StigData/Processed/OracleLinux-8-2.1.xml

<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="OracleLinux_8_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_OracleLinux_8_STIG_V2R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Oracle Linux 8 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.1" created="7/22/2024">
  <DocumentRule dscresourcemodule="None">
    <Rule id="V-248900" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A System Administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a "no" setting.
  
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the "ForwardX11Trusted" option is also enabled.
  
If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify "X11Forwarding" is disabled with the following command:
 
$ sudo /usr/sbin/sshd -dd 2&gt;&amp;1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding'
 
X11Forwarding no
 
If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.
 
If conflicting results are returned, this is a finding.</RawString>
    </Rule>
  </DocumentRule>
  <nxFileLineRule dscresourcemodule="nx">
    <Rule id="V-248524" severity="high" conversionstatus="pass" title="SRG-OS-000033-GPOS-00014" dscresource="nxFileLine">
      <ContainsLine>1</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
  
OL 8 uses GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the "/boot/grub2/grubenv" file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries.
 
The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests are in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended number of keystrokes is 256 or more. Fewer than 256 keystrokes may generate a nonunique key.
 
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*1</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/proc/sys/crypto/fips_enabled</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.
 
Check to see if FIPS mode is enabled with the following command:
 
     $ fips-mode-setup --check
     FIPS mode is enabled
 
If FIPS mode is "enabled", check to see if the kernel boot parameter is configured for FIPS mode with the following command:
 
     $ sudo grub2-editenv list | grep fips
     kernelopts=root=/dev/mapper/ol-root ro resume=/dev/mapper/ol-swap rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet fips=1 boot=UUID=25856928-386b-4205-9a0e-a2953ae2712d audit=1 audit_backlog_limit=8192 pti=on random.trust_cpu=on slub_debug=P page_poison=1
 
If the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:
 
     $ sudo cat /proc/sys/crypto/fips_enabled
     1
 
If FIPS mode is not "enabled", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248527" severity="medium" conversionstatus="pass" title="SRG-OS-000023-GPOS-00006" dscresource="nxFileLine">
      <ContainsLine>banner-message-enable=true</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
 
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
 
Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*banner-message-enable\s*=\s*true</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/dconf/db/local.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
 
Verify OL 8 displays a banner before granting access to the operating system via a graphical user logon.
 
Determine if the operating system displays a banner at the logon screen with the following command:
 
$ sudo grep banner-message-enable /etc/dconf/db/local.d/*
 
banner-message-enable=true
 
If "banner-message-enable" is set to "false" or is missing, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248533" severity="medium" conversionstatus="pass" title="SRG-OS-000073-GPOS-00041" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
  
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DOD data may be compromised.
  
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/login.defs</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding." </OrganizationValueTestString>
      <RawString>Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
  
Check the hashing algorithm that is being used to hash passwords with the following command:
  
$ sudo cat /etc/login.defs | grep -i crypt
  
ENCRYPT_METHOD SHA512
  
If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248535" severity="medium" conversionstatus="pass" title="SRG-OS-000073-GPOS-00041" dscresource="nxFileLine">
      <ContainsLine>If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding.</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.
  
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*If\s*only\s*one\s*of\s*"SHA_CRYPT_MIN_ROUNDS"\s*or\s*"SHA_CRYPT_MAX_ROUNDS"\s*is\s*set,\s*and\s*this\s*value\s*is\s*below\s*"5000",\s*this\s*is\s*a\s*finding.</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/login.defs</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check that a minimum number of hash rounds is configured by running the following command:
 
     $ sudo grep -E "^SHA_CRYPT_" /etc/login.defs
 
If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding.
 
If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the value for either is below "5000", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248538.a" severity="medium" conversionstatus="pass" title="SRG-OS-000080-GPOS-00048" dscresource="nxFileLine">
      <ContainsLine>set superusers="[someuniqueUserNamehere]"</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.
The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Because the superuser account database is distinct from the OS account database, a username that is not among those within the OS account database can be used. Examples of non-unique superuser names are root, superuser, unlock, etc.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*set\s*superusers\s*=\s*"[someuniqueUserNamehere]"</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/boot/efi/EFI/redhat/grub.cfg</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>For systems that use BIOS, this is Not Applicable.
Verify that a unique name is set as the "superusers" account:
$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="[someuniqueUserNamehere]"
If "superusers" is identical to any OS account name or is missing a name, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248538.b" severity="medium" conversionstatus="pass" title="SRG-OS-000080-GPOS-00048" dscresource="nxFileLine">
      <ContainsLine>export superusers</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.
The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Because the superuser account database is distinct from the OS account database, a username that is not among those within the OS account database can be used. Examples of non-unique superuser names are root, superuser, unlock, etc.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*export\s*superusers</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/boot/efi/EFI/redhat/grub.cfg</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>For systems that use BIOS, this is Not Applicable.
Verify that a unique name is set as the "superusers" account:
$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
export superusers
If "superusers" is identical to any OS account name or is missing a name, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248539.a" severity="medium" conversionstatus="pass" title="SRG-OS-000080-GPOS-00048" dscresource="nxFileLine">
      <ContainsLine>set superusers="[someuniqueUserNamehere]"</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.
The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Because the superuser account database is distinct from the OS account database, a username that is not among those within the OS account database can be used. Examples of non-unique superuser names are root, superuser, unlock, etc.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*set\s*superusers\s*=\s*"[someuniqueUserNamehere]"</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/boot/grub2/grub.cfg</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>For systems that use UEFI, this is Not Applicable.
Verify that a unique name is set as the "superusers" account:
$ sudo grep -iw "superusers" /boot/grub2/grub.cfg
set superusers="[someuniqueUserNamehere]"
If "superusers" is identical to any OS account name or is missing a name, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248539.b" severity="medium" conversionstatus="pass" title="SRG-OS-000080-GPOS-00048" dscresource="nxFileLine">
      <ContainsLine>export superusers</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.
The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Because the superuser account database is distinct from the OS account database, a username that is not among those within the OS account database can be used. Examples of non-unique superuser names are root, superuser, unlock, etc.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*export\s*superusers</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/boot/grub2/grub.cfg</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>For systems that use UEFI, this is Not Applicable.
Verify that a unique name is set as the "superusers" account:
$ sudo grep -iw "superusers" /boot/grub2/grub.cfg
export superusers
If "superusers" is identical to any OS account name or is missing a name, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248541" severity="medium" conversionstatus="pass" title="SRG-OS-000080-GPOS-00048" dscresource="nxFileLine">
      <ContainsLine>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*ExecStart\s*=\s*-/usr/lib/systemd/systemd-sulogin-shell\s*rescue</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/usr/lib/systemd/system/rescue.service</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Determine if the system requires authentication for rescue mode with the following command:
  
$ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service
  
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
  
If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue" or is commented out or missing, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248542" severity="medium" conversionstatus="pass" title="SRG-OS-000080-GPOS-00048" dscresource="nxFileLine">
      <ContainsLine>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is granted privileged access to all files on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*ExecStart\s*=\s*-/usr/lib/systemd/systemd-sulogin-shell\s*emergency</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/usr/lib/systemd/system/emergency.service</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Determine if the system requires authentication for emergency mode with the following command:
  
$ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service
  
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
  
If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency" or is commented out or missing, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248544" severity="medium" conversionstatus="pass" title="SRG-OS-000120-GPOS-00061" dscresource="nxFileLine">
      <ContainsLine>password sufficient pam_unix.so sha512</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised.
  
OL 8 systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
  
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*password\s*sufficient\s*pam_unix.so\s*sha512</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the "pam_unix.so" module is configured to use sha512 in "/etc/pam.d/password-auth" with the following command:
 
$ sudo grep password /etc/pam.d/password-auth | grep pam_unix
 
password sufficient pam_unix.so sha512
 
If "sha512" is missing, or is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248560" severity="medium" conversionstatus="pass" title="SRG-OS-000250-GPOS-00093" dscresource="nxFileLine">
      <ContainsLine># CRYPTO_POLICY=</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
 
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
 
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
 
OL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*#\s*CRYPTO_POLICY\s*=\s*</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/sysconfig/sshd</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that system-wide crypto policies are in effect:
 
$ sudo grep -i CRYPTO_POLICY /etc/sysconfig/sshd
 
# CRYPTO_POLICY=
 
If the "CRYPTO_POLICY" is uncommented, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248561" severity="medium" conversionstatus="pass" title="SRG-OS-000125-GPOS-00065" dscresource="nxFileLine">
      <ContainsLine>-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
  
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
  
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
  
OL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the "/etc/sysconfig/sshd" file. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/opensshserver.config" file.
 
The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-oMACS\s*=\s*hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/crypto-policies/back-ends/opensshserver.config</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command:
 
     $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config
 
     -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 
If the MACs entries in the "opensshserver.config" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248562" severity="medium" conversionstatus="pass" title="SRG-OS-000125-GPOS-00065" dscresource="nxFileLine">
      <ContainsLine>CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised.
  
Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
  
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
 
The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*CRYPTO_POLICY\s*=\s*'-oCiphers\s*=\s*aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/crypto-policies/back-ends/opensshserver.config</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the OL 8 SSH server is configured to use only ciphers employing FIPS 140-2 approved algorithms with the following command:
   
     $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config
  
     CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
  
If the cipher entries in the "opensshserver.config" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248563" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00232" dscresource="nxFileLine">
      <ContainsLine>SSH_USE_STRONG_RNG=32</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. A random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
  
The SSH implementation in OL 8 uses the OpenSSL library, which does not use high-entropy sources by default. By setting the SSH_USE_STRONG_RNG environment variable, the OpenSSL random generator is reseeded from "/dev/random". This setting is not recommended on computers without a hardware random number generator, because insufficient entropy causes the connection to be blocked until enough entropy is available.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*SSH_USE_STRONG_RNG\s*=\s*32</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/sysconfig/sshd</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system SSH server uses strong entropy with the following command:
  
$ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd
  
SSH_USE_STRONG_RNG=32
  
If the "SSH_USE_STRONG_RNG" line does not equal "32" or is commented out or missing, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248564" severity="medium" conversionstatus="pass" title="SRG-OS-000250-GPOS-00093" dscresource="nxFileLine">
      <ContainsLine>.include /etc/crypto-policies/back-ends/opensslcnf.config</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
  
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
  
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
  
OL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/openssl.config" file.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*.include\s*/etc/crypto-policies/back-ends/opensslcnf.config</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/crypto-policies/back-ends/opensslcnf.config</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the OpenSSL library is configured to use only ciphers employing FIPS 140-2-approved algorithms:
 
Verify that system-wide crypto policies are in effect:
 
$ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf
 
.include /etc/crypto-policies/back-ends/opensslcnf.config
 
If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding.
 
Verify which system-wide crypto policy is in use:
 
$ sudo update-crypto-policies --show
 
FIPS
 
If the system-wide crypto policy is set to anything other than "FIPS", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248565.a" severity="medium" conversionstatus="pass" title="SRG-OS-000250-GPOS-00093" dscresource="nxFileLine">
      <ContainsLine>MinProtocol = TLSv1.2</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
  
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
  
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
  
OL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/openssl.config" file.
 
Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*MinProtocol\s*=\s*TLSv1.2</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/crypto-policies/back-ends/opensslcnf.config</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:
 
For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:
 
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
 
MinProtocol = TLSv1.2
 
If the "MinProtocol" is set to anything older than "TLSv1.2", this is a finding.
 
For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:
 
If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than "DTLSv1.2", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248565.b" severity="medium" conversionstatus="pass" title="SRG-OS-000250-GPOS-00093" dscresource="nxFileLine">
      <ContainsLine>TLS.MinProtocol = TLSv1.2</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
  
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
  
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
  
OL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/openssl.config" file.
 
Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*TLS.MinProtocol\s*=\s*TLSv1.2</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/crypto-policies/back-ends/opensslcnf.config</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:
 
For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:
 
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
 
TLS.MinProtocol = TLSv1.2
 
If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than "DTLSv1.2", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248565.c" severity="medium" conversionstatus="pass" title="SRG-OS-000250-GPOS-00093" dscresource="nxFileLine">
      <ContainsLine>DTLS.MinProtocol = DTLSv1.2</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
  
Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
  
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
  
OL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/openssl.config" file.
 
Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*DTLS.MinProtocol\s*=\s*DTLSv1.2</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/crypto-policies/back-ends/opensslcnf.config</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:
 
For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:
 
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
 
DTLS.MinProtocol = DTLSv1.2
 
If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than "DTLSv1.2", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248574" severity="high" conversionstatus="pass" title="SRG-OS-000366-GPOS-00153" dscresource="nxFileLine">
      <ContainsLine>gpgcheck=1</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
 
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
 
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority (CA).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*gpgcheck\s*=\s*1</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/yum.repos.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check that YUM verifies the signature of packages from a repository prior to install with the following command:
 
$ sudo grep gpgcheck /etc/yum.repos.d/*.repo
 
gpgcheck=1
 
If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the system administrator (SA) how the certificates for patches and other operating system components are verified.
 
If there is no process to validate certificates that is approved by the organization, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248575" severity="high" conversionstatus="pass" title="SRG-OS-000366-GPOS-00153" dscresource="nxFileLine">
      <ContainsLine>localpkg_gpgcheck =True</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
 
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
 
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority (CA).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*localpkg_gpgcheck\s*=\s*True</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/dnf/dnf.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.
 
Check if YUM is configured to perform a signature check on local packages with the following command:
 
$ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf
 
localpkg_gpgcheck =True
 
If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", is commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248581" severity="medium" conversionstatus="pass" title="SRG-OS-000373-GPOS-00156" dscresource="nxFileLine">
      <ContainsLine>%admin ALL=(ALL) NOPASSWD: ALL</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
 
When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
 
Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*%admin\s*ALL\s*=\s*(ALL)\s*NOPASSWD:\s*ALL</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/sudoers.d</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that "/etc/sudoers" has no occurrences of "NOPASSWD".
 
Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command:
 
$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d
 
%admin ALL=(ALL) NOPASSWD: ALL
 
If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group using multifactor authentication (MFA), this is a finding.</RawString>
    </Rule>
    <Rule id="V-248590" severity="medium" conversionstatus="pass" title="SRG-OS-000134-GPOS-00068" dscresource="nxFileLine">
      <ContainsLine>GRUB_CMDLINE_LINUX="page_poison=1"</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Adversaries may launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
  
Poisoning writes an arbitrary value to freed pages, so any modification of or reference to a page after it is freed or before it is initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents leaks of data and allows detection of corrupted memory.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*GRUB_CMDLINE_LINUX\s*=\s*"page_poison\s*=\s*1"</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/default/grub</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities with the following commands:
  
$ sudo grub2-editenv list | grep page_poison
  
kernelopts=root=/dev/mapper/ol-root ro crashkernel=auto resume=/dev/mapper/ol-swap rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82
  
If "page_poison" is not set to "1" or is missing, this is a finding.
  
Check that page poisoning is enabled by default to persist in kernel updates:
  
$ sudo grep page_poison /etc/default/grub
  
GRUB_CMDLINE_LINUX="page_poison=1"
  
If "page_poison" is not set to "1" or is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248591" severity="medium" conversionstatus="pass" title="SRG-OS-000134-GPOS-00068" dscresource="nxFileLine">
      <ContainsLine>GRUB_CMDLINE_LINUX="vsyscall=none"</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Syscalls are special routines in the Linux kernel that userspace applications invoke to perform privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task, switch context to kernel mode, and then switch back to userspace after the system call completes. Virtual syscalls map into user space a page that contains some variables and the implementation of some system calls. This allows those system calls to be executed in userspace to avoid the context-switching expense.
  
Virtual syscalls provide an opportunity for attack by a user who has control of the return instruction pointer. Disabling vsyscalls helps to prevent return-oriented programming (ROP) attacks via buffer overflows and overruns. If the system is intended to run containers based on OL 6 components, virtual syscalls will need to be enabled so those components function properly.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*GRUB_CMDLINE_LINUX\s*=\s*"vsyscall\s*=\s*none"</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/default/grub</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that GRUB 2 is configured to disable vsyscalls with the following commands:
  
$ sudo grub2-editenv list | grep vsyscall
  
kernelopts=root=/dev/mapper/ol-root ro crashkernel=auto resume=/dev/mapper/ol-swap rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82
  
If "vsyscall" is not set to "none" or is missing, this is a finding.
  
Check that vsyscalls are disabled by default to persist in kernel updates:
  
$ sudo grep vsyscall /etc/default/grub
  
GRUB_CMDLINE_LINUX="vsyscall=none"
  
If "vsyscall" is not set to "none", is missing, or is commented out, and this is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248592" severity="medium" conversionstatus="pass" title="SRG-OS-000134-GPOS-00068" dscresource="nxFileLine">
      <ContainsLine>GRUB_CMDLINE_LINUX="slub_debug=P"</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
 
Poisoning writes an arbitrary value to freed pages, so any modification of or reference to a page after it is freed or before it is initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents leaks of data and allows detection of corrupted memory.
 
SLAB objects are blocks of physically contiguous memory. SLUB is the unqueued SLAB allocator.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*GRUB_CMDLINE_LINUX\s*=\s*"slub_debug\s*=\s*P"</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/default/grub</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities with the following commands:
 
Check that the current GRUB 2 configuration has poisoning of SLUB/SLAB objects enabled:
 
$ sudo grub2-editenv list | grep slub_debug
 
kernelopts=root=/dev/mapper/ol-root ro crashkernel=auto resume=/dev/mapper/ol-swap rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet fips=1 slub_debug=P page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82
 
If "slub_debug" does not contain "P" or is missing, this is a finding.
 
Check that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates:
 
$ sudo grep slub_debug /etc/default/grub
 
GRUB_CMDLINE_LINUX="slub_debug=P"
 
If "slub_debug" does not contain "P", is missing, or is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248595" severity="low" conversionstatus="pass" title="SRG-OS-000437-GPOS-00194" dscresource="nxFileLine">
      <ContainsLine>clean_requirements_on_remove=True</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*clean_requirements_on_remove\s*=\s*True</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/yum.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system removes all software components after updated versions have been installed.
  
Check if YUM is configured to remove unneeded packages with the following command:
  
$ sudo grep -i clean_requirements_on_remove /etc/yum.conf
  
clean_requirements_on_remove=True
  
If "clean_requirements_on_remove" is not set to "True", commented out, or missing from "/etc/yum.conf", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248596" severity="medium" conversionstatus="pass" title="SRG-OS-000445-GPOS-00199" dscresource="nxFileLine">
      <ContainsLine>SELINUXTYPE = targeted</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without verification of the security functions, they may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
  
This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*SELINUXTYPE\s*=\s*targeted</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/selinux/config</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Ensure the operating system verifies correct operation of all security functions.
  
Verify that "SELinux" is active and is enforcing the targeted policy with the following command:
  
$ sudo sestatus
  
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
  
If the "Loaded policy name" is not set to "targeted", this is a finding.
  
Verify that the "/etc/selinux/config" file is configured to the "SELINUXTYPE" as "targeted":
  
$ sudo grep -i "selinuxtype" /etc/selinux/config | grep -v '^#'
  
SELINUXTYPE = targeted
  
If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248621" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*UUID\s*=\s*2bc871e4-e2a3-4f29-9ece-3be60c835222\s*/mnt/usbflash\s*vfat\s*noauto,owner,ro,nosuid,nodev,noexec\s*0\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/fstab</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that file systems used for removable media are mounted with the "nodev" option with the following command:
  
$ sudo more /etc/fstab
  
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
  
If a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248624" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*UUID\s*=\s*e06097bb-cfcd-437b-9e4d-a691f5662a7d\s*/store\s*nfs\s*rw,nosuid,nodev,noexec\s*0\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/fstab</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that file systems being imported via NFS are mounted with the "noexec" option with the following command:
  
$ sudo grep nfs /etc/fstab | grep noexec
  
UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0
  
If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248631.a" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>* hard core 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
  
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*\*\s*hard\s*core\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/security/limits.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables core dumps for all users with the following command:

$ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf /etc/security/limits.d/*.conf

* hard core 0

If the "core" item is missing or commented out or the value is anything other than "0", and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248631.b" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
  
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*This\s*can\s*be\s*set\s*as\s*a\s*global\s*domain\s*\(with\s*the\s*\*\s*wildcard\)\s*but\s*may\s*be\s*set\s*differently\s*for\s*multiple\s*domains\.</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/security/limits.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables core dumps for all users with the following command:

$ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf /etc/security/limits.d/*.conf

This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.

If the "core" item is missing or commented out or the value is anything other than "0", and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248632" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>Storage=none</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
  
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*Storage\s*=\s*none</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/systemd/coredump.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables storing core dumps for all users with the following command:
  
$ sudo grep -i storage /etc/systemd/coredump.conf
  
Storage=none
  
If the "Storage" item is missing or commented out or the value is anything other than "none", and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248633" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>ProcessSizeMax=0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
  
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*ProcessSizeMax\s*=\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/systemd/coredump.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables core dump backtraces by issuing the following command:
  
$ sudo grep -i ProcessSizeMax /etc/systemd/coredump.conf
  
ProcessSizeMax=0
  
If the "ProcessSizeMax" item is missing or commented out or the value is anything other than "0", and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248644" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>CREATE_HOME yes</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>^#\s*CREATE_HOME.*$|^CREATE_HOME\s*(?!yes\b)\w*$|^CREATE_HOME\t.*</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/login.defs</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify all local interactive users on OL 8 are assigned a home directory upon creation with the following command:
  
$ sudo grep -i create_home /etc/login.defs
  
CREATE_HOME yes
  
If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248649" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00229" dscresource="nxFileLine">
      <ContainsLine>AutomaticLoginEnable=false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*AutomaticLoginEnable\s*=\s*false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/gdm/custom.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
 
Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.
 
Check for the value of "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command:
  
$ sudo grep -i automaticloginenable /etc/gdm/custom.conf
  
AutomaticLoginEnable=false
  
If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.</RawString>
    </Rule>
    <Rule id="V-248652.a" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
  
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the system locks an account after three unsuccessful logon attempts with the following commands.

Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.

Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.

$ sudo grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0

If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding.

If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248652.b" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
  
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the system locks an account after three unsuccessful logon attempts with the following commands.

Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.

Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.

$ sudo grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0

If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding.

If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248652.c" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
  
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the system locks an account after three unsuccessful logon attempts with the following commands.

Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.

Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.

$ sudo grep pam_faillock.so /etc/pam.d/password-auth

account required pam_faillock.so

If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding.

If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248652.d" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
  
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/system-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the system locks an account after three unsuccessful logon attempts with the following commands.

Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.

Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.

$ sudo grep pam_faillock.so /etc/pam.d/system-auth

auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0

If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding.

If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248652.e" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
  
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/system-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the system locks an account after three unsuccessful logon attempts with the following commands.
Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
$ sudo grep pam_faillock.so /etc/pam.d/system-auth
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding.
If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248652.f" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
  
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/system-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the system locks an account after three unsuccessful logon attempts with the following commands.
Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
$ sudo grep pam_faillock.so /etc/pam.d/system-auth
account required pam_faillock.so
If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module or is missing from this line, this is a finding.
If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248653" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the "pam_faillock.so" module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in "/etc/passwd" and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
  
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/security/faillock.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "deny" option is not set to "3" or less (but not "0") or is missing or commented out, this is a finding." </OrganizationValueTestString>
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
  
Verify the "/etc/security/faillock.conf" file is configured to lock an account after three unsuccessful logon attempts:
  
$ sudo grep 'deny =' /etc/security/faillock.conf
  
deny = 3
  
If the "deny" option is not set to "3" or less (but not "0") or is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248655" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>fail_interval = 900</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the "pam_faillock.so" module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in "/etc/passwd" and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
  
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*fail_interval\s*=\s*900</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/security/faillock.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
 
Verify the "/etc/security/faillock.conf" file is configured to lock an account after three unsuccessful logon attempts within 15 minutes:
  
$ sudo grep 'fail_interval =' /etc/security/faillock.conf
  
fail_interval = 900
  
If the "fail_interval" option is not set to "900" or more or is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248657" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>unlock_time = 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the "pam_faillock.so" module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in "/etc/passwd" and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
  
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*unlock_time\s*=\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/security/faillock.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
  
Verify the "/etc/security/faillock.conf" file is configured to lock an account until released by an administrator after three unsuccessful logon attempts:
  
$ sudo grep 'unlock_time =' /etc/security/faillock.conf
  
unlock_time = 0
  
If the "unlock_time" option is not set to "0" or is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248659" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>dir = /var/log/faillock</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the "pam_faillock.so" module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in "/etc/passwd" and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
  
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*dir\s*=\s*/var/log/faillock</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/faillock</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
  
Verify the "/etc/security/faillock.conf" file is configured to use a non-default faillock directory so that its contents persist after reboot:
  
$ sudo grep 'dir =' /etc/security/faillock.conf
  
dir = /var/log/faillock
  
If the "dir" option is not set to a non-default documented tally log directory or is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248661" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>silent</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the "pam_faillock.so" module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in "/etc/passwd" and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
  
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*silent</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/security/faillock.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
 
Verify the "/etc/security/faillock.conf" file is configured to prevent informative messages from being presented at logon attempts:
  
$ sudo grep silent /etc/security/faillock.conf
  
silent
  
If the "silent" option is not set or is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248663" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>audit</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the "pam_faillock.so" module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in "/etc/passwd" and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
  
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*audit</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/security/faillock.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
 
Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur:
  
$ sudo grep audit /etc/security/faillock.conf
  
audit
  
If the "audit" option is not set or is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248665" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>even_deny_root</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
  
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the "pam_faillock.so" module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
  
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*even_deny_root</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/security/faillock.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
  
Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur:
  
$ sudo grep even_deny_root /etc/security/faillock.conf
  
even_deny_root
  
If the "even_deny_root" option is not set or is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248668.a" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>auth required pam_faillock.so preauth auth required pam_faillock.so authfail account required pam_faillock.so</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
 
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
 
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
The preauth argument must be used when the module is called before the modules that ask for user credentials, such as the password.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*auth\s*required\s*pam_faillock.so\s*preauth\s*auth\s*required\s*pam_faillock.so\s*authfail\s*account\s*required\s*pam_faillock.so</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:
$ sudo grep pam_faillock.so /etc/pam.d/password-auth
auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248668.b" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>auth required pam_faillock.so preauth auth required pam_faillock.so authfail account required pam_faillock.so</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
 
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
 
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
The preauth argument must be used when the module is called before the modules that ask for user credentials, such as the password.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*auth\s*required\s*pam_faillock.so\s*preauth\s*auth\s*required\s*pam_faillock.so\s*authfail\s*account\s*required\s*pam_faillock.so</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:
$ sudo grep pam_faillock.so /etc/pam.d/password-auth
auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248668.c" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>auth required pam_faillock.so preauth auth required pam_faillock.so authfail account required pam_faillock.so</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
 
In OL 8.2, the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.
 
From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
The preauth argument must be used when the module is called before the modules that ask for user credentials, such as the password.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*auth\s*required\s*pam_faillock.so\s*preauth\s*auth\s*required\s*pam_faillock.so\s*authfail\s*account\s*required\s*pam_faillock.so</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check applies to OL versions 8.2 or newer. If the system is OL version 8.0 or 8.1, this check is not applicable.
Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file:
$ sudo grep pam_faillock.so /etc/pam.d/password-auth
auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so
If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248670.a" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>auth required pam_faillock.so preauth dir=/var/log/faillock auth required pam_faillock.so authfail dir=/var/log/faillock Check the security context type of the non-default tally directory with the following command: $ sudo ls -Zd /var/log/faillock unconfined_u:object_r:faillog_t:s0 /var/log/faillock</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
 
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*auth\s*required\s*pam_faillock.so\s*preauth\s*dir\s*=\s*/var/log/faillock\s*auth\s*required\s*pam_faillock.so\s*authfail\s*dir\s*=\s*/var/log/faillock\s*Check\s*the\s*security\s*context\s*type\s*of\s*the\s*non-default\s*tally\s*directory\s*with\s*the\s*following\s*command:\s*$\s*sudo\s*ls\s*-Zd\s*/var/log/faillock\s*unconfined_u:object_r:faillog_t:s0\s*/var/log/faillock</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/faillock</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
Verify the location of the non-default tally directory for the pam_faillock module with the following command:
$ sudo grep -w dir /etc/pam.d/password-auth
auth required pam_faillock.so preauth dir=/var/log/faillock
auth required pam_faillock.so authfail dir=/var/log/faillock
Check the security context type of the non-default tally directory with the following command:
$ sudo ls -Zd /var/log/faillock
unconfined_u:object_r:faillog_t:s0 /var/log/faillock
If the security context type of the non-default tally directory is not "faillog_t", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248670.b" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>auth required pam_faillock.so preauth dir=/var/log/faillock auth required pam_faillock.so authfail dir=/var/log/faillock Check the security context type of the non-default tally directory with the following command: $ sudo ls -Zd /var/log/faillock unconfined_u:object_r:faillog_t:s0 /var/log/faillock</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
 
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*auth\s*required\s*pam_faillock.so\s*preauth\s*dir\s*=\s*/var/log/faillock\s*auth\s*required\s*pam_faillock.so\s*authfail\s*dir\s*=\s*/var/log/faillock\s*Check\s*the\s*security\s*context\s*type\s*of\s*the\s*non-default\s*tally\s*directory\s*with\s*the\s*following\s*command:\s*$\s*sudo\s*ls\s*-Zd\s*/var/log/faillock\s*unconfined_u:object_r:faillog_t:s0\s*/var/log/faillock</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/faillock</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
Verify the location of the non-default tally directory for the pam_faillock module with the following command:
$ sudo grep -w dir /etc/pam.d/password-auth
auth required pam_faillock.so preauth dir=/var/log/faillock
auth required pam_faillock.so authfail dir=/var/log/faillock
Check the security context type of the non-default tally directory with the following command:
$ sudo ls -Zd /var/log/faillock
unconfined_u:object_r:faillog_t:s0 /var/log/faillock
If the security context type of the non-default tally directory is not "faillog_t", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248670.c" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>auth required pam_faillock.so preauth dir=/var/log/faillock auth required pam_faillock.so authfail dir=/var/log/faillock Check the security context type of the non-default tally directory with the following command: $ sudo ls -Zd /var/log/faillock unconfined_u:object_r:faillog_t:s0 /var/log/faillock</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
 
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*auth\s*required\s*pam_faillock.so\s*preauth\s*dir\s*=\s*/var/log/faillock\s*auth\s*required\s*pam_faillock.so\s*authfail\s*dir\s*=\s*/var/log/faillock\s*Check\s*the\s*security\s*context\s*type\s*of\s*the\s*non-default\s*tally\s*directory\s*with\s*the\s*following\s*command:\s*$\s*sudo\s*ls\s*-Zd\s*/var/log/faillock\s*unconfined_u:object_r:faillog_t:s0\s*/var/log/faillock</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/faillock</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
Verify the location of the non-default tally directory for the pam_faillock module with the following command:
$ sudo grep -w dir /etc/pam.d/password-auth
auth required pam_faillock.so preauth dir=/var/log/faillock
auth required pam_faillock.so authfail dir=/var/log/faillock
Check the security context type of the non-default tally directory with the following command:
$ sudo ls -Zd /var/log/faillock
unconfined_u:object_r:faillog_t:s0 /var/log/faillock
If the security context type of the non-default tally directory is not "faillog_t", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248670.d" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>auth required pam_faillock.so preauth dir=/var/log/faillock auth required pam_faillock.so authfail dir=/var/log/faillock Check the security context type of the non-default tally directory with the following command: $ sudo ls -Zd /var/log/faillock unconfined_u:object_r:faillog_t:s0 /var/log/faillock</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
 
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*auth\s*required\s*pam_faillock.so\s*preauth\s*dir\s*=\s*/var/log/faillock\s*auth\s*required\s*pam_faillock.so\s*authfail\s*dir\s*=\s*/var/log/faillock\s*Check\s*the\s*security\s*context\s*type\s*of\s*the\s*non-default\s*tally\s*directory\s*with\s*the\s*following\s*command:\s*$\s*sudo\s*ls\s*-Zd\s*/var/log/faillock\s*unconfined_u:object_r:faillog_t:s0\s*/var/log/faillock</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/faillock</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
Verify the location of the non-default tally directory for the pam_faillock module with the following command:
$ sudo grep -w dir /etc/pam.d/password-auth
auth required pam_faillock.so preauth dir=/var/log/faillock
auth required pam_faillock.so authfail dir=/var/log/faillock
Check the security context type of the non-default tally directory with the following command:
$ sudo ls -Zd /var/log/faillock
unconfined_u:object_r:faillog_t:s0 /var/log/faillock
If the security context type of the non-default tally directory is not "faillog_t", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248670.e" severity="medium" conversionstatus="pass" title="SRG-OS-000021-GPOS-00005" dscresource="nxFileLine">
      <ContainsLine>auth required pam_faillock.so preauth dir=/var/log/faillock auth required pam_faillock.so authfail dir=/var/log/faillock Check the security context type of the non-default tally directory with the following command: $ sudo ls -Zd /var/log/faillock unconfined_u:object_r:faillog_t:s0 /var/log/faillock</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
 
From "Pam_Faillock" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
 
SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
 
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*auth\s*required\s*pam_faillock.so\s*preauth\s*dir\s*=\s*/var/log/faillock\s*auth\s*required\s*pam_faillock.so\s*authfail\s*dir\s*=\s*/var/log/faillock\s*Check\s*the\s*security\s*context\s*type\s*of\s*the\s*non-default\s*tally\s*directory\s*with\s*the\s*following\s*command:\s*$\s*sudo\s*ls\s*-Zd\s*/var/log/faillock\s*unconfined_u:object_r:faillog_t:s0\s*/var/log/faillock</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/faillock</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
Verify the location of the non-default tally directory for the pam_faillock module with the following command:
$ sudo grep -w dir /etc/pam.d/password-auth
auth required pam_faillock.so preauth dir=/var/log/faillock
auth required pam_faillock.so authfail dir=/var/log/faillock
Check the security context type of the non-default tally directory with the following command:
$ sudo ls -Zd /var/log/faillock
unconfined_u:object_r:faillog_t:s0 /var/log/faillock
If the security context type of the non-default tally directory is not "faillog_t", this is a finding.
</RawString>
    </Rule>
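The two pam_faillock checks above, the module order in /etc/pam.d/password-auth (the check that precedes the V-248670 rules, for OL 8.2 and newer) and the SELinux type of a non-default tally directory (V-248670.a to .e, for OL 8.0 and 8.1), as one added audit script. This is example code written for this page, not part of the STIG or of PowerSTIG. It assumes GNU coreutils (stat -c %C for the SELinux context) and PAM lines in the usual "type control module options" layout; the password-auth sample it builds is constructed for the demonstration. Beyond the STIG's grep it enforces the ordering rule (preauth before pam_unix.so) and treats a commented-out line as absent.

```shell
#!/bin/sh
# Example audit helper written for this page (not STIG or PowerSTIG output).
# It checks the pam_faillock requirements described above against a PAM file
# and the SELinux type of a non-default tally directory.
# Assumptions: GNU coreutils (stat -c %C), PAM lines laid out as
# "type control module [options]". The sample file at the end is constructed.

# active_lines FILE: print FILE without comment lines, so a commented-out
# module line counts as absent (the STIG treats that as a finding).
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# check_faillock_order FILE: return 0 only when
#   - an uncommented "auth ... pam_faillock.so ... preauth" line exists,
#   - it comes before the first uncommented "auth ... pam_unix.so" line,
#   - uncommented authfail (auth) and pam_faillock (account) lines exist.
check_faillock_order() {
    lines=$(active_lines "$1")
    preauth=$(printf '%s\n' "$lines" | grep -n '^auth[[:space:]].*pam_faillock\.so.*preauth' | head -n1 | cut -d: -f1)
    pam_unix=$(printf '%s\n' "$lines" | grep -n '^auth[[:space:]].*pam_unix\.so' | head -n1 | cut -d: -f1)
    authfail=$(printf '%s\n' "$lines" | grep -c '^auth[[:space:]].*pam_faillock\.so.*authfail' || true)
    account=$(printf '%s\n' "$lines" | grep -c '^account[[:space:]].*pam_faillock\.so' || true)
    [ -n "$preauth" ] || return 1
    [ -n "$pam_unix" ] || return 1
    [ "$preauth" -lt "$pam_unix" ] || return 1
    [ "$authfail" -ge 1 ] || return 1
    [ "$account" -ge 1 ] || return 1
}

# faillock_dir FILE: print the dir= value from the active preauth line, or
# nothing when pam_faillock uses its default tally directory (which the man
# page notes is usually cleared at boot, so lockouts would not survive a reboot).
faillock_dir() {
    active_lines "$1" | grep 'pam_faillock\.so.*preauth' | head -n1 \
        | tr -s '[:blank:]' '\n' | grep '^dir=' | head -n1 | cut -d= -f2
}

# selinux_type CONTEXT: print the type field of an SELinux context string
# such as "unconfined_u:object_r:faillog_t:s0" (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_tally_dir_context DIR: return 0 only when DIR exists and carries the
# faillog_t type; under the targeted policy pam_faillock cannot write to a
# tally directory labelled with any other type.
check_tally_dir_context() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 1
    [ "$(selinux_type "$ctx")" = "faillog_t" ]
}

# Demonstration on a constructed password-auth sample (not a real system file).
demo=$(mktemp)
printf '%s\n' \
    'auth        required      pam_env.so' \
    'auth        required      pam_faillock.so preauth silent dir=/var/log/faillock' \
    'auth        sufficient    pam_unix.so try_first_pass' \
    'auth        required      pam_faillock.so authfail dir=/var/log/faillock' \
    'account     required      pam_faillock.so' \
    'account     required      pam_unix.so' > "$demo"

if check_faillock_order "$demo"; then
    echo "pam_faillock order in $demo: ok"
else
    echo "pam_faillock order in $demo: FINDING"
fi
tally=$(faillock_dir "$demo")
if [ -n "$tally" ]; then
    if check_tally_dir_context "$tally"; then
        echo "tally directory $tally: faillog_t"
    else
        echo "tally directory $tally: missing or not faillog_t (finding under SELinux targeted)"
    fi
fi
rm -f "$demo"
```

To audit a host, replace the demonstration section with a call to check_faillock_order on the real /etc/pam.d/password-auth and, when faillock_dir reports a non-default directory, check_tally_dir_context on that path; both need root to read the files and query the context.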
    <Rule id="V-248676.a" severity="medium" conversionstatus="pass" title="SRG-OS-000028-GPOS-00009" dscresource="nxFileLine">
      <ContainsLine>Review the tmux script by using the following example:</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen.
 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*Review\s*the\s*tmux\s*script\s*by\s*using\s*the\s*following\s*example:</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/profile.d/tmux.sh</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
Determine if tmux is currently running:
$ sudo ps all | grep tmux | grep -v grep
If the command does not produce output, this is a finding.
Determine the location of the tmux script:
$ sudo grep tmux /etc/profile.d/*
/etc/profile.d/tmux.sh: case "$name" in (sshd|login) tmux ;; esac
Review the tmux script by using the following example:
if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
case "$name" in (sshd|login) tmux ;; esac
fi
If "tmux" is not configured as the example above, is commented out or missing, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248676.b" severity="medium" conversionstatus="pass" title="SRG-OS-000028-GPOS-00009" dscresource="nxFileLine">
      <ContainsLine>if [ "$PS1" ]; then</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen.
 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*if\s*[\s*"$PS1"\s*];\s*then</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/profile.d/tmux.sh</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
Determine if tmux is currently running:
$ sudo ps all | grep tmux | grep -v grep
If the command does not produce output, this is a finding.
Determine the location of the tmux script:
$ sudo cat /etc/profile.d/tmux.sh
if [ "$PS1" ]; then
If "tmux" is not configured as the example above, is commented out or missing, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248676.c" severity="medium" conversionstatus="pass" title="SRG-OS-000028-GPOS-00009" dscresource="nxFileLine">
      <ContainsLine>parent=$(ps -o ppid= -p $$)</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen.
 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*parent\s*=\s*$(ps\s*-o\s*ppid\s*=\s*-p\s*$$)</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/profile.d/tmux.sh</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
Determine if tmux is currently running:
$ sudo ps all | grep tmux | grep -v grep
If the command does not produce output, this is a finding.
Determine the location of the tmux script:
$ sudo cat /etc/profile.d/tmux.sh
parent=$(ps -o ppid= -p $$)
If "tmux" is not configured as the example above, is commented out or missing, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248676.d" severity="medium" conversionstatus="pass" title="SRG-OS-000028-GPOS-00009" dscresource="nxFileLine">
      <ContainsLine>name=$(ps -o comm= -p $parent)</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen.
 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*name\s*=\s*$(ps\s*-o\s*comm\s*=\s*-p\s*$parent)</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/profile.d/tmux.sh</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
Determine if tmux is currently running:
$ sudo ps all | grep tmux | grep -v grep
If the command does not produce output, this is a finding.
Determine the location of the tmux script:
$ sudo cat /etc/profile.d/tmux.sh
name=$(ps -o comm= -p $parent)
If "tmux" is not configured as the example above, is commented out or missing, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248676.e" severity="medium" conversionstatus="pass" title="SRG-OS-000028-GPOS-00009" dscresource="nxFileLine">
      <ContainsLine>case "$name" in (sshd|login) tmux ;; esac</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen.
 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*case\s*"$name"\s*in\s*(sshd|login)\s*tmux\s*;;\s*esac</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/profile.d/tmux.sh</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
Determine if tmux is currently running:
$ sudo ps all | grep tmux | grep -v grep
If the command does not produce output, this is a finding.
Determine the location of the tmux script:
$ sudo cat /etc/profile.d/tmux.sh
case "$name" in (sshd|login) tmux ;; esac
If "tmux" is not configured as the example above, is commented out or missing, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248676.f" severity="medium" conversionstatus="pass" title="SRG-OS-000028-GPOS-00009" dscresource="nxFileLine">
      <ContainsLine>fi</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen.
 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*fi</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/profile.d/tmux.sh</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
Determine if tmux is currently running:
$ sudo ps all | grep tmux | grep -v grep
If the command does not produce output, this is a finding.
Determine the location of the tmux script:
$ sudo cat /etc/profile.d/tmux.sh
fi
If "tmux" is not configured as the example above, is commented out or missing, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248678" severity="medium" conversionstatus="pass" title="SRG-OS-000028-GPOS-00009" dscresource="nxFileLine">
      <ContainsLine>Binary file /usr/bin/vlock matches</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
  
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, OL 8 needs to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.
  
Systemd, a core component of OL 8, has a variety of dependencies needed to function. One of those packages is the Keytable files and keyboard utilities (kbd.x86_64). This package provides the "vlock" binary, a utility used to lock one or several user virtual console sessions.
 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*Binary\s*file\s*/usr/bin/vlock\s*matches</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/usr/bin/vlock</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 has the "vlock" package installed by running the following command:
  
$ sudo grep vlock /usr/bin/*
  
Binary file /usr/bin/vlock matches
  
If "vlock" is not installed, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248679" severity="medium" conversionstatus="pass" title="SRG-OS-000028-GPOS-00009" dscresource="nxFileLine">
      <ContainsLine>/etc/dconf/db/distro.d/20-authselect:removal-action='lock-screen'</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
  
The session lock is implemented at the point where session activity can be determined.
  
Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
  
OL 8 includes "authselect" as a tool to configure system identity, authentication sources, and providers by selecting a specific profile. A profile is a set of files that describes the resulting system configuration. When a profile is selected, "authselect" will create the "nsswitch.conf" and "PAM" stack to use identity and authentication sources defined by the profile.
 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/etc/dconf/db/distro.d/20-authselect:removal-action\s*=\s*'lock-screen'</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/dconf/db/distro.d/20-authselect</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system enables a user's session lock until that user reestablishes access using established identification and authentication procedures with the following command:
  
This requirement assumes the use of the OL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
 
$ sudo grep -r removal-action /etc/dconf/db/*
 
/etc/dconf/db/distro.d/20-authselect:removal-action='lock-screen'
 
If the "removal-action='lock-screen'" setting is missing or commented out from the "dconf" database files, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248681" severity="medium" conversionstatus="pass" title="SRG-OS-000029-GPOS-00010" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
 
Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
 
Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/tmux.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the operating system initiates a session lock after 15 minutes of inactivity.
 
Check the value of the system inactivity timeout with the following command:
 
$ sudo grep -i lock-after-time /etc/tmux.conf
 
set -g lock-after-time 900
 
If "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248686" severity="medium" conversionstatus="pass" title="SRG-OS-000069-GPOS-00037" dscresource="nxFileLine">
      <ContainsLine>password requisite pam_pwquality.so</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
  
OL 8 uses "pwquality" as a mechanism to enforce password complexity. This is set in both of the following:
/etc/pam.d/password-auth
/etc/pam.d/system-auth
  
Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*password\s*requisite\s*pam_pwquality.so</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system uses "pwquality" to enforce the password complexity rules.
 
Check for the use of "pwquality" in the password-auth file with the following command:
 
     $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
 
     password requisite pam_pwquality.so
 
If the command does not return a line containing the value "pam_pwquality.so" as shown, or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248695" severity="medium" conversionstatus="pass" title="SRG-OS-000075-GPOS-00043" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/login.defs</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MIN_DAYS" parameter value is not "1" or greater or is commented out, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the operating system enforces 24 hours/one day as the minimum password lifetime for new user accounts.
  
Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command:
  
$ sudo grep -i pass_min_days /etc/login.defs
PASS_MIN_DAYS 1
  
If the "PASS_MIN_DAYS" parameter value is not "1" or greater or is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248696" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If OL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that OL 8 passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/login.defs</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MAX_DAYS" parameter value is greater than "60", or commented out, this is a finding." </OrganizationValueTestString>
      <RawString>Verify that OL 8 enforces a 60-day maximum password lifetime for new user accounts by running the following command:
 
$ sudo grep -i pass_max_days /etc/login.defs
PASS_MAX_DAYS 60
 
If the "PASS_MAX_DAYS" parameter value is greater than "60", or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248700" severity="medium" conversionstatus="pass" title="SRG-OS-000078-GPOS-00046" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
  
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
  
The DOD minimum password requirement is 15 characters.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/login.defs</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MIN_LEN" parameter value is less than "15" or is commented out, this is a finding." </OrganizationValueTestString>
      <RawString>Verify that OL 8 enforces a minimum 15-character password length for new user accounts by running the following command:
  
$ sudo grep -i pass_min_len /etc/login.defs
  
PASS_MIN_LEN 15
  
If the "PASS_MIN_LEN" parameter value is less than "15" or is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248712" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00226" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.
  
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/login.defs</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "FAIL_DELAY" is not set to "4" or greater or the line is commented out, this is a finding." </OrganizationValueTestString>
      <RawString>Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt with the following command:
  
$ sudo grep -i fail_delay /etc/login.defs
  
FAIL_DELAY 4
  
If the value of "FAIL_DELAY" is not set to "4" or greater or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248717" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>session required pam_lastlog.so showfailed</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>^\s*session\s*(?!required)\w*\s*pam_lastlog\.so.*|#\s*session\s*\w*\s*pam_lastlog\.so.*|^\s*session(?:\t+|\s{2,})required(?:\t+|\s{2,})pam_lastlog\.so.*</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/postlogin</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify users are provided with feedback on when account accesses last occurred with the following command:
  
$ sudo grep pam_lastlog /etc/pam.d/postlogin
  
session required pam_lastlog.so showfailed
  
If "pam_lastlog" is missing from the "/etc/pam.d/postlogin" file or the silent option is present, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248721.a" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00228" dscresource="nxFileLine">
      <ContainsLine>/etc/bashrc: umask 077</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/etc/bashrc:\s*umask\s*077</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/bashrc</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the umask default for installed shells is "077".
Check for the value of the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc", and "/etc/profile" files with the following command:
Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc", "/etc/csh.cshrc", or the "/etc/profile" files, the Severity is raised to a CAT I.
$ sudo grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/etc/bashrc: umask 077
If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248721.b" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00228" dscresource="nxFileLine">
      <ContainsLine>/etc/csh.cshrc: umask 077</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/etc/csh.cshrc:\s*umask\s*077</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/csh.cshrc</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the umask default for installed shells is "077".
Check for the value of the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc", and "/etc/profile" files with the following command:
Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc", "/etc/csh.cshrc", or the "/etc/profile" files, the Severity is raised to a CAT I.
$ sudo grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/etc/bashrc: umask 077
/etc/csh.cshrc: umask 077
If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248721.c" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00228" dscresource="nxFileLine">
      <ContainsLine>/etc/csh.cshrc: umask 077</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/etc/csh.cshrc:\s*umask\s*077</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/csh.cshrc</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the umask default for installed shells is "077".
Check for the value of the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc", and "/etc/profile" files with the following command:
Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc", "/etc/csh.cshrc", or the "/etc/profile" files, the Severity is raised to a CAT I.
$ sudo grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/etc/bashrc: umask 077
/etc/csh.cshrc: umask 077
If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248721.d" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00228" dscresource="nxFileLine">
      <ContainsLine>/etc/profile: umask 077</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/etc/profile:\s*umask\s*077</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/profile</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the umask default for installed shells is "077".
Check for the value of the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc", and "/etc/profile" files with the following command:
Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc", "/etc/csh.cshrc", or the "/etc/profile" files, the Severity is raised to a CAT I.
$ sudo grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/etc/bashrc: umask 077
/etc/profile: umask 077
If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248721.e" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00228" dscresource="nxFileLine">
      <ContainsLine>/etc/profile: umask 077</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/etc/profile:\s*umask\s*077</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/profile</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the umask default for installed shells is "077".
Check for the value of the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc", and "/etc/profile" files with the following command:
Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc", "/etc/csh.cshrc", or the "/etc/profile" files, the Severity is raised to a CAT I.
$ sudo grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile
/etc/bashrc: umask 077
/etc/profile: umask 077
If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248723.a" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>cron.* /var/log/cron</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*cron.*\s*/var/log/cron</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/cron</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that "rsyslog" is configured to log cron events with the following command:
Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
$ sudo grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
cron.* /var/log/cron
If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248723.b" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*If\s*the\s*command\s*does\s*not\s*return\s*a\s*response,\s*check\s*for\s*cron\s*logging\s*all\s*facilities\s*by\s*inspecting\s*the\s*"/etc/rsyslog.conf"\s*or\s*"/etc/rsyslog.d/*.conf"\s*files.</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/rsyslog.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that "rsyslog" is configured to log cron events with the following command:
Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
$ sudo grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248723.c" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>Look for the following entry:</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*Look\s*for\s*the\s*following\s*entry:</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/rsyslog.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that "rsyslog" is configured to log cron events with the following command:
Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
$ sudo grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
Look for the following entry:
If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248723.d" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>*.* /var/log/messages</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s**.*\s*/var/log/messages</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/messages</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that "rsyslog" is configured to log cron events with the following command:
Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
$ sudo grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
*.* /var/log/messages
If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248725" severity="medium" conversionstatus="pass" title="SRG-OS-000046-GPOS-00022" dscresource="nxFileLine">
      <ContainsLine>postmaster: root</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
  
Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
  
This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*postmaster:\s*root</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/aliases</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the administrators are notified in the event of an audit processing failure.
  
Check that the "/etc/aliases" file has a defined value for "root".
  
$ sudo grep "postmaster:\s*root$" /etc/aliases
 
postmaster: root
 
If the command does not return a line or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248726" severity="medium" conversionstatus="pass" title="SRG-OS-000047-GPOS-00023" dscresource="nxFileLine">
      <ContainsLine>disk_error_action = HALT</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
  
Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
  
This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*disk_error_action\s*=\s*HALT</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/auditd.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 takes the appropriate action when an audit processing failure occurs with the following command:
  
$ sudo grep disk_error_action /etc/audit/auditd.conf
  
disk_error_action = HALT
  
If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248728" severity="medium" conversionstatus="pass" title="SRG-OS-000047-GPOS-00023" dscresource="nxFileLine">
      <ContainsLine>disk_full_action = HALT</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is critical that when OL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.
  
When availability is an overriding concern, other approved actions in response to an audit failure are as follows:
  
1) If the failure was caused by the lack of audit record storage capacity, OL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.
  
2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, OL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*disk_full_action\s*=\s*HALT</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/auditd.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 takes the appropriate action when the audit storage volume is full with the following command:
  
$ sudo grep disk_full_action /etc/audit/auditd.conf
  
disk_full_action = HALT
  
If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248729" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>local_events = yes</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
 
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*local_events\s*=\s*yes</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/auditd.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the OL 8 Audit Daemon is configured to include local events, with the following command:
 
$ sudo grep local_events /etc/audit/auditd.conf
 
local_events = yes
 
If the value of the "local_events" option is not set to "yes", or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248730" severity="medium" conversionstatus="pass" title="SRG-OS-000342-GPOS-00133" dscresource="nxFileLine">
      <ContainsLine>name_format = hostname</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without establishing what type of events occurred and their source, location, and outcome, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
  
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
  
Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.
  
When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>^#\s*name_format.*$|^name_format\s*=\s*(?!hostname$)\w*$</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/auditd.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the OL 8 audit daemon is configured to label all offloaded audit logs with the following command:
  
$ sudo grep "name_format" /etc/audit/auditd.conf
  
name_format = hostname
  
If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248731" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>log_format = ENRICHED</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without establishing what type of events occurred and their source, location, and outcome, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
  
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
  
Enriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*log_format\s*=\s*ENRICHED</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/auditd.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the OL 8 audit daemon is configured to resolve audit information before writing to disk, with the following command:
  
$ sudo grep "log_format" /etc/audit/auditd.conf
  
log_format = ENRICHED
  
If the "log_format" option is not "ENRICHED", or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248733.a" severity="medium" conversionstatus="pass" title="SRG-OS-000057-GPOS-00027" dscresource="nxFileLine">
      <ContainsLine>log_file = /var/log/audit/audit.log</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
  
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 8 activity.
 
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*log_file\s*=\s*/var/log/audit/audit.log</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/audit/audit.log</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the audit logs are owned by "root".
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
If the audit log is not owned by "root", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248733.b" severity="medium" conversionstatus="pass" title="SRG-OS-000057-GPOS-00027" dscresource="nxFileLine">
      <ContainsLine>Using the location of the audit log file, determine if the audit log is owned by "root" using the following command:</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
  
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 8 activity.
 
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*Using\s*the\s*location\s*of\s*the\s*audit\s*log\s*file,\s*determine\s*if\s*the\s*audit\s*log\s*is\s*owned\s*by\s*"root"\s*using\s*the\s*following\s*command:</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/auditd.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the audit logs are owned by "root".
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
Using the location of the audit log file, determine if the audit log is owned by "root" using the following command:
If the audit log is not owned by "root", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248733.c" severity="medium" conversionstatus="pass" title="SRG-OS-000057-GPOS-00027" dscresource="nxFileLine">
      <ContainsLine>$ sudo ls -al /var/log/audit/audit.log</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
  
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 8 activity.
 
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*$\s*sudo\s*ls\s*-al\s*/var/log/audit/audit.log</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/audit/audit.log</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the audit logs are owned by "root".
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
$ sudo ls -al /var/log/audit/audit.log
If the audit log is not owned by "root", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248733.d" severity="medium" conversionstatus="pass" title="SRG-OS-000057-GPOS-00027" dscresource="nxFileLine">
      <ContainsLine>rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
  
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 8 activity.
 
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*rw-------\s*2\s*root\s*root\s*23\s*Jun\s*11\s*11:56\s*/var/log/audit/audit.log</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/audit/audit.log</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the audit logs are owned by "root".
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log
If the audit log is not owned by "root", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248740" severity="medium" conversionstatus="pass" title="SRG-OS-000004-GPOS-00004" dscresource="nxFileLine">
      <ContainsLine>-w /etc/shadow -p wa -k identity</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
 
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/etc/shadow\s*-p\s*wa\s*-k\s*identity</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".
  
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
  
$ sudo grep /etc/shadow /etc/audit/audit.rules
  
-w /etc/shadow -p wa -k identity
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248741" severity="medium" conversionstatus="pass" title="SRG-OS-000004-GPOS-00004" dscresource="nxFileLine">
      <ContainsLine>-w /etc/security/opasswd -p wa -k identity</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
 
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/etc/security/opasswd\s*-p\s*wa\s*-k\s*identity</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd".
  
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
  
$ sudo grep /etc/security/opasswd /etc/audit/audit.rules
  
-w /etc/security/opasswd -p wa -k identity
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248742" severity="medium" conversionstatus="pass" title="SRG-OS-000004-GPOS-00004" dscresource="nxFileLine">
      <ContainsLine>-w /etc/passwd -p wa -k identity</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
 
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/etc/passwd\s*-p\s*wa\s*-k\s*identity</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
  
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
  
$ sudo grep /etc/passwd /etc/audit/audit.rules
  
-w /etc/passwd -p wa -k identity
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248743" severity="medium" conversionstatus="pass" title="SRG-OS-000004-GPOS-00004" dscresource="nxFileLine">
      <ContainsLine>-w /etc/gshadow -p wa -k identity</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
 
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/etc/gshadow\s*-p\s*wa\s*-k\s*identity</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
  
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
  
$ sudo grep /etc/gshadow /etc/audit/audit.rules
  
-w /etc/gshadow -p wa -k identity
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248744" severity="medium" conversionstatus="pass" title="SRG-OS-000004-GPOS-00004" dscresource="nxFileLine">
      <ContainsLine>-w /etc/group -p wa -k identity</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
 
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/etc/group\s*-p\s*wa\s*-k\s*identity</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
  
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
  
$ sudo grep /etc/group /etc/audit/audit.rules
  
-w /etc/group -p wa -k identity
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248745" severity="medium" conversionstatus="pass" title="SRG-OS-000004-GPOS-00004" dscresource="nxFileLine">
      <ContainsLine>-w /etc/sudoers -p wa -k identity</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
 
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/etc/sudoers\s*-p\s*wa\s*-k\s*identity</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
 
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
 
$ sudo grep /etc/sudoers /etc/audit/audit.rules
 
-w /etc/sudoers -p wa -k identity
 
If the command does not return a line, or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248746" severity="medium" conversionstatus="pass" title="SRG-OS-000004-GPOS-00004" dscresource="nxFileLine">
      <ContainsLine>-w /etc/sudoers.d/ -p wa -k identity</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
 
Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/etc/sudoers.d/\s*-p\s*wa\s*-k\s*identity</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".
 
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
 
$ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules
 
-w /etc/sudoers.d/ -p wa -k identity
 
If the command does not return a line, or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248747" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/su -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "su" command allows a user to run commands with a substitute user and group ID.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-priv_change</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates audit records for any use of the "su" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -iw /usr/bin/su /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/su -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248748.a" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
"Setxattr" is a system call used to set an extended attribute value on the file named by a path.
"Fsetxattr" is a system call used to set an extended attribute value on an open file descriptor.
"Lsetxattr" is a system call used to set an extended attribute value on a symbolic link itself, rather than on the file it points to.
"Removexattr" is a system call that removes an extended attribute from the file named by a path.
"Fremovexattr" is a system call that removes an extended attribute from an open file descriptor.
"Lremovexattr" is a system call that removes an extended attribute from a symbolic link itself, rather than from the file it points to.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system make. Therefore, it is very important to only use syscall rules when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_mod</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify if OL 8 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by running the following command:

$ sudo grep xattr /etc/audit/audit.rules

-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod

If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" or any of the lines returned are commented out, this is a finding.

Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248748.b" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
"Setxattr" is a system call used to set an extended attribute value on the file named by a path.
"Fsetxattr" is a system call used to set an extended attribute value on an open file descriptor.
"Lsetxattr" is a system call used to set an extended attribute value on a symbolic link itself, rather than on the file it points to.
"Removexattr" is a system call that removes an extended attribute from the file named by a path.
"Fremovexattr" is a system call that removes an extended attribute from an open file descriptor.
"Lremovexattr" is a system call that removes an extended attribute from a symbolic link itself, rather than from the file it points to.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system make. Therefore, it is very important to only use syscall rules when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_mod</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify if OL 8 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by running the following command:

$ sudo grep xattr /etc/audit/audit.rules

-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod

If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" or any of the lines returned are commented out, this is a finding.

Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248748.c" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
"Setxattr" is a system call used to set an extended attribute value on the file named by a path.
"Fsetxattr" is a system call used to set an extended attribute value on an open file descriptor.
"Lsetxattr" is a system call used to set an extended attribute value on a symbolic link itself, rather than on the file it points to.
"Removexattr" is a system call that removes an extended attribute from the file named by a path.
"Fremovexattr" is a system call that removes an extended attribute from an open file descriptor.
"Lremovexattr" is a system call that removes an extended attribute from a symbolic link itself, rather than from the file it points to.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system make. Therefore, it is very important to only use syscall rules when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid\s*=\s*0\s*-k\s*perm_mod</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify if OL 8 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by running the following command:

$ sudo grep xattr /etc/audit/audit.rules

-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod

If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" or any of the lines returned are commented out, this is a finding.

Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248748.d" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
"Setxattr" is a system call used to set an extended attribute value on the file named by a path.
"Fsetxattr" is a system call used to set an extended attribute value on an open file descriptor.
"Lsetxattr" is a system call used to set an extended attribute value on a symbolic link itself, rather than on the file it points to.
"Removexattr" is a system call that removes an extended attribute from the file named by a path.
"Fremovexattr" is a system call that removes an extended attribute from an open file descriptor.
"Lremovexattr" is a system call that removes an extended attribute from a symbolic link itself, rather than from the file it points to.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system make. Therefore, it is very important to only use syscall rules when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid\s*=\s*0\s*-k\s*perm_mod</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify if OL 8 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by running the following command:

$ sudo grep xattr /etc/audit/audit.rules

-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod

If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" or any of the lines returned are commented out, this is a finding.

Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248753" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/chage -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-chage</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chage" command is used to change or view user password expiry information.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-chage</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "chage" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w chage /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-chage
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248754" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chcon" command is used to change the SELinux security context of a file.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "chcon" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w chcon /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_chng
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248756" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-ssh</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-agent" program holds the private keys used for public key authentication.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-ssh</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "ssh-agent" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep ssh-agent /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248757" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-passwd</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "passwd" command is used to change passwords for user accounts.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-passwd</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "passwd" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w passwd /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248758" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/mount -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-mount</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-mount</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "mount" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w /usr/bin/mount /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-mount
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248759" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/umount -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-mount</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-mount</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "umount" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w /usr/bin/umount /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-mount
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248760.a" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*mount\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-mount</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "mount" syscall by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w mount /etc/audit/audit.rules
  
-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248760.b" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" command is used to mount a filesystem.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*mount\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-mount</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "mount" syscall by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w mount /etc/audit/audit.rules
  
-a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248761" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
  
At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. "Unix_update" is a helper program for the "pam_unix" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation in that event.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-unix-update</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "unix_update" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w "unix_update" /etc/audit/audit.rules
  
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248762" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
 
At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postdrop" command creates a file in the maildrop directory and copies its standard input to the file.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/postdrop\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-unix-update</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "postdrop" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w "postdrop" /etc/audit/audit.rules
  
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248763" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
 
At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "postqueue" command implements the Postfix user interface for queue management.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/postqueue\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-unix-update</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "postqueue" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w "postqueue" /etc/audit/audit.rules
  
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix-update
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248769" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-ssh</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "ssh-keysign" program is an SSH helper program for host-based authentication.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/libexec/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-ssh</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of "ssh-keysign" by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep ssh-keysign /etc/audit/audit.rules
  
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248770" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "setfacl" command is used to set file access control lists.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "setfacl" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w setfacl /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_chng
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248771" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-pam_timestamp_check</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "pam_timestamp_check" command is used to check if the default timestamp is valid.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-pam_timestamp_check</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "pam_timestamp_check" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w pam_timestamp_check /etc/audit/audit.rules
  
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-pam_timestamp_check
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248772" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid&gt;=1000 -F auid!=unset -k priv_cmd</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "newgrp" command is used to change the current group ID during a login session.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*priv_cmd</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "newgrp" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w newgrp /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid&gt;=1000 -F auid!=unset -k priv_cmd
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248773.a" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S init_module,finit_module -F auid&gt;=1000 -F auid!=unset -k module_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system make. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*init_module,finit_module\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*module_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "init_module" and "finit_module" system calls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep init_module /etc/audit/audit.rules
-a always,exit -F arch=b32 -S init_module,finit_module -F auid&gt;=1000 -F auid!=unset -k module_chng
If the command does not return an audit rule for "init_module" and "finit_module" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248773.b" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S init_module,finit_module -F auid&gt;=1000 -F auid!=unset -k module_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system make. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*init_module,finit_module\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*module_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "init_module" and "finit_module" system calls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep init_module /etc/audit/audit.rules
-a always,exit -F arch=b64 -S init_module,finit_module -F auid&gt;=1000 -F auid!=unset -k module_chng
If the command does not return an audit rule for "init_module" and "finit_module" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248774.a" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;=1000 -F auid!=unset -k delete</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
The "rmdir" system call removes empty directories.
The "renameat" system call renames a file, moving it between directories, if required.
The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system make. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*rename,unlink,rmdir,renameat,unlinkat\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*delete</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 is configured to generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by running the following command:
$ sudo grep 'rename\|unlink\|rmdir' /etc/audit/audit.rules
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat" and "unlinkat" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248774.b" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;=1000 -F auid!=unset -k delete</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.
The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.
The "rmdir" system call removes empty directories.
The "renameat" system call renames a file, moving it between directories, if required.
The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system make. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*rename,unlink,rmdir,renameat,unlinkat\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*delete</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 is configured to generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by running the following command:
$ sudo grep 'rename\|unlink\|rmdir' /etc/audit/audit.rules
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat" and "unlinkat" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248779" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-gpasswd</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "gpasswd" command is used to administer "/etc/group" and "/etc/gshadow". Every group can have administrators, members, and a password.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-gpasswd</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "gpasswd" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w gpasswd /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-gpasswd
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248781.a" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S delete_module -F auid&gt;=1000 -F auid!=unset -k module_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*delete_module\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*module_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "delete_module" syscall by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep -w "delete_module" /etc/audit/audit.rules
-a always,exit -F arch=b32 -S delete_module -F auid&gt;=1000 -F auid!=unset -k module_chng
If the command does not return a line or the line is commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248781.b" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S delete_module -F auid&gt;=1000 -F auid!=unset -k module_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "delete_module" command is used to unload a kernel module.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*delete_module\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*module_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "delete_module" syscall by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep -w "delete_module" /etc/audit/audit.rules
-a always,exit -F arch=b64 -S delete_module -F auid&gt;=1000 -F auid!=unset -k module_chng
If the command does not return a line or the line is commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248782" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-crontab</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "crontab" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-crontab</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "crontab" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w crontab /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-crontab
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248783" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid&gt;=1000 -F auid!=unset -k priv_cmd</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chsh" command is used to change the login shell.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*priv_cmd</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "chsh" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w chsh /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid&gt;=1000 -F auid!=unset -k priv_cmd
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248784.a" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k perm_access</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
The "creat" system call is used to open and possibly create a file or device.
The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
The "openat" system call opens a file specified by a relative pathname.
The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of openat into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts every syscall made by every program on the system. Therefore, it is very important to only use syscall rules when absolutely necessary, since they affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*truncate,ftruncate,creat,open,openat,open_by_handle_at\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_access</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep 'open\|truncate\|creat' /etc/audit/audit.rules
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k perm_access
If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
If the output does not produce rules containing "-F exit=-EACCES", this is a finding.
If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248784.b" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k perm_access</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
The "creat" system call is used to open and possibly create a file or device.
The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
The "openat" system call opens a file specified by a relative pathname.
The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of openat into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts every syscall made by every program on the system. Therefore, it is very important to only use syscall rules when absolutely necessary, since they affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*truncate,ftruncate,creat,open,openat,open_by_handle_at\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_access</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep 'open\|truncate\|creat' /etc/audit/audit.rules
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k perm_access
If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
If the output does not produce rules containing "-F exit=-EACCES", this is a finding.
If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248784.c" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k perm_access</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
The "creat" system call is used to open and possibly create a file or device.
The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
The "openat" system call opens a file specified by a relative pathname.
The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of openat into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts every syscall made by every program on the system. Therefore, it is very important to only use syscall rules when absolutely necessary, since they affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*truncate,ftruncate,creat,open,openat,open_by_handle_at\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_access</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep 'open\|truncate\|creat' /etc/audit/audit.rules
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k perm_access
If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
If the output does not produce rules containing "-F exit=-EACCES", this is a finding.
If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248784.d" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k perm_access</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length.
The "creat" system call is used to open and possibly create a file or device.
The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open".
The "openat" system call opens a file specified by a relative pathname.
The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of openat into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts every syscall made by every program on the system. Therefore, it is very important to only use syscall rules when absolutely necessary, since they affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*truncate,ftruncate,creat,open,openat,open_by_handle_at\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_access</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep 'open\|truncate\|creat' /etc/audit/audit.rules
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k perm_access
If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
If the output does not produce rules containing "-F exit=-EACCES", this is a finding.
If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248790.a" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid&gt;=1000 -F auid!=unset -k perm_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The "chown" system call is used to change the owner and group of the file specified by a path.
The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor.
The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor.
The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts every syscall made by every program on the system. Therefore, it is very important to only use syscall rules when absolutely necessary, since they affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "chown", "fchown", "fchownat", and "lchown" system calls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep chown /etc/audit/audit.rules
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid&gt;=1000 -F auid!=unset -k perm_chng
If audit rules are not defined for "chown", "fchown", "fchownat", and "lchown" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248790.b" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid&gt;=1000 -F auid!=unset -k perm_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The "chown" system call is used to change the owner and group of the file specified by a path.
The "fchown" system call is used to change the ownership of a file referred to by the open file descriptor.
The "fchownat" system call is used to change ownership of a file relative to a directory file descriptor.
The "lchown" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts every syscall made by every program on the system. Therefore, it is very important to only use syscall rules when absolutely necessary, since they affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "chown", "fchown", "fchownat", and "lchown" system calls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep chown /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid&gt;=1000 -F auid!=unset -k perm_chng
If audit rules are not defined for "chown", "fchown", "fchownat", and "lchown" or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248791.a" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits (permissions) of the file specified by a path to the given mode.
The "fchmod" system call is used to change permissions of a file.
The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts every syscall made by every program on the system. Therefore, it is very important to only use syscall rules when absolutely necessary, since they affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "chmod", "fchmod", and "fchmodat" syscalls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep chmod /etc/audit/audit.rules
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_chng
If the command does not return an audit rule for "chmod", "fchmod", and "fchmodat", or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248791.b" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits (permissions) of the file specified by a path to the given mode.
The "fchmod" system call is used to change permissions of a file.
The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor.
 
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
The system call rules are loaded into a matching engine that intercepts every syscall made by every program on the system. Therefore, it is very important to only use syscall rules when absolutely necessary, since they affect performance. The more rules, the bigger the performance hit. Performance can be helped, though, by combining syscalls into one rule whenever possible.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "chmod", "fchmod", and "fchmodat" syscalls by running the following command to check the file system rules in "/etc/audit/audit.rules":
$ sudo grep chmod /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_chng
If the command does not return an audit rule for "chmod", "fchmod", and "fchmodat", or any of the lines returned are commented out, this is a finding.
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.
</RawString>
    </Rule>
    <Rule id="V-248797" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid&gt;=1000 -F auid!=unset -k priv_cmd</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "sudo" command allows a permitted user to execute a command as the superuser or another user as specified by the security policy.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*priv_cmd</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "sudo" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w sudo /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid&gt;=1000 -F auid!=unset -k priv_cmd
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248798" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-usermod</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "usermod" command modifies the system account files to reflect the changes that are specified on the command line.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*privileged-usermod</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit event for any use of the "usermod" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w usermod /etc/audit/audit.rules
  
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-usermod
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248799" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_chng</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory.
  
When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid&gt;\s*=\s*1000\s*-F\s*auid!\s*=\s*unset\s*-k\s*perm_chng</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any use of the "chacl" command by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w chacl /etc/audit/audit.rules
  
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid&gt;=1000 -F auid!=unset -k perm_chng
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248800" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-w /usr/bin/kmod -p x -k modules</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter). The "kmod" command is used to control Linux Kernel modules.
  
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
  
DoD has defined the list of events for which OL 8 will provide an audit record generation capability as the following:
  
1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
  
2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
  
3) All account creations, modifications, disabling, and terminations; and
  
4) All kernel module load, unload, and restart actions.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/usr/bin/kmod\s*-p\s*x\s*-k\s*modules</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 is configured to audit the execution of the module management program "kmod" by running the following command:
  
$ sudo grep "/usr/bin/kmod" /etc/audit/audit.rules
  
-w /usr/bin/kmod -p x -k modules
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
    <Rule id="V-248802" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>-w /var/log/lastlog -p wa -k logins</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
  
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
  
DoD has defined the list of events for which OL 8 will provide an audit record generation capability as the following:
  
1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
  
2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
  
3) All account creations, modifications, disabling, and terminations; and
  
4) All kernel module load, unload, and restart actions.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*-w\s*/var/log/lastlog\s*-p\s*wa\s*-k\s*logins</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/rules.d/audit.rules</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 generates an audit record for any attempted modifications to the "lastlog" file by running the following command to check the file system rules in "/etc/audit/audit.rules":
  
$ sudo grep -w lastlog /etc/audit/audit.rules
  
-w /var/log/lastlog -p wa -k logins
  
If the command does not return a line or the line is commented out, this is a finding.
  
Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.</RawString>
    </Rule>
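Added example, not part of the STIG or of PowerSTIG: a POSIX shell check covering the audit rule requirements above (V-248797 through V-248802). It accepts any "-k" key and ignores commented-out lines, as the check notes allow, and recognises both the syscall-style ("-a always,exit ... -F path=... -F perm=x") and watch-style ("-w ... -p x") rules. The sample rules file, its site-specific key and the function names are this example's own constructions.

```shell
#!/bin/sh
# Added example (not STIG or PowerSTIG code): verify auditd execution rules for
# privileged programs the way the check text allows, i.e. any "-k" key is
# accepted and commented-out rules do not count. Both rule styles are handled:
#   -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
#   -w /usr/bin/kmod -p x -k modules

# has_exec_rule FILE PROGRAM
# Returns 0 if FILE holds an uncommented rule that audits execution of PROGRAM.
has_exec_rule() {
    _file=$1
    _prog=$2
    # Effective rules: leading whitespace removed, comment lines dropped.
    _rules=$(sed 's/^[[:space:]]*//' "$_file" | grep -v '^#')
    # Syscall-style rule: -a always,exit ... -F path=PROGRAM ... -F perm=x ...
    if printf '%s\n' "$_rules" | grep -E '^-a[[:space:]]+always,exit' \
            | grep -E -e "-F[[:space:]]+path=$_prog([[:space:]]|\$)" \
            | grep -E -e '-F[[:space:]]+perm=[a-z]*x' > /dev/null; then
        return 0
    fi
    # Watch-style rule: -w PROGRAM -p x ...  ("-p wa" on a log file is not an execution rule)
    printf '%s\n' "$_rules" | grep -E -e "^-w[[:space:]]+$_prog[[:space:]]+-p[[:space:]]+[a-z]*x" > /dev/null
}

# audit_rule_findings FILE PROGRAM...
# Prints one line per program; returns the number of programs with no rule.
audit_rule_findings() {
    _f=$1
    shift
    _missing=0
    for _p in "$@"; do
        if has_exec_rule "$_f" "$_p"; then
            printf 'ok       %s\n' "$_p"
        else
            printf 'FINDING  %s has no uncommented execution audit rule\n' "$_p"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# Constructed sample rules file (hypothetical content, not from a real host):
# sudo is audited under a site-specific key, usermod is commented out, chacl is
# absent, kmod is watched, and lastlog has a write/attribute watch only.
make_sample_rules() {
    _s=$(mktemp)
    printf '%s\n' \
        '# constructed sample /etc/audit/rules.d/audit.rules' \
        '-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k site_priv' \
        '   # -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod' \
        '-w /usr/bin/kmod -p x -k modules' \
        '-w /var/log/lastlog -p wa -k logins' > "$_s"
    printf '%s\n' "$_s"
}

# Usage: sh audit_rule_check.sh demo   (or point audit_rule_findings at the real
# /etc/audit/audit.rules and /etc/audit/rules.d/*.rules files)
if [ "${1-}" = demo ]; then
    _sample=$(make_sample_rules)
    audit_rule_findings "$_sample" /usr/bin/sudo /usr/sbin/usermod /usr/bin/chacl /usr/bin/kmod
    rm -f "$_sample"
fi
```

The STIG check text greps the compiled /etc/audit/audit.rules, while the PowerSTIG entries above enforce /etc/audit/rules.d/audit.rules; augenrules regenerates the former from the latter, so a practitioner should run the check against both and also confirm the loaded ruleset with "auditctl -l" after a reload.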
    <Rule id="V-248803" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>GRUB_CMDLINE_LINUX="audit=1"</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
  
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
  
DoD has defined the list of events for which OL 8 will provide an audit record generation capability as the following:
  
1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
  
2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;
  
3) All account creations, modifications, disabling, and terminations; and
  
4) All kernel module load, unload, and restart actions.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*GRUB_CMDLINE_LINUX\s*=\s*"audit\s*=\s*1"</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/default/grub</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 enables auditing of processes that start prior to the audit daemon with the following commands:
 
$ sudo grub2-editenv list | grep audit
 
kernelopts=root=/dev/mapper/ol-root ro crashkernel=auto resume=/dev/mapper/ol-swap rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82
 
If the "audit" entry does not equal "1", is missing, or the line is commented out, this is a finding.
 
Check that auditing is enabled by default to persist in kernel updates:
 
$ sudo grep audit /etc/default/grub
 
GRUB_CMDLINE_LINUX="audit=1"
 
If "audit" is not set to "1", is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248804" severity="low" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="nxFileLine">
      <ContainsLine>GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).
  
Allocating an "audit_backlog_limit" of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes.
 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*GRUB_CMDLINE_LINUX\s*=\s*"audit_backlog_limit\s*=\s*8192"</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/default/grub</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 allocates a sufficient "audit_backlog_limit" to capture processes that start prior to the audit daemon with the following commands:
  
$ sudo grub2-editenv list | grep audit
  
kernelopts=root=/dev/mapper/ol-root ro crashkernel=auto resume=/dev/mapper/ol-swap rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82
  
If the "audit_backlog_limit" entry does not equal "8192" or larger, is missing, or the line is commented out, this is a finding.
  
Verify "audit_backlog_limit" is set to persist in kernel updates:
  
$ sudo grep audit /etc/default/grub
  
GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"
  
If "audit_backlog_limit" is not set to "8192" or larger or is missing or commented out, this is a finding.</RawString>
    </Rule>
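Added example, not part of the STIG or of PowerSTIG: a POSIX shell check for the two boot-time audit parameters above (V-248803 and V-248804). Rather than matching the literal line GRUB_CMDLINE_LINUX="audit=1", it parses the kernel command line from either saved "grub2-editenv list" output or /etc/default/grub, accepts the options anywhere on the line, and treats any audit_backlog_limit of 8192 or larger as compliant, as the check text states. The sample files are constructed here and modelled on the check output above; function names are this example's own.

```shell
#!/bin/sh
# Added example (not STIG or PowerSTIG code): check the kernel command line for
# audit=1 and an audit_backlog_limit of at least 8192, reading either saved
# "grub2-editenv list" output or /etc/default/grub.

# cmdline_param CMDLINE NAME -> prints the value of NAME=value, empty if absent
# (the last occurrence on the line is taken)
cmdline_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E "^$2=" | tail -n 1 | sed "s/^$2=//"
}

# grub_default_cmdline FILE -> value of the last uncommented GRUB_CMDLINE_LINUX line
grub_default_cmdline() {
    grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/^"//' -e 's/"$//'
}

# grubenv_cmdline FILE -> the kernelopts value from saved "grub2-editenv list" output
grubenv_cmdline() {
    grep -E '^kernelopts=' "$1" | tail -n 1 | sed 's/^kernelopts=//'
}

# audit_boot_findings CMDLINE -> prints findings, returns their count (0 = compliant)
audit_boot_findings() {
    _n=0
    _audit=$(cmdline_param "$1" audit)
    if [ "$_audit" != 1 ]; then
        printf 'FINDING  audit=%s (expected audit=1)\n' "${_audit:-missing}"
        _n=$((_n + 1))
    fi
    _limit=$(cmdline_param "$1" audit_backlog_limit)
    case $_limit in
        ''|*[!0-9]*)
            printf 'FINDING  audit_backlog_limit=%s is missing or not numeric\n' "${_limit:-missing}"
            _n=$((_n + 1)) ;;
        *)
            if [ "$_limit" -lt 8192 ]; then
                printf 'FINDING  audit_backlog_limit=%s is below 8192\n' "$_limit"
                _n=$((_n + 1))
            fi ;;
    esac
    return "$_n"
}

# Constructed samples (hypothetical, modelled on the check output in the rule text).
make_sample_grub_default() {
    _g=$(mktemp)
    printf '%s\n' \
        '# constructed sample /etc/default/grub' \
        'GRUB_TIMEOUT=5' \
        '#GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192"' \
        'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet audit=1 audit_backlog_limit=4096"' > "$_g"
    printf '%s\n' "$_g"
}
make_sample_grubenv() {
    _e=$(mktemp)
    printf '%s\n' \
        'boot_success=0' \
        'kernelopts=root=/dev/mapper/ol-root ro crashkernel=auto rhgb quiet fips=1 audit=1 audit_backlog_limit=8192' > "$_e"
    printf '%s\n' "$_e"
}

# Usage: sh audit_boot_check.sh demo
# On a live host: grub2-editenv list > /tmp/grubenv; audit_boot_findings "$(grubenv_cmdline /tmp/grubenv)"
if [ "${1-}" = demo ]; then
    _d=$(make_sample_grub_default)
    _v=$(make_sample_grubenv)
    audit_boot_findings "$(grubenv_cmdline "$_v")"
    audit_boot_findings "$(grub_default_cmdline "$_d")"
    rm -f "$_d" "$_v"
fi
```

Both sources matter: the grubenv kernelopts value is what the running kernel actually booted with, while /etc/default/grub is the template that survives kernel updates, so a host can pass one and fail the other.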
    <Rule id="V-248805" severity="medium" conversionstatus="pass" title="SRG-OS-000471-GPOS-00215" dscresource="nxFileLine">
      <ContainsLine>AuditBackend=LinuxAudit</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
  
Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*AuditBackend\s*=\s*LinuxAudit</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/usbguard/usbguard-daemon.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 enables Linux audit logging of the USBGuard daemon with the following commands.
  
Note: If the USBGuard daemon is not installed and enabled, this requirement is not applicable.
  
$ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf
  
AuditBackend=LinuxAudit
  
If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248815" severity="medium" conversionstatus="pass" title="SRG-OS-000342-GPOS-00133" dscresource="nxFileLine">
      <ContainsLine>overflow_action = syslog</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
  
Offloading is a common process in information systems with limited audit storage capacity.
  
OL 8 installation media provides "rsyslogd". This is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols) provides a method to securely encrypt and offload auditing.
 
Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>^#\s*overflow_action.*$|^overflow_action\s*=\s*(?!syslog$)\w*$</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/audit/auditd.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the audit system is configured to take an appropriate action when the internal event queue is full:
  
$ sudo grep -i overflow_action /etc/audit/auditd.conf
  
overflow_action = syslog
  
If the value of the "overflow_action" option is not set to "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are offloaded to a different system or media.
  
If there is no evidence that the transfer of the audit logs being offloaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248816" severity="medium" conversionstatus="pass" title="SRG-OS-000342-GPOS-00133" dscresource="nxFileLine">
      <ContainsLine>$ActionSendStreamDriverMode 1</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
  
Offloading is a common process in information systems with limited audit storage capacity.
  
OL 8 installation media provides "rsyslogd". This is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Coupling this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS, and DTLS protocols) provides a method to securely encrypt and offload auditing.
 
Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*\$ActionSendStreamDriverMode\s*1</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/rsyslog.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system encrypts audit records offloaded onto a different system or media from the system being audited with the following commands:
  
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
  
/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
  
If the value of the "$DefaultNetstreamDriver" option is not set to "gtls" or the line is commented out, this is a finding.
  
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
  
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
  
If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding.
  
If neither of the definitions above is set, ask the System Administrator to indicate how the audit logs are offloaded to a different system or media.
  
If there is no evidence that the transfer of the audit logs being offloaded to another system or media is encrypted, this is a finding.</RawString>
    </Rule>
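Added example, not part of the STIG or of PowerSTIG: a POSIX shell check for the two offloading requirements above (V-248815 and V-248816). It accepts the three overflow_action values the check text allows (the PowerSTIG pattern above only accepts "syslog"), compares case-insensitively as the "grep -i" in the check implies, ignores commented lines, and takes the last occurrence of each rsyslog directive across /etc/rsyslog.conf and /etc/rsyslog.d/*.conf. The sample files, the log host name and the function names are this example's own constructions.

```shell
#!/bin/sh
# Added example (not STIG or PowerSTIG code): evaluate auditd's overflow_action
# and rsyslog's legacy TLS offload directives.

# auditd_overflow_ok FILE -> 0 if overflow_action is syslog, single or halt
auditd_overflow_ok() {
    _v=$(grep -i -E '^[[:space:]]*overflow_action[[:space:]]*=' "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' | tr 'A-Z' 'a-z')
    case $_v in
        syslog|single|halt) return 0 ;;
    esac
    printf 'FINDING  overflow_action=%s (expected syslog, single or halt)\n' "${_v:-missing}"
    return 1
}

# rsyslog_tls_findings FILE... -> prints findings, returns their count (0 = compliant)
# Pass /etc/rsyslog.conf and /etc/rsyslog.d/*.conf; the last uncommented
# occurrence of each directive across the files is taken.
rsyslog_tls_findings() {
    _n=0
    _all=$(cat "$@" 2>/dev/null | sed 's/^[[:space:]]*//' | grep -v '^#')
    _drv=$(printf '%s\n' "$_all" | grep -i -E '^\$DefaultNetstreamDriver[[:space:]]' | tail -n 1 | awk '{print $2}')
    if [ "$_drv" != gtls ]; then
        printf 'FINDING  $DefaultNetstreamDriver is %s (expected gtls)\n' "${_drv:-missing}"
        _n=$((_n + 1))
    fi
    _mode=$(printf '%s\n' "$_all" | grep -i -E '^\$ActionSendStreamDriverMode[[:space:]]' | tail -n 1 | awk '{print $2}')
    if [ "$_mode" != 1 ]; then
        printf 'FINDING  $ActionSendStreamDriverMode is %s (expected 1)\n' "${_mode:-missing}"
        _n=$((_n + 1))
    fi
    return "$_n"
}

# Constructed samples (hypothetical): overflow_action in upper case, the TLS
# driver selected in the main file, the driver mode commented out in a drop-in.
make_sample_auditd_conf() {
    _a=$(mktemp)
    printf '%s\n' 'log_file = /var/log/audit/audit.log' 'overflow_action = SYSLOG' > "$_a"
    printf '%s\n' "$_a"
}
make_sample_rsyslog_dir() {
    _r=$(mktemp -d)
    mkdir -p "$_r/rsyslog.d"
    printf '%s\n' \
        '# constructed sample rsyslog.conf' \
        '$DefaultNetstreamDriver gtls' \
        '*.* @@logs.example.mil:6514' > "$_r/rsyslog.conf"
    printf '%s\n' \
        '#$ActionSendStreamDriverMode 1' \
        '$ActionSendStreamDriverAuthMode x509/name' > "$_r/rsyslog.d/50-tls.conf"
    printf '%s\n' "$_r"
}

# Usage: sh offload_check.sh demo
if [ "${1-}" = demo ]; then
    _ac=$(make_sample_auditd_conf)
    _rd=$(make_sample_rsyslog_dir)
    auditd_overflow_ok "$_ac"
    rsyslog_tls_findings "$_rd/rsyslog.conf" "$_rd"/rsyslog.d/*.conf
    rm -rf "$_ac" "$_rd"
fi
```

Both the check text and this script only recognise rsyslog's legacy "$Directive" syntax; a configuration written in RainerScript, with global(DefaultNetstreamDriver="gtls") and action(type="omfwd" StreamDriverMode="1" ...), offloads over TLS just as well but is invisible to this grep and must be reviewed by hand.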
    <Rule id="V-248820" severity="medium" conversionstatus="pass" title="SRG-OS-000355-GPOS-00143" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
  
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
  
Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
  
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
  
Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
  
OL 8 uses the "timedatectl" command to view the status of the "systemd-timesyncd.service". The "timedatectl" status will display the local time, UTC, and the offset from UTC.
  
Note that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.
 
Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/chrony.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "maxpoll" option is set to a number greater than "16" or the line is commented out, this is a finding." </OrganizationValueTestString>
      <RawString>Verify OL 8 is comparing internal information system clocks at least every 24 hours with an NTP server with the following command:
  
$ sudo grep maxpoll /etc/chrony.conf
  
server [ntp.server.name] iburst maxpoll 16
  
If the "maxpoll" option is set to a number greater than "16" or the line is commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248821" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>port 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
  
Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
  
Note that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*port\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/chrony.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.
 
Verify OL 8 disables the chrony daemon from acting as a server with the following command:
  
     $ sudo grep -w 'port' /etc/chrony.conf
     port 0
  
If the "port" option is not set to "0" or is commented out or missing, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248822" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>cmdport 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
  
Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
  
Note that USNO offers authenticated NTP service to DOD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/DOD-customers for more information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*cmdport\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/chrony.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable.
 
Verify OL 8 disables network management of the chrony daemon with the following command:
  
     $ sudo grep -w 'cmdport' /etc/chrony.conf
     cmdport 0
  
If the "cmdport" option is not set to "0" or is commented out or missing, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248826" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>GRUB_CMDLINE_LINUX="pti=on"</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
 
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
 
Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.
 
Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
 
Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*GRUB_CMDLINE_LINUX\s*=\s*"pti\s*=\s*on"</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/default/grub</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 enables kernel page-table isolation with the following commands:
 
$ sudo grub2-editenv list | grep pti
 
kernelopts=root=/dev/mapper/ol-root ro crashkernel=auto resume=/dev/mapper/ol-swap rd.lvm.lv=ol/root rd.lvm.lv=ol/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 pti=on boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82
 
If the "pti" entry does not equal "on", is missing, or the line is commented out, this is a finding.
 
Check that kernel page-table isolation is enabled by default to persist in kernel updates:
 
$ sudo grep pti /etc/default/grub
 
GRUB_CMDLINE_LINUX="pti=on"
 
If "pti" is not set to "on", is missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248828.a" severity="medium" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>install uvcvideo /bin/false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
  
Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*install\s*uvcvideo\s*/bin/false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the device or operating system does not have a camera installed, this requirement is not applicable.
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.
For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.
For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use.
If the built-in camera is not protected with a camera cover or is not physically disabled, this is a finding.
If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:
Verify the operating system disables the ability to load the uvcvideo kernel module.
$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/false"
install uvcvideo /bin/false
If the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.
Verify the camera is disabled via blacklist with the following command:
If the command does not return any output or the output is not "blacklist uvcvideo", and the collaborative computing device has not been authorized for use, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248828.b" severity="medium" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>blacklist uvcvideo</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
  
Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*blacklist\s*uvcvideo</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the device or operating system does not have a camera installed, this requirement is not applicable.
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.
For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.
For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use.
If the built-in camera is not protected with a camera cover or is not physically disabled, this is a finding.
If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:
Verify the operating system disables the ability to load the uvcvideo kernel module.
$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"
blacklist uvcvideo
If the command does not return any output or the output is not "blacklist uvcvideo", and the collaborative computing device has not been authorized for use, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248829.a" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>install atm /bin/false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The ATM is a transport layer protocol designed for digital transmission of multiple types of traffic, including telephony (voice), data, and video signals, in one network without the use of separate overlay networks. Disabling ATM protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*install\s*atm\s*/bin/false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the "atm" kernel module.
$ sudo grep -r atm /etc/modprobe.d/* | grep -i "/bin/false" | grep -v "^#"
install atm /bin/false
If the command does not return any output or the line is commented out, and use of ATM is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Verify the operating system disables the ability to use ATM with the following command:
If the command does not return any output or the output is not "blacklist atm", and use of ATM is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248829.b" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>blacklist atm</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The ATM is a transport layer protocol designed for digital transmission of multiple types of traffic, including telephony (voice), data, and video signals, in one network without the use of separate overlay networks. Disabling ATM protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*blacklist\s*atm</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the "atm" kernel module.
$ sudo grep atm /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
blacklist atm
If the command does not return any output or the output is not "blacklist atm", and use of ATM is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248830.a" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>install can /bin/false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The CAN protocol is a robust vehicle bus standard designed to allow microcontrollers and devices to communicate with each other's applications without a host computer. Disabling CAN protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*install\s*can\s*/bin/false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the "can" kernel module.
$ sudo grep -r can /etc/modprobe.d/* | grep -i "/bin/false" | grep -v "^#"
install can /bin/false
If the command does not return any output or the line is commented out, and use of "can" is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Verify the operating system disables the ability to use CAN with the following command:
If the command does not return any output or the output is not "blacklist can", and use of CAN is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248830.b" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>blacklist can</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The CAN protocol is a robust vehicle bus standard designed to allow microcontrollers and devices to communicate with each other's applications without a host computer. Disabling CAN protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*blacklist\s*can</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the "can" kernel module.
$ sudo grep can /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
blacklist can
If the command does not return any output or the output is not "blacklist can", and use of CAN is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248831.a" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>install sctp /bin/false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*install\s*sctp\s*/bin/false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the "sctp" kernel module.
$ sudo grep -r sctp /etc/modprobe.d/* | grep -i "/bin/false" | grep -v "^#"
install sctp /bin/false
If the command does not return any output or the line is commented out, and use of SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Verify the operating system disables the ability to use SCTP with the following command:
If the command does not return any output or the output is not "blacklist sctp", and use of SCTP is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248831.b" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>blacklist sctp</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The SCTP is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*blacklist\s*sctp</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the "sctp" kernel module.
$ sudo grep sctp /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
blacklist sctp
If the command does not return any output or the output is not "blacklist sctp", and use of SCTP is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248832.a" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>install tipc /bin/false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
 
Failing to disconnect unused protocols can result in a system compromise.
 
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*install\s*tipc\s*/bin/false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the TIPC protocol kernel module.
$ sudo grep -r tipc /etc/modprobe.d/* | grep "/bin/false"
install tipc /bin/false
If the command does not return any output, or the line is commented out, and use of the TIPC protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Verify the operating system disables the ability to use the TIPC protocol.
Determine if the TIPC protocol is disabled with the following command:
If the command does not return any output or the output is not "blacklist tipc", and use of the TIPC protocol is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248832.b" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>blacklist tipc</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
 
Failing to disconnect unused protocols can result in a system compromise.
 
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*blacklist\s*tipc</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the TIPC protocol kernel module.
$ sudo grep -r tipc /etc/modprobe.d/* | grep "blacklist"
blacklist tipc
If the command does not return any output or the output is not "blacklist tipc", and use of the TIPC protocol is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248833.a" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>install cramfs /bin/false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
 
Removing support for unneeded filesystem types reduces the local attack surface of the server.
 
Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*install\s*cramfs\s*/bin/false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the cramfs kernel module.
$ sudo grep -ri cramfs /etc/modprobe.d/* | grep -i "/bin/false"
install cramfs /bin/false
If the command does not return any output, or the line is commented out, and use of the cramfs kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Verify the operating system disables the ability to use the cramfs kernel module.
Determine if the cramfs kernel module is disabled with the following command:
If the command does not return any output or the output is not "blacklist cramfs", and use of the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248833.b" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>blacklist cramfs</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
 
Removing support for unneeded filesystem types reduces the local attack surface of the server.
 
Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*blacklist\s*cramfs</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the cramfs kernel module.
$ sudo grep -ri cramfs /etc/modprobe.d/* | grep -i "blacklist"
blacklist cramfs
If the command does not return any output or the output is not "blacklist cramfs", and use of the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248834.a" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>install firewire-core /bin/false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
 
The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*install\s*firewire-core\s*/bin/false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the firewire-core kernel module.
$ sudo grep -ri firewire-core /etc/modprobe.d/* | grep -i "/bin/false"
install firewire-core /bin/false
If the command does not return any output, or the line is commented out, and use of the firewire-core protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Verify the operating system disables the ability to use the firewire-core kernel module.
Determine if the firewire-core kernel module is disabled with the following command:
If the command does not return any output or the output is not "blacklist firewire-core", and use of the firewire-core kernel module is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248834.b" severity="low" conversionstatus="pass" title="SRG-OS-000095-GPOS-00049" dscresource="nxFileLine">
      <ContainsLine>blacklist firewire-core</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
 
The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*blacklist\s*firewire-core</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the firewire-core kernel module.
$ sudo grep -ri firewire-core /etc/modprobe.d/* | grep -i "blacklist"
blacklist firewire-core
If the command does not return any output or the output is not "blacklist firewire-core", and use of the firewire-core kernel module is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248837.a" severity="medium" conversionstatus="pass" title="SRG-OS-000114-GPOS-00059" dscresource="nxFileLine">
      <ContainsLine>install usb-storage /bin/false</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*install\s*usb-storage\s*/bin/false</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the USB Storage kernel module.
$ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/false"
install usb-storage /bin/false
If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.
Determine if USB mass storage is disabled with the following command:
If the command does not return any output or the output is not "blacklist usb-storage" and use of USB storage devices is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248837.b" severity="medium" conversionstatus="pass" title="SRG-OS-000114-GPOS-00059" dscresource="nxFileLine">
      <ContainsLine>/etc/modprobe.d/blacklist.conf:blacklist usb-storage</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/etc/modprobe.d/blacklist.conf:blacklist\s*usb-storage</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d/blacklist.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to load the USB Storage kernel module.
$ sudo grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
/etc/modprobe.d/blacklist.conf:blacklist usb-storage
If the command does not return any output or the output is not "blacklist usb-storage" and use of USB storage devices is not documented with the ISSO as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248843.a" severity="medium" conversionstatus="pass" title="SRG-OS-000300-GPOS-00118" dscresource="nxFileLine">
      <ContainsLine>Verify the operating system disables the ability to use Bluetooth with the following command:</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and read, altered, or used to compromise the OL 8 operating system.
  
This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with OL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice, and pointing devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Although some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that needs to be protected, modification of communications with these wireless peripherals may be used to compromise the OL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
  
Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*Verify\s*the\s*operating\s*system\s*disables\s*the\s*ability\s*to\s*use\s*Bluetooth\s*with\s*the\s*following\s*command:</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/bin/false</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision.
Determine if Bluetooth is disabled with the following command:
$ sudo grep -r bluetooth /etc/modprobe.d
/etc/modprobe.d/bluetooth.conf:install bluetooth /bin/false
If the command does not return any output or the line is commented out and the collaborative computing device has not been authorized for use, this is a finding.
Verify the operating system disables the ability to use Bluetooth with the following command:
If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248843.b" severity="medium" conversionstatus="pass" title="SRG-OS-000300-GPOS-00118" dscresource="nxFileLine">
      <ContainsLine>blacklist bluetooth</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and read, altered, or used to compromise the OL 8 operating system.
  
This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with OL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice, and pointing devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Although some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that needs to be protected, modification of communications with these wireless peripherals may be used to compromise the OL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
  
Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*blacklist\s*bluetooth</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/modprobe.d</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable.
This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision.
Determine if Bluetooth is disabled with the following command:
$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#"
blacklist bluetooth
If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248844" severity="medium" conversionstatus="pass" title="SRG-OS-000368-GPOS-00154" dscresource="nxFileLine">
      <ContainsLine>tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
  
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*tmpfs\s*/dev/shm\s*tmpfs\s*defaults,nodev,nosuid,noexec\s*0\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/dev/shm</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify "/dev/shm" is mounted with the "nodev" option:
  
$ sudo mount | grep /dev/shm
  
tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
  
Verify that the "nodev" option is configured for "/dev/shm":
  
$ sudo cat /etc/fstab | grep /dev/shm
  
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
  
If results are returned and the "nodev" option is missing, or if "/dev/shm" is mounted without the "nodev" option, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248847" severity="medium" conversionstatus="pass" title="SRG-OS-000368-GPOS-00154" dscresource="nxFileLine">
      <ContainsLine>/dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
  
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/dev/mapper/ol-tmp\s*/tmp\s*xfs\s*defaults,nodev,nosuid,noexec\s*0\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/dev/mapper/ol-tmp</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify "/tmp" is mounted with the "nodev" option:
 
$ sudo mount | grep /tmp
 
/dev/mapper/ol-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)
 
Verify that the "nodev" option is configured for /tmp:
 
$ sudo cat /etc/fstab | grep /tmp
 
/dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0
 
If results are returned and the "nodev" option is missing, or if /tmp is mounted without the "nodev" option, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248850" severity="medium" conversionstatus="pass" title="SRG-OS-000368-GPOS-00154" dscresource="nxFileLine">
      <ContainsLine>/dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
  
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/dev/mapper/ol-var_log\s*/var/log\s*xfs\s*defaults,nodev,nosuid,noexec\s*0\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify "/var/log" is mounted with the "nodev" option:
 
$ sudo mount | grep /var/log
 
/dev/mapper/ol-var_log on /var/log type xfs (rw,nodev,nosuid,noexec,seclabel)
 
Verify that the "nodev" option is configured for /var/log:
 
$ sudo cat /etc/fstab | grep /var/log
 
/dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0
 
If results are returned and the "nodev" option is missing, or if /var/log is mounted without the "nodev" option, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248853" severity="medium" conversionstatus="pass" title="SRG-OS-000368-GPOS-00154" dscresource="nxFileLine">
      <ContainsLine>/dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
  
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/dev/mapper/ol-var_log_audit\s*/var/log/audit\s*xfs\s*defaults,nodev,nosuid,noexec\s*0\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/log/audit</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify "/var/log/audit" is mounted with the "nodev" option:
 
$ sudo mount | grep /var/log/audit
 
/dev/mapper/ol-var_log_audit on /var/log/audit type xfs (rw,nodev,nosuid,noexec,seclabel)
 
Verify that the "nodev" option is configured for /var/log/audit:
 
$ sudo cat /etc/fstab | grep /var/log/audit
 
/dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0
 
If results are returned and the "nodev" option is missing, or if /var/log/audit is mounted without the "nodev" option, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248856" severity="medium" conversionstatus="pass" title="SRG-OS-000368-GPOS-00154" dscresource="nxFileLine">
      <ContainsLine>/dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.
  
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
  
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*/dev/mapper/ol-var_tmp\s*/var/tmp\s*xfs\s*defaults,nodev,nosuid,noexec\s*0\s*0</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/tmp</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify "/var/tmp" is mounted with the "nodev" option:
 
$ sudo mount | grep /var/tmp
 
/dev/mapper/ol-var_tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel)
 
Verify that the "nodev" option is configured for /var/tmp:
 
$ sudo cat /etc/fstab | grep /var/tmp
 
/dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0
 
If results are returned and the "nodev" option is missing, or if /var/tmp is mounted without the "nodev" option, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248865.a" severity="medium" conversionstatus="pass" title="SRG-OS-000142-GPOS-00071" dscresource="nxFileLine">
      <ContainsLine># FirewallBackend</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
  
This requirement addresses the configuration of OL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
  
Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Using the limit statement in "nftables" can help to mitigate DoS attacks.
 
Satisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000298-GPOS-00116, SRG-OS-000420-GPOS-00186&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*#\s*FirewallBackend</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/firewalld/firewalld.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify "nftables" is configured to allow rate limits on any connection to the system with the following command.
Verify "firewalld" has "nftables" set as the default backend:
$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf
# FirewallBackend
If "nftables" is not set as the "FirewallBackend" default, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248865.b" severity="medium" conversionstatus="pass" title="SRG-OS-000142-GPOS-00071" dscresource="nxFileLine">
      <ContainsLine>FirewallBackend=nftables</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
  
This requirement addresses the configuration of OL 8 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
  
Since version 0.6.0, "firewalld" has incorporated "nftables" as its backend support. Using the limit statement in "nftables" can help to mitigate DoS attacks.
 
Satisfies: SRG-OS-000142-GPOS-00071, SRG-OS-000298-GPOS-00116, SRG-OS-000420-GPOS-00186&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*FirewallBackend\s*=\s*nftables</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/firewalld/firewalld.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify "nftables" is configured to allow rate limits on any connection to the system with the following command.
Verify "firewalld" has "nftables" set as the default backend:
$ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf
FirewallBackend=nftables
If the "nftables" is not set as the "firewallbackend" default, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-248870" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>logout=''</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*logout\s*=\s*''</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/dconf/db/local.d/</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface with the following command:
  
$ sudo grep logout /etc/dconf/db/local.d/*
  
logout=''
  
If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248871" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>CtrlAltDelBurstAction=none</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*CtrlAltDelBurstAction\s*=\s*none</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/systemd/system.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify OL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command:
  
$ sudo grep -i ctrl /etc/systemd/system.conf
  
CtrlAltDelBurstAction=none
  
If the "CtrlAltDelBurstAction" is not set to "none" or is commented out or missing, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248897" severity="low" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>VarFile = OwnerMode+n+l+X+acl</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.
  
OL 8 installation media come with a file integrity tool, Advanced Intrusion Detection Environment (AIDE).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*VarFile\s*=\s*OwnerMode\+n\+l\+X\+acl</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/aide.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the file integrity tool is configured to verify ACLs.
 
Use the following command to determine if the file is in a location other than "/etc/aide/aide.conf":
  
     $ sudo find / -name aide.conf
  
Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists with the following command:
  
     $ sudo grep -E "[+]?acl" /etc/aide.conf
  
     VarFile = OwnerMode+n+l+X+acl
  
If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file or is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.</RawString>
    </Rule>
    <Rule id="V-248902" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>server_args = -s /var/lib/tftpboot</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*server_args\s*=\s*-s\s*/var/lib/tftpboot</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/var/lib/tftpboot</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the TFTP daemon is configured to operate in secure mode with the following commands:
  
$ sudo yum list installed tftp-server
  
tftp-server.x86_64 x.x-x.el8
  
If a TFTP server is not installed, this is not applicable.
  
If a TFTP server is installed, check for the server arguments with the following command:
  
$ sudo grep server_args /etc/xinetd.d/tftp
  
server_args = -s /var/lib/tftpboot
  
If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.</RawString>
    </Rule>
    <Rule id="V-252658" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
 
OL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both:
/etc/pam.d/password-auth
/etc/pam.d/system-auth
By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/system-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "retry" is set to "0" or greater than "3", this is a finding." </OrganizationValueTestString>
      <RawString>Note: This requirement applies to OL versions 8.0 through 8.3. If the system is OL version 8.4 or newer, this requirement is not applicable.
 
Verify the operating system is configured to limit the "pwquality" retry option to 3.
 
Check for the use of the "pwquality" retry option in the system-auth file with the following command:
 
     $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality
 
     password requisite pam_pwquality.so retry=3
 
If the value of "retry" is set to "0" or greater than "3", this is a finding.</RawString>
    </Rule>
    <Rule id="V-252659" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="nxFileLine">
      <ContainsLine>
      </ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.
 
OL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both:
/etc/pam.d/password-auth
/etc/pam.d/system-auth
By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>
      </DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/pam.d/password-auth</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "retry" is set to "0" or greater than "3", this is a finding." </OrganizationValueTestString>
      <RawString>Note: This requirement applies to OL versions 8.0 through 8.3. If the system is OL version 8.4 or newer, this requirement is not applicable.
 
Verify the operating system is configured to limit the "pwquality" retry option to 3.
 
Check for the use of the "pwquality" retry option in the password-auth file with the following command:
 
     $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
 
     password requisite pam_pwquality.so retry=3
 
If the value of "retry" is set to "0" or greater than "3", this is a finding.</RawString>
    </Rule>
    <Rule id="V-255898" severity="medium" conversionstatus="pass" title="SRG-OS-000250-GPOS-00093" dscresource="nxFileLine">
      <ContainsLine>CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.
 
OL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
 
The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*CRYPTO_POLICY\s*=\s*'-oKexAlgorithms\s*=\s*ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/crypto-policies/back-ends/opensshserver.config</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:
 
     $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config
 
     CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
 
If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", appear in a different order than shown, or are missing or commented out, this is a finding.</RawString>
    </Rule>
    <Rule id="V-257259" severity="medium" conversionstatus="pass" title="SRG-OS-000163-GPOS-00072" dscresource="nxFileLine">
      <ContainsLine>StopIdleSessionSec=900</ContainsLine>
      <Description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DoesNotContainPattern>#\s*StopIdleSessionSec\s*=\s*900</DoesNotContainPattern>
      <DuplicateOf />
      <FilePath>/etc/systemd/logind.conf</FilePath>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that OL 8 logs out sessions that are idle for 15 minutes with the following command:
 
     $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf
 
     StopIdleSessionSec=900
 
If "StopIdleSessionSec" is not configured to 900 seconds, this is a finding.</RawString>
    </Rule>
  </nxFileLineRule>
  <nxServiceRule dscresourcemodule="nx">
    <Rule id="V-248628" severity="medium" conversionstatus="pass" title="SRG-OS-000269-GPOS-00103" dscresource="nxService">
      <Description>&lt;VulnDiscussion&gt;Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.
 
OL 8 installation media presents the option to enable or disable the kdump service at the time of system installation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Enabled>False</Enabled>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <Name>kdump</Name>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that kernel core dumps are disabled unless needed with the following command:
 
$ sudo systemctl status kdump.service
 
kdump.service - Crash recovery kernel arming
Loaded: loaded (/usr/lib/systemd/system/kdump.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2020-05-04 16:08:09 EDT; 3min ago
Main PID: 1130 (code=exited, status=0/FAILURE)
 
If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
 
If the service is active and is not documented, this is a finding.</RawString>
      <State />
    </Rule>
    <Rule id="V-248836" severity="medium" conversionstatus="pass" title="SRG-OS-000114-GPOS-00059" dscresource="nxService">
      <Description>&lt;VulnDiscussion&gt;Verify the operating system disables the ability to automount devices.
  
Determine if automounter service is active with the following command:
  
$ sudo systemctl status autofs
  
autofs.service - Automounts filesystems on demand
Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
Active: inactive (dead)
  
If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Enabled>False</Enabled>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LegacyId>
      </LegacyId>
      <Name>autofs</Name>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the operating system disables the ability to automount devices.
  
Determine if the automounter service is active with the following command:
  
$ sudo systemctl status autofs
  
autofs.service - Automounts filesystems on demand
Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
Active: inactive (dead)
  
If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</RawString>
      <State />
    </Rule>
  </nxServiceRule>
</DISASTIG>