication to privileged accounts. Users will first login, then escalate +to privileged (root) access via su / sudo. This is required for FISMA Low +and FISMA Moderate systems.
@@ -105,34 +88,44 @@ 3.1.1
3.1.5 - Restrict Serial Port Root Logins + Disable SSH Access via Empty Passwords -To restrict root logins on serial ports, -ensure lines of this form do not appear in /etc/securetty: -
ttyS0
-ttyS1
+Disallow SSH login with empty passwords. +The default SSH configuration disables logins with empty passwords. The appropriate +configuration is used if no value is set for PermitEmptyPasswords. +
+To explicitly disallow SSH login from accounts with empty passwords, +add or correct the following line in + + +/etc/ssh/sshd_config: + +
+
PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration +should prevent users from being able to assign themselves empty passwords. -Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the systems -using the root account. +Configuring this setting for the SSH daemon provides additional assurance +that remote login via SSH will require a password, even in the event of +misconfiguration elsewhere. - 3.1.1
3.4.5 - Require Authentication for Emergency Systemd Target + 3.1.1
3.1.5 + Restrict Virtual Console Root Logins -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +To restrict root logins through the (deprecated) virtual console devices, +ensure lines of this form do not appear in /etc/securetty: +
vc/1
+vc/2
+vc/3
+vc/4
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +Preventing direct root login to virtual console devices +helps ensure accountability for actions taken on the system +using the root account.
@@ -154,19 +147,40 @@ 3.1.1
3.1.5 - Restrict Virtual Console Root Logins + Verify Only Root Has UID 0 -To restrict root logins through the (deprecated) virtual console devices, -ensure lines of this form do not appear in /etc/securetty: -
vc/1
-vc/2
-vc/3
-vc/4
+If any account other than root has a UID of 0, this misconfiguration should +be investigated and the accounts other than root should be removed or have +their UID changed. +
+If the account is associated with system commands or applications the UID +should be changed to one greater than "0" but less than "1000." +Otherwise assign a UID greater than "1000" that has not already been +assigned. -Preventing direct root login to virtual console devices -helps ensure accountability for actions taken on the system -using the root account. +An account has root authority if it has a UID of 0. Multiple accounts +with a UID of 0 afford more opportunity for potential intruders to +guess a password for a privileged account. Proper configuration of +sudo is recommended to afford multiple system administrators +access to root privileges in an accountable manner. + + + + 3.1.1
3.4.5 + Require Authentication for Emergency Systemd Target + +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + + +This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password.
@@ -208,87 +222,72 @@ - 3.1.1
3.1.6 - Direct root Logins Not Allowed + 3.1.1
3.1.5 + Restrict Serial Port Root Logins -To further limit access to the root account, administrators -can disable root logins at the console by editing the /etc/securetty file. -This file lists all devices the root user is allowed to login to. If the file does -not exist at all, the root user can login through any communication device on the -system, whether via the console or via a raw network interface. This is dangerous -as user can login to the system as root via Telnet, which sends the password in -plain text over the network. By default, Oracle Linux 8's
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-04-04 00:00:00.000000000 +0000
@@ -42,21 +42,113 @@ Rationale + AU-2(d)
AU-12(c)
CM-6(a) + Record Events that Modify the System's Discretionary Access Controls - chown + +At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ + +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + + + AU-2(d)
AU-12(c)
CM-6(a) + Record Unsuccessful Access Attempts to Files - open + +At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ + +Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) + Ensure auditd Collects Information on Exporting to Media (successful) + +At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ + +The unauthorized exportation of data to external media could result in an information leak +where classified information, Privacy Act information, and intellectual property could be lost. An audit +trail should be created each time a filesystem is mounted to help identify and guard against information +loss. + + + AU-2(a) - Configure auditing of successful file accesses + Configure auditing of unsuccessful file creations -Ensure that successful attempts to access a file are audited. +Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: -
## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access    
+
## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create    
-The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules. +The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
-cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
+cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
 
Load new Audit rules into kernel by running:
@@ -65,66 +157,82 @@ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -Auditing of successful attempts to access a file helps in investigation of activities performed on the system. +Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + Record Unsuccessul Ownership Changes to Files - chown -The audit system should collect unauthorized file accesses for -all users and root. The open_by_handle_at syscall can be used to create new files -when O_CREAT flag is specified. - -The following auidt rules will asure that unsuccessful attempts to create a -file via open_by_handle_at syscall are collected. +The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+ + +Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + AU-2(d)
AU-12(c)
CM-6(a) + Record Unsuccessul Ownership Changes to Files - lchown + +The audit system should collect unsuccessful file ownership change +attempts for all users and root. -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+ +
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-04-04 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-04-04 00:00:00.000000000 +0000
@@ -59,19 +59,30 @@ Req-6.2 - Ensure gpgcheck Enabled for All yum Package Repositories + Ensure gpgcheck Enabled In Main yum Configuration -To ensure signature checking is not disabled for -any repos, remove any lines from files in /etc/yum.repos.d of the form: -
gpgcheck=0
+The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
-Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This ensures -the software has not been tampered with and that it has been provided by a -trusted vendor. Self-signed certificates are disallowed by this -requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA)." +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. +
+Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +
Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA).
@@ -99,30 +110,19 @@ Req-6.2 - Ensure gpgcheck Enabled In Main yum Configuration + Ensure gpgcheck Enabled for All yum Package Repositories -The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
+To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +
gpgcheck=0
-Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the -software has not been tampered with and that it has been provided by a -trusted vendor. -
-Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. -
Verifying the authenticity of the software prior to installation -validates the integrity of the patch or upgrade received from a vendor. -This ensures the software has not been tampered with and that it has been -provided by a trusted vendor. Self-signed certificates are disallowed by -this requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA). +Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This ensures +the software has not been tampered with and that it has been provided by a +trusted vendor. Self-signed certificates are disallowed by this +requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA)." @@ -155,14 +155,30 @@ Req-7.1 - Verify the UEFI Boot Loader grub.cfg User Ownership + Verify the UEFI Boot Loader grub.cfg Group Ownership The file /boot/efi/EFI/redhat/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. + +To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+ + +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway. + + + + Req-7.1 + Verify /boot/grub2/grub.cfg User Ownership + +The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg 
Only root should be able to modify important boot parameters.
@@ -170,18 +186,17 @@ Req-7.1 - Verify the UEFI Boot Loader grub.cfg Group Ownership + Verify the UEFI Boot Loader grub.cfg User Ownership The file /boot/efi/EFI/redhat/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters.
@@ -201,21 +216,6 @@ - Req-7.1 - Verify /boot/grub2/grub.cfg User Ownership - -The file /boot/grub2/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. - -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg 
- - -Only root should be able to modify important boot parameters. - - - Req-8.1.1 Ensure All Accounts on the System Have Unique Names
@@ -289,77 +289,50 @@ Req-8.1.8 - Enable GNOME3 Screensaver Lock After Idle Period + Set SSH Client Alive Count Max - -To activate locking of the screensaver in the GNOME3 desktop when it is activated, -add or set lock-enabled to true in -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/desktop/screensaver]
-lock-enabled=true
-
-Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update. +The SSH server sends at most ClientAliveCountMax messages +during a SSH session and waits for a response from the SSH client. +The option ClientAliveInterval configures timeout after +each ClientAliveCountMax message. If the SSH server does not +receive a response from the client, then the connection is considered idle +and terminated. +For SSH earlier than v8.2, a ClientAliveCountMax value of 0 +causes an idle timeout precisely when the ClientAliveInterval is set. +Starting with v8.2, a value of 0 disables the timeout functionality +completely. If the option is set to a number greater than 0, then +the idle session will be disconnected after +ClientAliveInterval * ClientAliveCountMax seconds. -A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity -of the information system but does not want to logout because of the temporary nature of the absense. /usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -42,21 +42,113 @@ Rationale + AU-2(d)
AU-12(c)
CM-6(a) + Record Events that Modify the System's Discretionary Access Controls - chown + +At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ + +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + + + AU-2(d)
AU-12(c)
CM-6(a) + Record Unsuccessful Access Attempts to Files - open + +At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ + +Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) + Ensure auditd Collects Information on Exporting to Media (successful) + +At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ + +The unauthorized exportation of data to external media could result in an information leak +where classified information, Privacy Act information, and intellectual property could be lost. An audit +trail should be created each time a filesystem is mounted to help identify and guard against information +loss. + + + AU-2(a) - Configure auditing of successful file accesses + Configure auditing of unsuccessful file creations -Ensure that successful attempts to access a file are audited. +Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: -
## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access    
+
## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create    
-The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules. +The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
-cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
+cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
 
Load new Audit rules into kernel by running: @@ -65,66 +157,82 @@ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -Auditing of successful attempts to access a file helps in investigation of activities performed on the system. +Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + Record Unsuccessul Ownership Changes to Files - chown -The audit system should collect unauthorized file accesses for -all users and root. The open_by_handle_at syscall can be used to create new files -when O_CREAT flag is specified. - -The following auidt rules will asure that unsuccessful attempts to create a -file via open_by_handle_at syscall are collected. +The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+ + +Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + AU-2(d)
AU-12(c)
CM-6(a) + Record Unsuccessul Ownership Changes to Files - lchown + +The audit system should collect unsuccessful file ownership change +attempts for all users and root. -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+ +
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -75,22 +75,51 @@ BP28(R1) - Uninstall rsh Package + Uninstall telnet-server Package - -The rsh package contains the client commands - -for the rsh services +The telnet-server package can be removed with the following command: +
+$ sudo yum erase telnet-server
-These legacy clients contain numerous security exposures and have -been replaced with the more secure SSH package. Even if the server is removed, -it is best to ensure the clients are also removed to prevent users from -inadvertently attempting to use these commands and therefore exposing - -their credentials. Note that removing the rsh package removes - -the clients for rsh,rcp, and rlogin. +It is detrimental for operating systems to provide, or install by default, +functionality exceeding requirements or mission objectives. These +unnecessary capabilities are often overlooked and therefore may remain +unsecure. They increase the risk to the platform by providing additional +attack vectors. +
+The telnet service provides an unencrypted remote access service which does +not provide for the confidentiality and integrity of user passwords or the +remote session. If a privileged user were to login using this service, the +privileged user password could be compromised. +
+Removing the telnet-server package decreases the risk of the +telnet service's accidental (or intentional) activation. + + + + BP28(R1) + Uninstall xinetd Package + +The xinetd package can be removed with the following command: +
+$ sudo yum erase xinetd
+ + +Removing the xinetd package decreases the risk of the +xinetd service's accidental (or intentional) activation. + + + + BP28(R1) + Uninstall talk-server Package + +The talk-server package can be removed with the following command:
 $ sudo yum erase talk-server
+ + +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the talk-server package decreases the +risk of the accidental (or intentional) activation of talk services. @@ -111,14 +140,17 @@ BP28(R1) - Uninstall talk-server Package + Remove tftp Daemon -The talk-server package can be removed with the following command:
 $ sudo yum erase talk-server
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, +typically used to automatically transfer configuration or boot files between systems. +TFTP does not support authentication and can be easily hacked. The package +tftp is a client program that allows for connections to a tftp server. -The talk software presents a security risk as it uses unencrypted protocols -for communications. Removing the talk-server package decreases the -risk of the accidental (or intentional) activation of talk services. +It is recommended that TFTP be removed, unless there is a specific need +for TFTP (such as a boot server). In that case, use extreme caution when configuring +the services. @@ -140,18 +172,6 @@ - BP28(R1)
NT007(R03) - Uninstall the telnet server - -The telnet daemon should be uninstalled. - - -telnet allows clear text communications, and does not protect -any data transmission between client and server. Any confidential data -can be listened and no integrity checking is made.' - - - BP28(R1) Uninstall ypserv Package @@ -170,41 +190,34 @@ BP28(R1) - Remove tftp Daemon + Uninstall rsh Package -Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, -typically used to automatically transfer configuration or boot files between systems. -TFTP does not support authentication and can be easily hacked. The package -tftp is a client program that allows for connections to a tftp server. + +The rsh package contains the client commands + +for the rsh services -It is recommended that TFTP be removed, unless there is a specific need -for TFTP (such as a boot server). In that case, use extreme caution when configuring -the services. +These legacy clients contain numerous security exposures and have +been replaced with the more secure SSH package. Even if the server is removed, +it is best to ensure the clients are also removed to prevent users from +inadvertently attempting to use these commands and therefore exposing + +their credentials. Note that removing the rsh package removes + +the clients for rsh,rcp, and rlogin. - BP28(R1) - Uninstall telnet-server Package + BP28(R1)
NT007(R03) + Uninstall the telnet server -The telnet-server package can be removed with the following command: -
-$ sudo yum erase telnet-server
+The telnet daemon should be uninstalled. -It is detrimental for operating systems to provide, or install by default, -functionality exceeding requirements or mission objectives. These -unnecessary capabilities are often overlooked and therefore may remain -unsecure. They increase the risk to the platform by providing additional -attack vectors. -
-The telnet service provides an unencrypted remote access service which does -not provide for the confidentiality and integrity of user passwords or the -remote session. If a privileged user were to login using this service, the -privileged user password could be compromised. -
-Removing the telnet-server package decreases the risk of the -telnet service's accidental (or intentional) activation. +telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.' @@ -223,15 +236,19 @@ BP28(R1) - Uninstall xinetd Package + Remove NIS Client -The xinetd package can be removed with the following command: -
-$ sudo yum erase xinetd
+The Network Information Service (NIS), formerly known as Yellow Pages, +is a client-server directory service protocol used to distribute system configuration +files. The NIS client (ypbind) was used to bind a system to an NIS server +and receive the distributed configuration files. -Removing the xinetd package decreases the risk of the -xinetd service's accidental (or intentional) activation. +The NIS service is inherently an insecure system that has been vulnerable +to DOS attacks, buffer overflows and has poor authentication for querying +NIS maps. NIS generally has been replaced by such protocols as Lightweight +Directory Access Protocol (LDAP). It is recommended that the service be +removed. @@ -252,23 +269,6 @@ /usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -63,21 +63,6 @@ 1.1.1.2 - Disable Mounting of freevxfs - - -To configure the system to prevent the freevxfs -kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: -
install freevxfs /bin/true
-This effectively prevents usage of this uncommon filesystem. - - -Linux kernel modules which implement filesystems that are not needed by the -local system should be disabled. - - - - 1.1.1.2 Disable Mounting of squashfs @@ -97,6 +82,21 @@ + 1.1.1.2 + Disable Mounting of freevxfs + + +To configure the system to prevent the freevxfs +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +
install freevxfs /bin/true
+This effectively prevents usage of this uncommon filesystem. + + +Linux kernel modules which implement filesystems that are not needed by the +local system should be disabled. + + + 1.1.1.3 Disable Mounting of udf @@ -553,23 +553,6 @@ 1.2.3 - Ensure gpgcheck Enabled for All yum Package Repositories - -To ensure signature checking is not disabled for -any repos, remove any lines from files in /etc/yum.repos.d of the form: -
gpgcheck=0
- - -Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This ensures -the software has not been tampered with and that it has been provided by a -trusted vendor. Self-signed certificates are disallowed by this -requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA)." - - - - 1.2.3 Ensure gpgcheck Enabled In Main yum Configuration The gpgcheck option controls whether @@ -626,6 +609,23 @@ + 1.2.3 + Ensure gpgcheck Enabled for All yum Package Repositories + +To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +
gpgcheck=0
+ + +Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This ensures +the software has not been tampered with and that it has been provided by a +trusted vendor. Self-signed certificates are disallowed by this +requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA)." + + + 1.2.5 Disable Red Hat Network Service (rhnsd) @@ -763,21 +763,6 @@ 1.4.2 - Verify the UEFI Boot Loader grub.cfg User Ownership - -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. - -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
- - -Only root should be able to modify important boot parameters. - - - - 1.4.2 Verify the UEFI Boot Loader grub.cfg Permissions File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. @@ -822,6 +807,36 @@ 1.4.2 + Verify /boot/grub2/grub.cfg User Ownership + +The file /boot/grub2/grub.cfg should +be owned by the root user to prevent destruction +or modification of the file. + +To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg 
+ + +Only root should be able to modify important boot parameters. + + + + 1.4.2 + Verify the UEFI Boot Loader grub.cfg User Ownership + +The file /boot/efi/EFI/redhat/grub.cfg should +be owned by the root user to prevent destruction +or modification of the file. + +To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
+ + +Only root should be able to modify important boot parameters. + + + + 1.4.2 Verify /boot/grub2/grub.cfg Group Ownership The file /boot/grub2/grub.cfg should @@ -837,18 +852,20 @@ - 1.4.2 - Verify /boot/grub2/grub.cfg User Ownership + 1.4.3 + Require Authentication for Emergency Systemd Target -The file /boot/grub2/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. - -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg 
+Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. -Only root should be able to modify important boot parameters. +This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password. @@ -870,20 +887,18 @@ - 1.4.3 - Require Authentication for Emergency Systemd Target + 1.5.1 + Disable Core Dumps for All Users -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +To disable core dumps for all users, add the following line to +/etc/security/limits.conf, or to a file within the /usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -42,46 +42,29 @@ Rationale - 3.1.1
3.1.5 - Disable SSH Access via Empty Passwords - -Disallow SSH login with empty passwords. -The default SSH configuration disables logins with empty passwords. The appropriate -configuration is used if no value is set for PermitEmptyPasswords. -
-To explicitly disallow SSH login from accounts with empty passwords, -add or correct the following line in - - -/etc/ssh/sshd_config: - -
-
PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration -should prevent users from being able to assign themselves empty passwords. - - -Configuring this setting for the SSH daemon provides additional assurance -that remote login via SSH will require a password, even in the event of -misconfiguration elsewhere. - - - - 3.1.1
3.4.5 - Require Authentication for Single User Mode + 3.1.1
3.1.6 + Direct root Logins Not Allowed -Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. By default, no authentication -is performed if single-user mode is selected. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. +To further limit access to the root account, administrators +can disable root logins at the console by editing the /etc/securetty file. +This file lists all devices the root user is allowed to login to. If the file does +not exist at all, the root user can login through any communication device on the +system, whether via the console or via a raw network interface. This is dangerous +as user can login to the system as root via Telnet, which sends the password in +plain text over the network. By default, Red Hat Enterprise Linux 7's +/etc/securetty file only allows the root user to login at the console +physically attached to the system. To prevent root from logging in, remove the +contents of this file. To prevent direct root logins, remove the contents of this +file by typing the following command: +
+$ sudo echo > /etc/securetty
+
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +Disabling direct root logins ensures proper accountability and multifactor +authentication to privileged accounts. Users will first login, then escalate +to privileged (root) access via su / sudo. This is required for FISMA Low +and FISMA Moderate systems. @@ -105,34 +88,44 @@ 3.1.1
3.1.5 - Restrict Serial Port Root Logins + Disable SSH Access via Empty Passwords -To restrict root logins on serial ports, -ensure lines of this form do not appear in /etc/securetty: -
ttyS0
-ttyS1
+Disallow SSH login with empty passwords. +The default SSH configuration disables logins with empty passwords. The appropriate +configuration is used if no value is set for PermitEmptyPasswords. +
+To explicitly disallow SSH login from accounts with empty passwords, +add or correct the following line in + + +/etc/ssh/sshd_config: + +
+
PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration +should prevent users from being able to assign themselves empty passwords. -Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the systems -using the root account. +Configuring this setting for the SSH daemon provides additional assurance +that remote login via SSH will require a password, even in the event of +misconfiguration elsewhere. - 3.1.1
3.4.5 - Require Authentication for Emergency Systemd Target + 3.1.1
3.1.5 + Restrict Virtual Console Root Logins -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +To restrict root logins through the (deprecated) virtual console devices, +ensure lines of this form do not appear in /etc/securetty: +
vc/1
+vc/2
+vc/3
+vc/4
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +Preventing direct root login to virtual console devices +helps ensure accountability for actions taken on the system +using the root account. @@ -154,19 +147,40 @@ 3.1.1
3.1.5 - Restrict Virtual Console Root Logins + Verify Only Root Has UID 0 -To restrict root logins through the (deprecated) virtual console devices, -ensure lines of this form do not appear in /etc/securetty: -
vc/1
-vc/2
-vc/3
-vc/4
+If any account other than root has a UID of 0, this misconfiguration should +be investigated and the accounts other than root should be removed or have +their UID changed. +
+If the account is associated with system commands or applications the UID +should be changed to one greater than "0" but less than "1000." +Otherwise assign a UID greater than "1000" that has not already been +assigned. -Preventing direct root login to virtual console devices -helps ensure accountability for actions taken on the system -using the root account. +An account has root authority if it has a UID of 0. Multiple accounts +with a UID of 0 afford more opportunity for potential intruders to +guess a password for a privileged account. Proper configuration of +sudo is recommended to afford multiple system administrators +access to root privileges in an accountable manner. + + + + 3.1.1
3.4.5 + Require Authentication for Emergency Systemd Target + +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + + +This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password. @@ -208,87 +222,72 @@ - 3.1.1
3.1.6 - Direct root Logins Not Allowed + 3.1.1
3.1.5 + Restrict Serial Port Root Logins -To further limit access to the root account, administrators -can disable root logins at the console by editing the /etc/securetty file. -This file lists all devices the root user is allowed to login to. If the file does -not exist at all, the root user can login through any communication device on the -system, whether via the console or via a raw network interface. This is dangerous -as user can login to the system as root via Telnet, which sends the password in -plain text over the network. By default, Red Hat Enterprise Linux 7's /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -43,61 +43,22 @@ AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT - -The audit system should collect unauthorized file accesses for -all users and root. The open_by_handle_at syscall can be used to create new files -when O_CREAT flag is specified. - -The following auidt rules will asure that unsuccessful attempts to create a -file via open_by_handle_at syscall are collected. - -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to -/etc/audit/audit.rules file. -
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- - -Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. - - - - AU-2(d)
AU-12(c)
CM-6(a) - Record Events that Modify the System's Discretionary Access Controls - removexattr + Record Events that Modify the System's Discretionary Access Controls - chown At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
The changing of file permissions could indicate that a user is attempting to @@ -108,165 +69,134 @@ AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessul Permission Changes to Files - lremovexattr + Record Unsuccessful Access Attempts to Files - open -The audit system should collect unsuccessful file permission change -attempts for all users and root. -If the auditd daemon is configured +At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. -
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ If the system is 64 bit then also add the following lines: -
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) - Ensure auditd Collects Information on the Use of Privileged Commands - crontab + Ensure auditd Collects Information on Exporting to Media (successful) -At a minimum, the audit system should collect the execution of -privileged commands for all users and root. If the auditd daemon is -configured to use the augenrules program to read audit rules during -daemon startup (the default), add a line of the following form to a file with -suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
+At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add a line of the following -form to /etc/audit/audit.rules: -
-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. +The unauthorized exportation of data to external media could result in an information leak +where classified information, Privacy Act information, and intellectual property could be lost. An audit +trail should be created each time a filesystem is mounted to help identify and guard against information +loss. AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessful Access Attempts to Files - ftruncate + Record Unsuccessul Ownership Changes to Files - chown -At a minimum, the audit system should collect unauthorized file -accesses for all users and root. If the auditd daemon is configured +The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +.rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- +/etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -43,15 +43,16 @@ FAU_GEN.1 - Include Local Events in Audit Logs + Set number of records to cause an explicit flush to audit logs -To configure Audit daemon to include local events in Audit logs, set -local_events to yes in /etc/audit/auditd.conf. -This is the default setting. +To configure Audit daemon to issue an explicit flush to disk command +after writing 50 records, set freq to 50 +in /etc/audit/auditd.conf. -If option local_events isn't set to yes only events from -network will be aggregated. +If option freq isn't set to 50, the flush to disk +may happen after higher number of records, increasing the danger +of audit loss. @@ -77,20 +78,6 @@ FAU_GEN.1 - Set number of records to cause an explicit flush to audit logs - -To configure Audit daemon to issue an explicit flush to disk command -after writing 50 records, set freq to 50 -in /etc/audit/auditd.conf. - - -If option freq isn't set to 50, the flush to disk -may happen after higher number of records, increasing the danger -of audit loss. - - - - FAU_GEN.1 Enable auditd Service The auditd service is an essential userspace component of @@ -122,87 +109,36 @@ - FAU_GEN.1.1.c - Record Events that Modify User/Group Information - /etc/gshadow - -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file, in order to capture events that modify -account changes: -

-
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
- - -In addition to auditing new user and group accounts, these watches -will alert the system administrator(s) to any modifications. Any unexpected -users, groups, or modifications should be investigated for legitimacy. - - - - FAU_GEN.1.1.c - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + FAU_GEN.1 + Include Local Events in Audit Logs -The audit system should collect unauthorized file accesses for -all users and root. The open_by_handle_at syscall can be used to create new files -when O_CREAT flag is specified. - -The following auidt rules will asure that unsuccessful attempts to create a -file via open_by_handle_at syscall are collected. - -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. - -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to -/etc/audit/audit.rules file. -
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
- -If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+To configure Audit daemon to include local events in Audit logs, set +local_events to yes in /etc/audit/auditd.conf. +This is the default setting. -Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. +If option local_events isn't set to yes only events from +network will be aggregated. FAU_GEN.1.1.c - Record Events that Modify the System's Discretionary Access Controls - removexattr + Record Events that Modify the System's Discretionary Access Controls - chown At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
The changing of file permissions could indicate that a user is attempting to @@ -213,82 +149,57 @@ FAU_GEN.1.1.c - Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + Configure auditd to use audispd's syslog plugin -The audit system should collect write events to /etc/passwd file for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
+To configure the auditd service to use the +syslog plug-in of the audispd audit event multiplexor, set +the active line in /etc/audisp/plugins.d/syslog.conf to yes. +Restart the auditd service: +
$ sudo service auditd restart
-Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. +The auditd service does not include the ability to send audit +records to a centralized server for management directly. It does, however, +include a plug-in for audit event multiplexor (audispd) to pass audit records +to the local syslog server FAU_GEN.1.1.c - Record Events that Modify User/Group Information - /etc/shadow + Record Unsuccessful Access Attempts to Files - open -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the -default), add the following lines to a file with suffix .rules in the -directory /etc/audit/rules.d, in order to capture events that modify -account changes: -

-
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-

+At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon /usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -59,19 +59,30 @@ Req-6.2 - Ensure gpgcheck Enabled for All yum Package Repositories + Ensure gpgcheck Enabled In Main yum Configuration -To ensure signature checking is not disabled for -any repos, remove any lines from files in /etc/yum.repos.d of the form: -
gpgcheck=0
+The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
-Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This ensures -the software has not been tampered with and that it has been provided by a -trusted vendor. Self-signed certificates are disallowed by this -requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA)." +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. +
+Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +
Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA). @@ -99,34 +110,6 @@ Req-6.2 - Ensure gpgcheck Enabled In Main yum Configuration - -The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
- - -Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the -software has not been tampered with and that it has been provided by a -trusted vendor. -
-Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. -
Verifying the authenticity of the software prior to installation -validates the integrity of the patch or upgrade received from a vendor. -This ensures the software has not been tampered with and that it has been -provided by a trusted vendor. Self-signed certificates are disallowed by -this requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA). - - - - Req-6.2 Ensure Red Hat GPG Key Installed To ensure the system can cryptographically verify base software packages @@ -155,18 +138,20 @@ - Req-7.1 - Verify the UEFI Boot Loader grub.cfg User Ownership + Req-6.2 + Ensure gpgcheck Enabled for All yum Package Repositories -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. - -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
+To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +
gpgcheck=0
-Only root should be able to modify important boot parameters. +Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This ensures +the software has not been tampered with and that it has been provided by a +trusted vendor. Self-signed certificates are disallowed by this +requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA)." @@ -187,36 +172,51 @@ Req-7.1 - Verify /boot/grub2/grub.cfg Group Ownership + Verify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg 
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters. Req-7.1 - Verify /boot/grub2/grub.cfg User Ownership + Verify the UEFI Boot Loader grub.cfg User Ownership -The file /boot/grub2/grub.cfg should +The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg 
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
Only root should be able to modify important boot parameters. + Req-7.1 + Verify /boot/grub2/grub.cfg Group Ownership + +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. + +To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
+ + +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway. + + + Req-8.1.1 Ensure All Accounts on the System Have Unique Names @@ -290,77 +290,50 @@ Req-8.1.8 - Enable GNOME3 Screensaver Lock After Idle Period + Set SSH Client Alive Count Max - -To activate locking of the screensaver in the GNOME3 desktop when it is activated, -add or set lock-enabled to true in -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/desktop/screensaver]
-lock-enabled=true
-
-Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update. +The SSH server sends at most ClientAliveCountMax messages +during a SSH session and waits for a response from the SSH client. +The option ClientAliveInterval configures timeout after +each ClientAliveCountMax message. If the SSH server does not +receive a response from the client, then the connection is considered idle +and terminated. +For SSH earlier than v8.2, a ClientAliveCountMax value of 0 +causes an idle timeout precisely when the ClientAliveInterval is set. +Starting with v8.2, a value of 0 disables the timeout functionality +completely. If the option is set to a number greater than 0, then /usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -75,22 +75,51 @@ BP28(R1) - Uninstall rsh Package + Uninstall telnet-server Package - -The rsh package contains the client commands - -for the rsh services +The telnet-server package can be removed with the following command: +
+$ sudo yum erase telnet-server
-These legacy clients contain numerous security exposures and have -been replaced with the more secure SSH package. Even if the server is removed, -it is best to ensure the clients are also removed to prevent users from -inadvertently attempting to use these commands and therefore exposing - -their credentials. Note that removing the rsh package removes - -the clients for rsh,rcp, and rlogin. +It is detrimental for operating systems to provide, or install by default, +functionality exceeding requirements or mission objectives. These +unnecessary capabilities are often overlooked and therefore may remain +unsecure. They increase the risk to the platform by providing additional +attack vectors. +
+The telnet service provides an unencrypted remote access service which does +not provide for the confidentiality and integrity of user passwords or the +remote session. If a privileged user were to login using this service, the +privileged user password could be compromised. +
+Removing the telnet-server package decreases the risk of the +telnet service's accidental (or intentional) activation. + + + + BP28(R1) + Uninstall xinetd Package + +The xinetd package can be removed with the following command: +
+$ sudo yum erase xinetd
+ + +Removing the xinetd package decreases the risk of the +xinetd service's accidental (or intentional) activation. + + + + BP28(R1) + Uninstall talk-server Package + +The talk-server package can be removed with the following command:
 $ sudo yum erase talk-server
+ + +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the talk-server package decreases the +risk of the accidental (or intentional) activation of talk services. @@ -111,14 +140,17 @@ BP28(R1) - Uninstall talk-server Package + Remove tftp Daemon -The talk-server package can be removed with the following command:
 $ sudo yum erase talk-server
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, +typically used to automatically transfer configuration or boot files between systems. +TFTP does not support authentication and can be easily hacked. The package +tftp is a client program that allows for connections to a tftp server. -The talk software presents a security risk as it uses unencrypted protocols -for communications. Removing the talk-server package decreases the -risk of the accidental (or intentional) activation of talk services. +It is recommended that TFTP be removed, unless there is a specific need +for TFTP (such as a boot server). In that case, use extreme caution when configuring +the services. @@ -140,18 +172,6 @@ - BP28(R1)
NT007(R03) - Uninstall the telnet server - -The telnet daemon should be uninstalled. - - -telnet allows clear text communications, and does not protect -any data transmission between client and server. Any confidential data -can be listened and no integrity checking is made.' - - - BP28(R1) Uninstall ypserv Package @@ -170,41 +190,34 @@ BP28(R1) - Remove tftp Daemon + Uninstall rsh Package -Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, -typically used to automatically transfer configuration or boot files between systems. -TFTP does not support authentication and can be easily hacked. The package -tftp is a client program that allows for connections to a tftp server. + +The rsh package contains the client commands + +for the rsh services -It is recommended that TFTP be removed, unless there is a specific need -for TFTP (such as a boot server). In that case, use extreme caution when configuring -the services. +These legacy clients contain numerous security exposures and have +been replaced with the more secure SSH package. Even if the server is removed, +it is best to ensure the clients are also removed to prevent users from +inadvertently attempting to use these commands and therefore exposing + +their credentials. Note that removing the rsh package removes + +the clients for rsh,rcp, and rlogin. - BP28(R1) - Uninstall telnet-server Package + BP28(R1)
NT007(R03) + Uninstall the telnet server -The telnet-server package can be removed with the following command: -
-$ sudo yum erase telnet-server
+The telnet daemon should be uninstalled. -It is detrimental for operating systems to provide, or install by default, -functionality exceeding requirements or mission objectives. These -unnecessary capabilities are often overlooked and therefore may remain -unsecure. They increase the risk to the platform by providing additional -attack vectors. -
-The telnet service provides an unencrypted remote access service which does -not provide for the confidentiality and integrity of user passwords or the -remote session. If a privileged user were to login using this service, the -privileged user password could be compromised. -
-Removing the telnet-server package decreases the risk of the -telnet service's accidental (or intentional) activation. +telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.' @@ -223,15 +236,19 @@ BP28(R1) - Uninstall xinetd Package + Remove NIS Client -The xinetd package can be removed with the following command: -
-$ sudo yum erase xinetd
+The Network Information Service (NIS), formerly known as Yellow Pages, +is a client-server directory service protocol used to distribute system configuration +files. The NIS client (ypbind) was used to bind a system to an NIS server +and receive the distributed configuration files. -Removing the xinetd package decreases the risk of the -xinetd service's accidental (or intentional) activation. +The NIS service is inherently an insecure system that has been vulnerable +to DOS attacks, buffer overflows and has poor authentication for querying +NIS maps. NIS generally has been replaced by such protocols as Lightweight +Directory Access Protocol (LDAP). It is recommended that the service be +removed. @@ -252,23 +269,6 @@ /usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -672,21 +672,6 @@ 1.5.1 - Verify the UEFI Boot Loader grub.cfg User Ownership - -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. - -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
- - -Only root should be able to modify important boot parameters. - - - - 1.5.1 Verify the UEFI Boot Loader grub.cfg Permissions File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. @@ -731,36 +716,51 @@ 1.5.1 - Verify /boot/grub2/grub.cfg Group Ownership + Verify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg 
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters. 1.5.1 - Verify /boot/grub2/grub.cfg User Ownership + Verify the UEFI Boot Loader grub.cfg User Ownership -The file /boot/grub2/grub.cfg should +The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg 
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
Only root should be able to modify important boot parameters. + 1.5.1 + Verify /boot/grub2/grub.cfg Group Ownership + +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. + +To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
+ + +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway. + + + 1.5.2 Set the UEFI Boot Loader Password @@ -806,6 +806,23 @@ 1.5.3 + Require Authentication for Emergency Systemd Target + +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + + +This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password. + + + + 1.5.3 Require Authentication for Single User Mode Single-user mode is intended as a system recovery @@ -823,20 +840,18 @@ - 1.5.3 - Require Authentication for Emergency Systemd Target + 1.6.1 + Disable Core Dumps for All Users -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +To disable core dumps for all users, add the following line to +/etc/security/limits.conf, or to a file within the +/etc/security/limits.d/ directory: +
*     hard   core    0
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is generally useful +only for developers trying to debug problems. @@ -859,6 +874,21 @@ 1.6.1 + Disable Core Dumps for SUID programs + +To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.suid_dumpable = 0
+ + +The core dump of a setuid program is more likely to contain +sensitive data, as the program itself runs with greater privileges than the +user who initiated execution of the program. Disabling the ability for any +setuid program to write a core file decreases the risk of unauthorized access +of such data. + + + + 1.6.1 Disable core dump backtraces The ProcessSizeMax option in [Coredump] section @@ -880,36 +910,6 @@ - 1.6.1 - Disable Core Dumps for All Users - -To disable core dumps for all users, add the following line to -/etc/security/limits.conf, or to a file within the -/etc/security/limits.d/ directory: -
*     hard   core    0
- - -A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data and is generally useful -only for developers trying to debug problems. - - - - 1.6.1 - Disable Core Dumps for SUID programs - -To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.suid_dumpable = 0
- - -The core dump of a setuid program is more likely to contain -sensitive data, as the program itself runs with greater privileges than the -user who initiated execution of the program. Disabling the ability for any -setuid program to write a core file decreases the risk of unauthorized access -of such data. - - - 1.6.2 Enable Randomized Layout of Virtual Address Space /usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -42,46 +42,29 @@ Rationale - 3.1.1
3.1.5 - Disable SSH Access via Empty Passwords - -Disallow SSH login with empty passwords. -The default SSH configuration disables logins with empty passwords. The appropriate -configuration is used if no value is set for PermitEmptyPasswords. -
-To explicitly disallow SSH login from accounts with empty passwords, -add or correct the following line in - - -/etc/ssh/sshd_config: - -
-
PermitEmptyPasswords no
-Any accounts with empty passwords should be disabled immediately, and PAM configuration -should prevent users from being able to assign themselves empty passwords. - - -Configuring this setting for the SSH daemon provides additional assurance -that remote login via SSH will require a password, even in the event of -misconfiguration elsewhere. - - - - 3.1.1
3.4.5 - Require Authentication for Single User Mode + 3.1.1
3.1.6 + Direct root Logins Not Allowed -Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. By default, no authentication -is performed if single-user mode is selected. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. +To further limit access to the root account, administrators +can disable root logins at the console by editing the /etc/securetty file. +This file lists all devices the root user is allowed to login to. If the file does +not exist at all, the root user can login through any communication device on the +system, whether via the console or via a raw network interface. This is dangerous +as user can login to the system as root via Telnet, which sends the password in +plain text over the network. By default, Red Hat Enterprise Linux 8's +/etc/securetty file only allows the root user to login at the console +physically attached to the system. To prevent root from logging in, remove the +contents of this file. To prevent direct root logins, remove the contents of this +file by typing the following command: +
+$ sudo echo > /etc/securetty
+
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +Disabling direct root logins ensures proper accountability and multifactor +authentication to privileged accounts. Users will first login, then escalate +to privileged (root) access via su / sudo. This is required for FISMA Low +and FISMA Moderate systems. @@ -105,34 +88,44 @@ 3.1.1
3.1.5 - Restrict Serial Port Root Logins + Disable SSH Access via Empty Passwords -To restrict root logins on serial ports, -ensure lines of this form do not appear in /etc/securetty: -
ttyS0
-ttyS1
+Disallow SSH login with empty passwords. +The default SSH configuration disables logins with empty passwords. The appropriate +configuration is used if no value is set for PermitEmptyPasswords. +
+To explicitly disallow SSH login from accounts with empty passwords, +add or correct the following line in + + +/etc/ssh/sshd_config: + +
+
PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration +should prevent users from being able to assign themselves empty passwords. -Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the systems -using the root account. +Configuring this setting for the SSH daemon provides additional assurance +that remote login via SSH will require a password, even in the event of +misconfiguration elsewhere. - 3.1.1
3.4.5 - Require Authentication for Emergency Systemd Target + 3.1.1
3.1.5 + Restrict Virtual Console Root Logins -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +To restrict root logins through the (deprecated) virtual console devices, +ensure lines of this form do not appear in /etc/securetty: +
vc/1
+vc/2
+vc/3
+vc/4
-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +Preventing direct root login to virtual console devices +helps ensure accountability for actions taken on the system +using the root account. @@ -154,19 +147,40 @@ 3.1.1
3.1.5 - Restrict Virtual Console Root Logins + Verify Only Root Has UID 0 -To restrict root logins through the (deprecated) virtual console devices, -ensure lines of this form do not appear in /etc/securetty: -
vc/1
-vc/2
-vc/3
-vc/4
+If any account other than root has a UID of 0, this misconfiguration should +be investigated and the accounts other than root should be removed or have +their UID changed. +
+If the account is associated with system commands or applications the UID +should be changed to one greater than "0" but less than "1000." +Otherwise assign a UID greater than "1000" that has not already been +assigned. -Preventing direct root login to virtual console devices -helps ensure accountability for actions taken on the system -using the root account. +An account has root authority if it has a UID of 0. Multiple accounts +with a UID of 0 afford more opportunity for potential intruders to +guess a password for a privileged account. Proper configuration of +sudo is recommended to afford multiple system administrators +access to root privileges in an accountable manner. + + + + 3.1.1
3.4.5 + Require Authentication for Emergency Systemd Target + +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + + +This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password. @@ -208,87 +222,72 @@ - 3.1.1
3.1.6 - Direct root Logins Not Allowed + 3.1.1
3.1.5 + Restrict Serial Port Root Logins -To further limit access to the root account, administrators -can disable root logins at the console by editing the /etc/securetty file. -This file lists all devices the root user is allowed to login to. If the file does -not exist at all, the root user can login through any communication device on the -system, whether via the console or via a raw network interface. This is dangerous -as user can login to the system as root via Telnet, which sends the password in -plain text over the network. By default, Red Hat Enterprise Linux 8's /usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -42,21 +42,113 @@ Rationale + AU-2(d)
AU-12(c)
CM-6(a) + Record Events that Modify the System's Discretionary Access Controls - chown + +At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ + +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + + + AU-2(d)
AU-12(c)
CM-6(a) + Record Unsuccessful Access Attempts to Files - open + +At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ +If the system is 64 bit then also add the following lines: +
+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ + +Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) + Ensure auditd Collects Information on Exporting to Media (successful) + +At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ + +The unauthorized exportation of data to external media could result in an information leak +where classified information, Privacy Act information, and intellectual property could be lost. An audit +trail should be created each time a filesystem is mounted to help identify and guard against information +loss. + + + AU-2(a) - Configure auditing of successful file accesses + Configure auditing of unsuccessful file creations -Ensure that successful attempts to access a file are audited. +Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: -
## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access    
+
## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create    
-The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules. +The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
-cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
+cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
 
Load new Audit rules into kernel by running: @@ -65,70 +157,82 @@ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -Auditing of successful attempts to access a file helps in investigation of activities performed on the system. +Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. AU-2(d)
AU-12(c)
CM-6(a) - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + Record Unsuccessul Ownership Changes to Files - chown -The audit system should collect unauthorized file accesses for -all users and root. The open_by_handle_at syscall can be used to create new files -when O_CREAT flag is specified. - -The following auidt rules will asure that unsuccessful attempts to create a -file via open_by_handle_at syscall are collected. +The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+ + +Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + AU-2(d)
AU-12(c)
CM-6(a) + Record Unsuccessul Ownership Changes to Files - lchown + +The audit system should collect unsuccessful file ownership change +attempts for all users and root. -If the auditd daemon is configured to use the augenrules -program to read audit rules during daemon startup (the default), add the -rules below to a file with suffix .rules in the directory -/etc/audit/rules.d. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the rules below to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+ +
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines: -
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-
+
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-04-04 00:00:00.000000000 +0000 @@ -59,19 +59,30 @@ Req-6.2 - Ensure gpgcheck Enabled for All yum Package Repositories + Ensure gpgcheck Enabled In Main yum Configuration -To ensure signature checking is not disabled for -any repos, remove any lines from files in /etc/yum.repos.d of the form: -
gpgcheck=0
+The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
-Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This ensures -the software has not been tampered with and that it has been provided by a -trusted vendor. Self-signed certificates are disallowed by this -requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA)." +Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. +
+Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +
Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA). @@ -99,34 +110,6 @@ Req-6.2 - Ensure gpgcheck Enabled In Main yum Configuration - -The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
- - -Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the -software has not been tampered with and that it has been provided by a -trusted vendor. -
-Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. -
Verifying the authenticity of the software prior to installation -validates the integrity of the patch or upgrade received from a vendor. -This ensures the software has not been tampered with and that it has been -provided by a trusted vendor. Self-signed certificates are disallowed by -this requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA). - - - - Req-6.2 Ensure Red Hat GPG Key Installed To ensure the system can cryptographically verify base software packages @@ -155,18 +138,20 @@ - Req-7.1 - Verify the UEFI Boot Loader grub.cfg User Ownership + Req-6.2 + Ensure gpgcheck Enabled for All yum Package Repositories -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. - -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
+To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +
gpgcheck=0
-Only root should be able to modify important boot parameters. +Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This ensures +the software has not been tampered with and that it has been provided by a +trusted vendor. Self-signed certificates are disallowed by this +requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA)." @@ -187,36 +172,51 @@ Req-7.1 - Verify /boot/grub2/grub.cfg Group Ownership + Verify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg 
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters. Req-7.1 - Verify /boot/grub2/grub.cfg User Ownership + Verify the UEFI Boot Loader grub.cfg User Ownership -The file /boot/grub2/grub.cfg should +The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg 
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
Only root should be able to modify important boot parameters. + Req-7.1 + Verify /boot/grub2/grub.cfg Group Ownership + +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. + +To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
+ + +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway. + + + Req-8.1.1 Ensure All Accounts on the System Have Unique Names @@ -290,77 +290,50 @@ Req-8.1.8 - Enable GNOME3 Screensaver Lock After Idle Period + Set SSH Client Alive Count Max - -To activate locking of the screensaver in the GNOME3 desktop when it is activated, -add or set lock-enabled to true in -/etc/dconf/db/local.d/00-security-settings. For example: -
[org/gnome/desktop/screensaver]
-lock-enabled=true
-
-Once the settings have been added, add a lock to -/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. -For example: -
/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update. +The SSH server sends at most ClientAliveCountMax messages +during a SSH session and waits for a response from the SSH client. +The option ClientAliveInterval configures timeout after +each ClientAliveCountMax message. If the SSH server does not +receive a response from the client, then the connection is considered idle +and terminated. +For SSH earlier than v8.2, a ClientAliveCountMax value of 0 +causes an idle timeout precisely when the ClientAliveInterval is set. +Starting with v8.2, a value of 0 disables the timeout functionality +completely. If the option is set to a number greater than 0, then /usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines) --- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-04-04 00:00:00.000000000 +0000 @@ -1,4 +1,4 @@ -1DISA STIG for Red Hat Enterprise Linux 7 +1DISA STIG for Red Hat Enterprise Linux 7 This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V3R6. /usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines) --- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -1,4 +1,4 @@ -1DISA STIG for Red Hat Enterprise Linux 8 +1DISA STIG for Red Hat Enterprise Linux 8 This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R5. /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -51009,844 +51009,844 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Only Authorized Local User Accounts Exist on Operating System - 
ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Uninstall tftp-server Package + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Install the docker Package /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -51011,844 +51011,844 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Only Authorized Local User Accounts Exist on Operating System - 
ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Uninstall tftp-server Package + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Install the docker Package /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -51,134 +51,134 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - - - - - + - + - + - + - + - + - + - + - + + + + + - + - + - + - + - + - - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + + - + - + - + /usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -53886,6365 +53886,6359 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Configure auditing of successful file accesses + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the irssi_use_full_network SELinux Boolean - 
ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Verify Root Has A Primary GID 0 - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Uninstall tftp-server Package + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable the xen_use_nfs SELinux Boolean - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Disable the use of user namespaces /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -53888,6365 +53888,6359 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Configure auditing of successful file accesses + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the irssi_use_full_network SELinux Boolean - 
ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Verify Root Has A Primary GID 0 - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Uninstall tftp-server Package + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable the xen_use_nfs SELinux Boolean - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Disable the use of user namespaces /usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -51,139 +51,139 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - - - - - + - + - + - + - + - + - + - + - + - + - + + + + + - + - + - + - + - - + + - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -50334,244 +50334,244 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Ensure Users Re-Authenticate for Privilege 
Escalation - sudo NOPASSWD - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Install policycoreutils Package + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Resolve information before writing to audit logs + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Configure auditing of successful file accesses + + Verify Root Has A Primary GID 0 - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the xen_use_nfs SELinux Boolean 
- ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Disable the use of user namespaces - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Uninstall tftp-server Package + + Enforce usage of pam_wheel for su authentication - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Configure auditing of unsuccessful file creations /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -50336,244 +50336,244 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Ensure Users Re-Authenticate for Privilege 
Escalation - sudo NOPASSWD - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Install policycoreutils Package + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Resolve information before writing to audit logs + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Configure auditing of successful file accesses + + Verify Root Has A Primary GID 0 - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the xen_use_nfs SELinux Boolean 
- ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Disable the use of user namespaces - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Uninstall tftp-server Package + + Enforce usage of pam_wheel for su authentication - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Configure auditing of unsuccessful file creations /usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -51,49 +51,54 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + @@ -101,9 +106,9 @@ - + - + @@ -111,60 +116,55 @@ - - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -37114,2081 +37114,2080 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Ensure '/etc/system-fips' exists - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify Permissions on Backup group File + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable storing core dump + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Install policycoreutils Package + + Verify User Who Owns group File - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + 
ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify Group Who Owns group File + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Root Has A Primary GID 0 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable the use of user namespaces - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Enforce usage of pam_wheel for su authentication - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Install iptables Package - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify User Who Owns 
/var/log/messages File + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Successful Permission Changes to Files - fsetxattr + + Enable the NTP Daemon - ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Disable Kerberos by removing host keytab + + The Chronyd service is enabled - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Disable acquiring, saving, and processing core dumps - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 - - Enable Certmap in SSSD + + Record Events that Modify User/Group Information - /etc/gshadow /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -37114,2081 +37114,2080 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Ensure '/etc/system-fips' exists - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify Permissions on Backup group File + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable storing core dump + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Install policycoreutils Package + + Verify User Who Owns group File - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + 
ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify Group Who Owns group File + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Root Has A Primary GID 0 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable the use of user namespaces - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Enforce usage of pam_wheel for su authentication - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Install iptables Package - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify User Who Owns 
/var/log/messages File + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Successful Permission Changes to Files - fsetxattr + + Enable the NTP Daemon - ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Disable Kerberos by removing host keytab + + The Chronyd service is enabled - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Disable acquiring, saving, and processing core dumps - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 - - Enable Certmap in SSSD + + Record Events that Modify User/Group Information - /etc/gshadow /usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,2081 +7,2080 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Ensure '/etc/system-fips' exists - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify Permissions on Backup group File + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Disable storing core dump + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Install policycoreutils Package + + Verify User Who Owns group File - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + 
ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify Group Who Owns group File + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Root Has A Primary GID 0 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable the use of user namespaces - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Enforce usage of pam_wheel for su authentication - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Install iptables Package - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify User Who Owns 
/var/log/messages File + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Successful Permission Changes to Files - fsetxattr + + Enable the NTP Daemon - ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Disable Kerberos by removing host keytab + + The Chronyd service is enabled - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Disable acquiring, saving, and processing core dumps - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 - - Enable Certmap in SSSD + + Record Events that Modify User/Group Information - /etc/gshadow /usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,58 +43,63 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + + + + + + - - - - - + - + - + - + + + + + - + - + - + - + @@ -102,9 +107,9 @@ - + - + @@ -112,50 +117,45 @@ - - - - - - - + - + - + - + - + - + - + - + - + - + - - - + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -38300,184 +38300,178 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package - - ocil:ssg-package_geolite2-country_removed_action:testaction:1 - - - - Add noauto Option to /boot + + Ensure SMAP is not disabled during boot - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + 
ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Install policycoreutils Package + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Resolve information before writing to audit logs + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Verify Root Has A Primary GID 0 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Uninstall tftp-server Package + + Enforce usage of pam_wheel for su authentication - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Install iptables Package - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + 
ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Uninstall quagga Package + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-package_quagga_removed_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout + + Enable the NTP Daemon - ocil:ssg-sudo_add_passwd_timeout_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -38302,184 +38302,178 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package - - ocil:ssg-package_geolite2-country_removed_action:testaction:1 - - - - Add noauto Option to /boot + + Ensure SMAP is not disabled during boot - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + 
ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Install policycoreutils Package + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Resolve information before writing to audit logs + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Verify Root Has A Primary GID 0 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Uninstall tftp-server Package + + Enforce usage of pam_wheel for su authentication - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Install iptables Package - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + 
ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Uninstall quagga Package + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-package_quagga_removed_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout + + Enable the NTP Daemon - ocil:ssg-sudo_add_passwd_timeout_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,184 +7,178 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package - - ocil:ssg-package_geolite2-country_removed_action:testaction:1 - - - - Add noauto Option to /boot + + Ensure SMAP is not disabled during boot - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + 
ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Install policycoreutils Package + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Resolve information before writing to audit logs + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Verify Root Has A Primary GID 0 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Uninstall tftp-server Package + + Enforce usage of pam_wheel for su authentication - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Install iptables Package - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + 
ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Uninstall quagga Package + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-package_quagga_removed_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout + + Enable the NTP Daemon - ocil:ssg-sudo_add_passwd_timeout_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + The Chronyd service is enabled - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,58 +43,63 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + + + + + + - - - - - + - + - + - + + + + + - + - + - + - + @@ -102,65 +107,60 @@ - + - - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -40887,196 +40887,196 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Ensure '/etc/system-fips' exists - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Configure auditd to use audispd's syslog plugin - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File 
- ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Install policycoreutils Package + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Verify Group Who Owns group File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Resolve information before writing to audit logs + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Disable the use of user namespaces - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Configure auditing of successful file accesses + + Enforce usage of pam_wheel for su authentication - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Install iptables Package - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Uninstall tftp-server Package + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Configure auditing of unsuccessful file creations - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + 
ocil:ssg-audit_create_failed_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Uninstall quagga Package + + Enable the NTP Daemon - ocil:ssg-package_quagga_removed_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout + + The Chronyd service is enabled /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -40889,196 +40889,196 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Ensure '/etc/system-fips' exists - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Configure auditd to use audispd's syslog plugin - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File 
- ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Install policycoreutils Package + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Verify Group Who Owns group File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Resolve information before writing to audit logs + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Disable the use of user namespaces - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Configure auditing of successful file accesses + + Enforce usage of pam_wheel for su authentication - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Install iptables Package - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Uninstall tftp-server Package + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Configure auditing of unsuccessful file creations - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + 
ocil:ssg-audit_create_failed_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Uninstall quagga Package + + Enable the NTP Daemon - ocil:ssg-package_quagga_removed_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout + + The Chronyd service is enabled /usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,196 +7,196 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Ensure '/etc/system-fips' exists - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Configure auditd to use audispd's syslog plugin - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File - 
ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Install policycoreutils Package + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Verify Group Who Owns group File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Resolve information before writing to audit logs + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Disable the use of user namespaces - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Configure auditing of successful file accesses + + Enforce usage of pam_wheel for su authentication - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Install iptables Package - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Uninstall tftp-server Package + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Configure auditing of unsuccessful file creations - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + 
ocil:ssg-audit_create_failed_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Uninstall quagga Package + + Enable the NTP Daemon - ocil:ssg-package_quagga_removed_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout + + The Chronyd service is enabled /usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,58 +43,63 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + + + + + + - - - - - + - + - + - + + + + + - + - + - + - + @@ -102,65 +107,60 @@ - + - - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -16052,520 +16052,520 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Permissions on Backup group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Enable rsyslog Service + + Configure auditd to use audispd's syslog plugin - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Verify Root Has A Primary GID 0 - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable Kerberos by removing host keytab + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + 
ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify Permissions on gshadow File + + The Chronyd service is enabled - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - passwd + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Enable syslog-ng Service + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Disable Host-Based Authentication - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - crontab + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Ensure syslog-ng is Installed - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Set SSH Client Alive Count Max - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Force frequent session key renegotiation + + Record Unsuccessful Access Attempts to Files - openat - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure auditd Collects Information on the Use of Privileged Commands - chage /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -16054,520 +16054,520 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Permissions on Backup group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Enable rsyslog Service + + Configure auditd to use audispd's syslog plugin - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Verify Root Has A Primary GID 0 - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable Kerberos by removing host keytab + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + 
ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify Permissions on gshadow File + + The Chronyd service is enabled - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - passwd + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Enable syslog-ng Service + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Disable Host-Based Authentication - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - crontab + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Ensure syslog-ng is Installed - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Set SSH Client Alive Count Max - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Force frequent session key renegotiation + + Record Unsuccessful Access Attempts to Files - openat - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure auditd Collects Information on the Use of Privileged Commands - chage /usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,520 +7,520 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Verify Permissions on Backup group File + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Enable rsyslog Service + + Configure auditd to use audispd's syslog plugin - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Verify Root Has A Primary GID 0 - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable Kerberos by removing host keytab + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + 
ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify Permissions on gshadow File + + The Chronyd service is enabled - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - passwd + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Enable syslog-ng Service + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Disable Host-Based Authentication - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure auditd Collects Information on the Use of Privileged Commands - crontab + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Record Unsuccessful Access Attempts to Files - ftruncate + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Ensure syslog-ng is Installed - ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Set SSH Client Alive Count Max - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Force frequent session key renegotiation + + Record Unsuccessful Access Attempts to Files - openat - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure auditd Collects Information on the Use of Privileged Commands - chage /usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,24 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + @@ -68,39 +68,39 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -108,19 +108,19 @@ - + - + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -30829,1720 +30829,1720 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coreos_audit_option_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Verify Root Has A Primary GID 0 - 
ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Resolve information before writing to audit logs + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Configure auditing of successful file accesses + + Disable the use of user namespaces - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Install iptables Package - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-coreos_disable_interactive_boot_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Configure auditing of unsuccessful file creations - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_create_failed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Enable Kernel Page-Table Isolation (KPTI) - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-coreos_pti_kernel_argument_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Enable the NTP Daemon - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify User Who Owns /var/log/messages 
File + + The Chronyd service is enabled - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Disable Kerberos by removing host keytab + + Disable acquiring, saving, and processing core dumps - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -30829,1720 +30829,1720 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coreos_audit_option_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Verify Root Has A Primary GID 0 - 
ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Resolve information before writing to audit logs + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Configure auditing of successful file accesses + + Disable the use of user namespaces - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Install iptables Package - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-coreos_disable_interactive_boot_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Configure auditing of unsuccessful file creations - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_create_failed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Enable Kernel Page-Table Isolation (KPTI) - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-coreos_pti_kernel_argument_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Enable the NTP Daemon - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify User Who Owns /var/log/messages 
File + + The Chronyd service is enabled - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Disable Kerberos by removing host keytab + + Disable acquiring, saving, and processing core dumps - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,1720 +7,1720 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coreos_audit_option_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Enable rsyslog Service + + Verify User Who Owns group File - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Disable storing core dump + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Verify Root Has A Primary GID 0 - 
ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Resolve information before writing to audit logs + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Configure auditing of successful file accesses + + Disable the use of user namespaces - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Install iptables Package - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-coreos_disable_interactive_boot_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Configure auditing of unsuccessful file creations - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_create_failed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Enable Kernel Page-Table Isolation (KPTI) - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-coreos_pti_kernel_argument_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Enable the NTP Daemon - ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify User Who Owns /var/log/messages 
File + + The Chronyd service is enabled - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Disable Kerberos by removing host keytab + + Disable acquiring, saving, and processing core dumps - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,58 +43,63 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + + + + + + - - - - - + - + - + - + + + + + - + - + - + - + @@ -102,9 +107,9 @@ - + - + @@ -112,15 +117,14 @@ - - - - + + + - + - + @@ -128,24 +132,20 @@ - - - - - - - - + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -51874,844 +51874,844 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Only Authorized Local User Accounts Exist on Operating System - 
ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Uninstall tftp-server Package + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Install the docker Package /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -51876,844 +51876,844 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Only Authorized Local User Accounts Exist on Operating System - 
ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Uninstall tftp-server Package + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Install the docker Package /usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,844 +7,844 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Only Authorized Local User Accounts Exist on Operating System - 
ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Uninstall tftp-server Package + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Install the docker Package /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,134 +43,134 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - - - - - + - + - + - + - + - + - + - + - + + + + + - + - + - + - + - + - - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + + - + - + - + /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -54741,6365 +54741,6359 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Configure auditing of successful file accesses + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the irssi_use_full_network SELinux Boolean - 
ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Verify Root Has A Primary GID 0 - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Uninstall tftp-server Package + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable the xen_use_nfs SELinux Boolean - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Disable the use of user namespaces /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -54743,6365 +54743,6359 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Configure auditing of successful file accesses + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the irssi_use_full_network SELinux Boolean - 
ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Verify Root Has A Primary GID 0 - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Uninstall tftp-server Package + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable the xen_use_nfs SELinux Boolean - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Disable the use of user namespaces /usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,6365 +7,6359 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Configure auditing of successful file accesses + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the irssi_use_full_network SELinux Boolean - 
ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Verify Root Has A Primary GID 0 - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Uninstall tftp-server Package + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Disable the xen_use_nfs SELinux Boolean - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Disable the use of user namespaces /usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,139 +43,139 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - - - - - + - + - + - + - + - + - + - + - + - + - + + + + + - + - + - + - + - - + + - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -51040,244 +51040,244 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Ensure Users Re-Authenticate for Privilege 
Escalation - sudo NOPASSWD - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Install policycoreutils Package + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Resolve information before writing to audit logs + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Configure auditing of successful file accesses + + Verify Root Has A Primary GID 0 - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the xen_use_nfs SELinux Boolean 
- ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Disable the use of user namespaces - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Uninstall tftp-server Package + + Enforce usage of pam_wheel for su authentication - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Configure auditing of unsuccessful file creations /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -51042,244 +51042,244 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Ensure Users Re-Authenticate for Privilege 
Escalation - sudo NOPASSWD - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Install policycoreutils Package + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Resolve information before writing to audit logs + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Configure auditing of successful file accesses + + Verify Root Has A Primary GID 0 - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the xen_use_nfs SELinux Boolean 
- ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Disable the use of user namespaces - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Uninstall tftp-server Package + + Enforce usage of pam_wheel for su authentication - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Configure auditing of unsuccessful file creations /usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,244 +7,244 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Ensure Users Re-Authenticate for Privilege Escalation - 
sudo NOPASSWD - ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Install policycoreutils Package + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Verify Group Who Owns group File + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Resolve information before writing to audit logs + + Only Authorized Local User Accounts Exist on Operating System - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Configure auditing of successful file accesses + + Verify Root Has A Primary GID 0 - ocil:ssg-audit_access_success_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Disable the xen_use_nfs SELinux Boolean - 
ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sebool_xen_use_nfs_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Disable the use of user namespaces - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 - - Uninstall tftp-server Package + + Enforce usage of pam_wheel for su authentication - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Configure auditing of unsuccessful file creations /usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,49 +43,54 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + @@ -93,9 +98,9 @@ - + - + @@ -103,60 +108,55 @@ - - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -28085,946 +28085,958 @@ 2022-04-04T00:00:00 - - Add noauto Option to /boot + + Ensure SMAP is not disabled during boot - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Ensure '/etc/system-fips' exists - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify Permissions on Backup group File + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Verify Group Who Owns group File + + Verify User Who Owns group File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + 
ocil:ssg-file_owner_etc_group_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Root Has A Primary GID 0 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Enforce usage of pam_wheel for su authentication - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Install iptables Package - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Uninstall tftp-server Package + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-sebool_sysadm_exec_content_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Enable the NTP Daemon - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify that Interactive Boot is Disabled + + The Chronyd service is enabled - 
ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Record Successful Permission Changes to Files - fsetxattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Disable Kerberos by removing host keytab + + Remove User Host-Based Authentication Files /usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -28085,946 +28085,958 @@ 2022-04-04T00:00:00 - - Add noauto Option to /boot + + Ensure SMAP is not disabled during boot - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Ensure '/etc/system-fips' exists - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify Permissions on Backup group File + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Verify Group Who Owns group File + + Verify User Who Owns group File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + 
ocil:ssg-file_owner_etc_group_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Root Has A Primary GID 0 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Enforce usage of pam_wheel for su authentication - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Install iptables Package - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Uninstall tftp-server Package + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-sebool_sysadm_exec_content_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Enable the NTP Daemon - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify that Interactive Boot is Disabled + + The Chronyd service is enabled - 
ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Record Successful Permission Changes to Files - fsetxattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Disable Kerberos by removing host keytab + + Remove User Host-Based Authentication Files /usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,946 +7,958 @@ 2022-04-04T00:00:00 - - Add noauto Option to /boot + + Ensure SMAP is not disabled during boot - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Ensure '/etc/system-fips' exists - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify Permissions on Backup group File + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Verify Group Who Owns group File + + Verify User Who Owns group File - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + 
ocil:ssg-file_owner_etc_group_action:testaction:1 - - Resolve information before writing to audit logs + + Verify Root Has A Primary GID 0 - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Enforce usage of pam_wheel for su authentication - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Install iptables Package - ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Uninstall tftp-server Package + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-sebool_sysadm_exec_content_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Record Successful Access Attempts to Files - open + + Enable the NTP Daemon - ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Verify that Interactive Boot is Disabled + + The Chronyd service is enabled - 
ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Configure Kerberos to use System Crypto Policy + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Record Successful Permission Changes to Files - fsetxattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Disable Kerberos by removing host keytab + + Remove User Host-Based Authentication Files /usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,124 +43,124 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - - - - - + - + - + - + - + - + - + - + - + + + + + - + - + - + - + - + - - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + + - + - + - + /usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -51009,844 +51009,844 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Only Authorized Local User Accounts Exist on Operating System - 
ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Uninstall tftp-server Package + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Install the docker Package /usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -51011,844 +51011,844 @@ 2022-04-04T00:00:00 - - Uninstall geolite2-country Package + + Ensure SMAP is not disabled during boot - ocil:ssg-package_geolite2-country_removed_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Add noauto Option to /boot + + Record Successful Permission Changes to Files - setxattr - ocil:ssg-mount_option_boot_noauto_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 - - Disable PubkeyAuthentication Authentication + + Disable the samba_export_all_rw SELinux Boolean - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-sebool_samba_export_all_rw_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments + + Ensure '/etc/system-fips' exists - ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1 + ocil:ssg-etc_system_fips_exists_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Disable the use_fusefs_home_dirs SELinux Boolean + + Disable the virt_sandbox_use_sys_admin SELinux Boolean - ocil:ssg-sebool_use_fusefs_home_dirs_action:testaction:1 + ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1 - - Verify Permissions on Backup group File + + Configure Error Log Format - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-httpd_configure_log_format_action:testaction:1 - - Add nodev Option to Non-Root Local Partitions + + Disable anacron Service - 
ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + ocil:ssg-disable_anacron_action:testaction:1 - - Enable rsyslog Service + + Configure Notification of Post-AIDE Scan Details - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-aide_scan_notification_action:testaction:1 - - Disable storing core dump + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Install policycoreutils Package + + Disable Client Dynamic DNS Updates - ocil:ssg-package_policycoreutils_installed_action:testaction:1 + ocil:ssg-network_disable_ddns_interfaces_action:testaction:1 - - Verify Group Who Owns group File + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Configure AIDE to Verify Extended Attributes + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-aide_verify_ext_attributes_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Disable the named_tcp_bind_http_port SELinux Boolean + + Disable the cluster_can_network_connect SELinux Boolean - ocil:ssg-sebool_named_tcp_bind_http_port_action:testaction:1 + ocil:ssg-sebool_cluster_can_network_connect_action:testaction:1 - - Disable the polyinstantiation_enabled SELinux Boolean + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Only Authorized Local User Accounts Exist on Operating System - 
ocil:ssg-network_nmcli_permissions_action:testaction:1 + ocil:ssg-accounts_authorized_local_users_action:testaction:1 - - Uninstall tftp-server Package + + Disable the irssi_use_full_network SELinux Boolean - ocil:ssg-package_tftp-server_removed_action:testaction:1 + ocil:ssg-sebool_irssi_use_full_network_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Verify Root Has A Primary GID 0 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Enable the sysadm_exec_content SELinux Boolean + + Install the docker Package /usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -51,134 +51,134 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - - - - - + - + - + - + - + - + - + - + - + + + + + - + - + - + - + - + - - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + + - + - + - + RPMS.2017/scap-security-guide-ubuntu-0.1.61-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.61-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-ubuntu-0.1.61-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.61-0.0.noarch.rpm comparing the rpm tags of scap-security-guide-ubuntu --- old-rpm-tags +++ new-rpm-tags 
@@ -236,25 +236,25 @@ /usr/share/xml/scap/ssg/content 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml 2471d6ff7a0c2de16b8760b16b5c721e691c7a3c0604f25d4d189d74873682c4 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-oval.xml d68cb47a04c12745a1fd634a51bc818e3b80e7182436741aa00c65693196c4bb 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 78d1b5b19b63c48b5d21f07193017705812ef0d631ba5d129dac7b67914b7502 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 70e9647eb2e7cd93ac4861d34bc7794cb60aa9356eaefca7ff9b344137bd5a49 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 360beb8f5333d408a295ea99897efa57e16dc0eb90fb93bcd9fdaf70457e3603 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 1c1a60eeac3b208800a4679ebe0d910283c5bfd430e3dd4d454eea37e0947376 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml d1e9881b53e1174683e91f988f91fadbf6754a8e8a708ceda4646dfeff142c4f 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 33bc3c41a9fd2b06741cb28cbd2ed4549f8c560cd83309c07a92d13aaa913870 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml bc0c95f72b15c9ae11d1c314aaee66b4b63d696d3630894fa20234048e46452d 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml bf340d6201460d45d65dca5bcdd8c817787588d87c47fcb274d0366f966fe743 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 28a1637084f54bfbcb2fa2b6065e770caa9c376aea01655ae1e15d88214f23cf 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-cpe-dictionary.xml 86672355f727e3abf517b1937b1e91f6719e0cc993ef2c25939b282424a304b4 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-cpe-oval.xml 7ac6ee22c3790082916809fc9f6d8cc017a982b003d1a21818a80f9538d553e0 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml d1e365d74423d885165d51680cdbcfb3462e983967dd919a948844ec38f02ea8 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 14a7df3025b06449b7a2c9a173f84228179e195779c21fa18a5b776418b9e5d0 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 
f904a76726802dc40f1ead26f37b9a00292eaca3f6bedc9cddbe67e455f1ed45 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 689e095efa3a5d0001b130869dcaa1fcfd28b728a796e06ad02012326eb46004 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml dcf6f8318609b7aefccbb7a1a5e0d77cd9b72eb87190e52b238d00c687e529e8 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml feab49f416c79b7803280dabc60ae0b331f0d4e9f996931bf9a1da21c9eb00bc 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-oval.xml 68a0adc3c657e439c288889585cd2c0c17b8300011411bf8485d8e451ac3549b 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 1f95a5cd4b5ebc3901e52e6ba47418cbaedf527e638cb1702fb1bd6d37ab7dcf 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2513ceb15d52286f0fe4cc99ec9e14ad909118c0846006eb389abd8dc4a4c964 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-cpe-dictionary.xml 01f8c5a1a04774c11ecea74f61afba2b0881238f658a9419e635dfc3150653e5 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-cpe-oval.xml 08ffce26d93bdd53b8305b5d9c41d4b9cc37f02ccb1b5d9ceb2d5fa89ec1a1d8 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 0a0f17309e4825f7a8ab1ff2edf582b723a202c9bd7c6f00f1233899c2d0cd64 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 414f223e0c8d404efcfbc7495ce8a57e2656853bea68e7a3e31506cfcc5b079d 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 35f94e3b6688477aaefed1da18ff185311bcd058567c490c8baba16d6987699d 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 474d691b5ad84953f1efe259d373038d7a84e0543b3b9e0f0cf1125717153988 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 18b6abca49d2d6b02d940e6e73ba590f3b34fd6690e0973368e4cf8d7631c78e 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml bcbaffdfb4cd14e575d37d049ebcaf47a11bdc1fd9b1af2f53652891d87a8269 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-oval.xml c959d12f078eaaf536440a39fa568996cb92e84e025fb3c3a86979b725f928f5 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 
e6b6b0a3653fa5525bb6e223e8e6b4dacdf9139da7b8aa899041f3f79ff6220e 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml c32cdf00d9b8cfcf087163dfd8f8e3b0c47ef643fcdb4e66ba514e2a4a034143 0 ___QF_CHECKSUM___ comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -13777,256 +13777,250 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have 
Root Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Enable syslog-ng Service + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Ensure rsyslog is Installed - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Force frequent session key renegotiation + + Enable systemd_timesyncd Service - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-service_timesyncd_enabled_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Only the VDSM User Can Use sudo NOPASSWD + + Explicit arguments in sudo specifications - ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + ocil:ssg-sudoers_explicit_command_args_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -13779,256 +13779,250 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have 
Root Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Enable syslog-ng Service + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Ensure rsyslog is Installed - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Force frequent session key renegotiation + + Enable systemd_timesyncd Service - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-service_timesyncd_enabled_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Only the VDSM User Can Use sudo NOPASSWD + + Explicit arguments in sudo specifications - ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + ocil:ssg-sudoers_explicit_command_args_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
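Review bot: The questionnaire order in this OCIL component differs between two builds of the same file (old and new headers carry the same path and timestamp), so the datastream is not byte-reproducible; most changed entries, e.g. `ocil:ssg-sudoers_no_command_negation_action:testaction:1` and `ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1`, appear on both the removed and the added side of this hunk and are merely reordered. The `ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1` questionnaire, however, is present only on the removed side and the hunk header shrinks from 256 to 250 lines, which looks like that manual check was dropped from the new build rather than moved; confirm by extracting and sorting the `test_action_ref` values of both files before accepting this as a harmless reorder. Unstable output also means a consumer cannot distinguish a legitimate rebuild of the benchmark from a tampered one by digest alone, so the generator that serializes these `questionnaire` elements should emit them in a stable order (sorted by their id) to make the content reproducible.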
@@ -7,256 +7,250 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have Root 
Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Enable syslog-ng Service + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Ensure rsyslog is Installed - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Force frequent session key renegotiation + + Enable systemd_timesyncd Service - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-service_timesyncd_enabled_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Disable Host-Based Authentication - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Ensure that System Accounts Are Locked + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 - - Only the VDSM User Can Use sudo NOPASSWD + + Explicit arguments in sudo specifications - ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + ocil:ssg-sudoers_explicit_command_args_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,24 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + @@ -68,54 +68,54 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -14684,172 +14684,166 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have 
Root Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Add noexec Option to /var/tmp + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Enable syslog-ng Service + + Ensure rsyslog is Installed - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Enable systemd_timesyncd Service - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-service_timesyncd_enabled_action:testaction:1 - - Force frequent session key renegotiation + + Disable Host-Based Authentication - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure that System Accounts Are Locked + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Add nosuid Option to /tmp - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-04-04 00:00:00.000000000 +0000 
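Review bot: `ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1` and `ocil:ssg-mount_option_tmp_nosuid_action:testaction:1` each appear on only one side of this hunk (the former removed, the latter added), and with a hunk-limited view it is impossible to tell whether they moved elsewhere in the file or whether the set of manual checks in the Ubuntu 18.04 datastream actually changed between builds. The header also loses six lines (172 to 166), which matches the six removed lines of the `sshd_disable_pubkey_auth` questionnaire that has no added counterpart here. A build comparison that flags generated SCAP content should canonicalize first, e.g. sort the `test_action_ref` values (or questionnaire ids) of both files and diff those, so that pure reordering is accepted while a genuinely missing check still fails the comparison. The matching hunk in `ssg-ubuntu1804-ds.xml` below presumably shows the same non-determinism, since both datastreams embed the same OCIL component.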
@@ -14684,172 +14684,166 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have 
Root Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Add noexec Option to /var/tmp + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Enable syslog-ng Service + + Ensure rsyslog is Installed - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Enable systemd_timesyncd Service - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-service_timesyncd_enabled_action:testaction:1 - - Force frequent session key renegotiation + + Disable Host-Based Authentication - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure that System Accounts Are Locked + + Record Events that Modify the System's Discretionary Access Controls - fchown - 
ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Add nosuid Option to /tmp - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,172 +7,166 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication - - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 - - - - Verify Permissions on Backup group File + + Ensure SMAP is not disabled during boot - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Enable rsyslog Service + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Disable storing core dump + + Configure auditd to use audispd's syslog plugin - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Group Who Owns group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Resolve information before writing to audit logs + + Verify User Who Owns group File - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Verify Root Has A Primary GID 0 - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Disable Kerberos by removing host keytab + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Verify that System Executable Have Root 
Ownership + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify Permissions on gshadow File + + Enable the NTP Daemon - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - Ensure No World-Writable Files Exist + + The Chronyd service is enabled - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Add noexec Option to /var/tmp + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Enable syslog-ng Service + + Ensure rsyslog is Installed - ocil:ssg-service_syslogng_enabled_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Configure Polyinstantiation of /tmp Directories + + Only the VDSM User Can Use sudo NOPASSWD - ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 - - Restrict Exposed Kernel Pointer Addresses Access + + Enable systemd_timesyncd Service - ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + ocil:ssg-service_timesyncd_enabled_action:testaction:1 - - Force frequent session key renegotiation + + Disable Host-Based Authentication - ocil:ssg-sshd_rekey_limit_action:testaction:1 + ocil:ssg-disable_host_auth_action:testaction:1 - - Configure auditd mail_acct Action on Low Disk Space + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure that System Accounts Are Locked + + Record Events that Modify the System's Discretionary Access Controls - fchown - ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 
+ ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 - - Disable SSH Access via Empty Passwords + + Add nosuid Option to /tmp - ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Don't define allowed commands in sudoers by means of exclusion + + Ensure syslog-ng is Installed - ocil:ssg-sudoers_no_command_negation_action:testaction:1 + ocil:ssg-package_syslogng_installed_action:testaction:1 - - Verify Permissions on Backup passwd File + + Set SSH Client Alive Count Max - ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + ocil:ssg-sshd_set_keepalive_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,24 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + @@ -68,54 +68,54 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -25004,1619 +25004,1618 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify Group Who Owns group File + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Resolve information before writing to audit logs + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Record Attempts to Alter Process and Session Initiation Information wtmp + + Verify Root Has A Primary GID 0 - ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1 + 
ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Set Deny For Failed Password Attempts - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Offload audit Logs to External Media + + Enforce usage of pam_wheel for su authentication - ocil:ssg-auditd_offload_logs_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Install iptables Package - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Disable Kerberos by removing host keytab + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify Group Who Owns cron.hourly + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - System Audit Logs Must Be Group Owned By Root + + The Chronyd service is enabled - 
ocil:ssg-file_group_ownership_var_log_audit_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Policy Requires Immediate Change of Temporary Passwords + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Ensure No World-Writable Files Exist + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/shadow + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-04-04 00:00:00.000000000 +0000 
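Review bot: The comparison output for this 1619-line hunk is truncated (it stops after `+ Ensure rsyslog is Installed` with no matching `test_action_ref`), so the net loss of one line (1619 to 1618) cannot be located from what is shown. Entries such as `ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1` appear on both sides, which again points to unstable questionnaire ordering rather than a content change, but the unbalanced line count means at least one element differs in a way this view does not reveal. A truncated diff of a security benchmark should not be signed off as "reorder only"; regenerate the comparison with full output, or compare the sorted sets of questionnaire ids, before treating the two builds as equivalent.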
@@ -25004,1619 +25004,1618 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify Group Who Owns group File + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Resolve information before writing to audit logs + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Record Attempts to Alter Process and Session Initiation Information wtmp + + Verify Root Has A Primary GID 0 - ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1 + 
ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Set Deny For Failed Password Attempts - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Offload audit Logs to External Media + + Enforce usage of pam_wheel for su authentication - ocil:ssg-auditd_offload_logs_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Install iptables Package - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Disable Kerberos by removing host keytab + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify Group Who Owns cron.hourly + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - System Audit Logs Must Be Group Owned By Root + + The Chronyd service is enabled - 
ocil:ssg-file_group_ownership_var_log_audit_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Policy Requires Immediate Change of Temporary Passwords + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Ensure No World-Writable Files Exist + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/shadow + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-04-04 00:00:00.000000000 +0000 
@@ -7,1619 +7,1618 @@ 2022-04-04T00:00:00 - - Disable PubkeyAuthentication Authentication + + Ensure SMAP is not disabled during boot - ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/gshadow + + Record Events that Modify the System's Discretionary Access Controls - chown - ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 - - Verify User Who Owns /etc/cron.allow file + + Configure auditd to use audispd's syslog plugin - ocil:ssg-file_owner_cron_allow_action:testaction:1 + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 - - Verify Permissions on Backup group File + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 - - Enable rsyslog Service + + Record Unsuccessful Access Attempts to Files - open - ocil:ssg-service_rsyslog_enabled_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 - - Disable storing core dump + + Verify User Who Owns group File - ocil:ssg-coredump_disable_storage_action:testaction:1 + ocil:ssg-file_owner_etc_group_action:testaction:1 - - Verify Group Who Owns group File + + Ensure the Default C Shell Umask is Set Correctly - ocil:ssg-file_groupowner_etc_group_action:testaction:1 + ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1 - - Resolve information before writing to audit logs + + Use Only FIPS 140-2 Validated MACs - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 - - Record Attempts to Alter Process and Session Initiation Information wtmp + + Verify Root Has A Primary GID 0 - ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1 + 
ocil:ssg-accounts_root_gid_zero_action:testaction:1 - - Enable GNOME3 Screensaver Lock After Idle Period + + Record Events that Modify the System's Discretionary Access Controls - umount2 - ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 - - Verify Group Who Owns SSH Server config file + + Set Deny For Failed Password Attempts - ocil:ssg-file_groupowner_sshd_config_action:testaction:1 + ocil:ssg-accounts_passwords_pam_tally2_action:testaction:1 - - Offload audit Logs to External Media + + Enforce usage of pam_wheel for su authentication - ocil:ssg-auditd_offload_logs_action:testaction:1 + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 - - Verify User Who Owns /var/log/messages File + + Install iptables Package - ocil:ssg-file_owner_var_log_messages_action:testaction:1 + ocil:ssg-package_iptables_installed_action:testaction:1 - - Disable Kerberos by removing host keytab + + Ensure auditd Collects Information on Exporting to Media (successful) - ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + ocil:ssg-audit_rules_media_export_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - removexattr + + Ensure PAM Enforces Password Requirements - Minimum Different Characters - ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + ocil:ssg-accounts_password_pam_difok_action:testaction:1 - - Verify Group Who Owns cron.hourly + + Verify that local System.map file (if exists) is readable only by root - ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 + ocil:ssg-file_permissions_systemmap_action:testaction:1 - - Verify that System Executable Have Root Ownership + + Enable the NTP Daemon - ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 + ocil:ssg-service_ntp_enabled_action:testaction:1 - - System Audit Logs Must Be Group Owned By Root + + The Chronyd service is enabled - 
ocil:ssg-file_group_ownership_var_log_audit_action:testaction:1 + ocil:ssg-service_chronyd_enabled_action:testaction:1 - - Verify Permissions on gshadow File + + Ensure auditd Collects Information on the Use of Privileged Commands - rmmod - ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_rmmod_action:testaction:1 - - Policy Requires Immediate Change of Temporary Passwords + + Record Events that Modify User/Group Information - /etc/gshadow - ocil:ssg-policy_temp_passwords_immediate_change_action:testaction:1 + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 - - Ensure No World-Writable Files Exist + + Don't define allowed commands in sudoers by means of exclusion - ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + ocil:ssg-sudoers_no_command_negation_action:testaction:1 - - Record Events that Modify User/Group Information - /etc/shadow + + Ensure rsyslog is Installed /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-04-04 00:00:00.000000000 +0000 @@ -43,29 +43,24 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - - - - - - + - + - + - + - + - + - + - + @@ -73,65 +68,70 @@ - + - + - + - + - + - + - + - + - + - + - - + + - - + - + - + - + - + - + - + - + - + + + + + + + - + - + - + overalldiffered=4 (not bit-by-bit identical) overall=1