Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

with profile NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.
This guide presents a catalog of security-relevant configuration settings for Red Hat OpenShift Container Platform 4. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: Unknown
Target ID: chroot:///host
Benchmark URL: /content/ssg-ocp4-ds.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_OCP-4
Benchmark version: 0.1.51
Profile ID: xccdf_org.ssgproject.content_profile_moderate
Started at: 2020-05-28T09:49:14+00:00
Finished at: 2020-05-28T09:50:19+00:00
Performed by: unknown user
Test system: cpe:/a:redhat:openscap:1.3.3

CPE Platforms

  • cpe:/a:redhat:openshift_container_platform:4.1

Addresses

    Compliance and Scoring

    The target system did not satisfy the conditions of 188 rules! Please review rule results and consider applying remediation.

    Rule results

    52 passed
    188 failed
    8 other

    Severity of failed rules

    12 other
    8 low
    162 medium
    6 high

    Score

    Scoring system: urn:xccdf:scoring:default
    Score: 31.787380
    Maximum: 100.000000
    Percent: 31.79%

    Rule Overview

    Title (Severity): Result
    Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4 188x fail 7x notchecked
    System Settings 177x fail 6x notchecked
    Account and Access Control 7x fail 2x notchecked
    Protect Accounts by Restricting Password-Based Login 2x fail 1x notchecked
    Restrict Root Logins 1x fail
    Ensure that System Accounts Do Not Run a Shell Upon Login (medium): pass
    Direct root Logins Not Allowed (medium): fail
    Verify Only Root Has UID 0 (high): pass
    Verify Proper Storage and Existence of Password Hashes 1x fail
    Prevent Login to Accounts With Empty Password (high): fail
    Verify No netrc Files Exist (medium): pass
    Protect Physical Console Access 4x fail 1x notchecked
    Configure Screen Locking 1x notchecked
    Configure Console Screen Locking 1x notchecked
    Prevent user from disabling the screen lock (medium): notchecked
    Disable debug-shell SystemD Service (medium): pass
    Verify that Interactive Boot is Disabled (medium): fail
    Require Authentication for Single User Mode (medium): fail
    Disable Ctrl-Alt-Del Reboot Activation (high): fail
    Disable Ctrl-Alt-Del Burst Action (high): fail
    Warning Banners for System Accesses 1x fail
    Modify the System Login Banner (medium): fail
    System Accounting with auditd 114x fail
    Configure auditd Data Retention 6x fail
    Configure auditd Number of Logs Retained (medium): pass
    Configure auditd space_left on Low Disk Space (medium): fail
    Configure auditd space_left Action on Low Disk Space (medium): fail
    Set hostname as computer node name in audit logs (medium): pass
    Configure auditd admin_space_left Action on Low Disk Space (medium): fail
    Configure auditd max_log_file_action Upon Reaching Maximum Log Size (medium): pass
    Configure auditd mail_acct Action on Low Disk Space (medium): pass
    Configure auditd Max Log File Size (medium): pass
    Include Local Events in Audit Logs (medium): pass
    Configure auditd Disk Error Action on Disk Error (medium): fail
    Resolve information before writing to audit logs (medium): pass
    Configure auditd flush priority (medium): fail
    Write Audit Logs to the Disk (medium): pass
    Configure auditd Disk Full Action when Disk Space Is Full (medium): fail
    Set number of records to cause an explicit flush to audit logs (medium): pass
    Configure auditd Rules for Comprehensive Auditing 106x fail
    Record Execution Attempts to Run SELinux Privileged Commands 6x fail
    Record Any Attempts to Run restorecon (medium): fail
    Record Any Attempts to Run chcon (medium): fail
    Record Any Attempts to Run setfiles (medium): fail
    Record Any Attempts to Run setsebool (medium): fail
    Record Any Attempts to Run seunshare (medium): fail
    Record Any Attempts to Run semanage (medium): fail
    Record Events that Modify Date and Time Information 5x fail
    Record Attempts to Alter the localtime File (medium): fail
    Record attempts to alter time through settimeofday (medium): fail
    Record Attempts to Alter Time Through clock_settime (medium): fail
    Record Attempts to Alter Time Through stime (medium): fail
    Record attempts to alter time through adjtimex (medium): fail
    Record Information on the Use of Privileged Commands 23x fail
    Ensure auditd Collects Information on the Use of Privileged Commands - passwd (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - at (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - su (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - sudo (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - postdrop (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - mount (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - userhelper (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - crontab (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - postqueue (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - chage (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - newgrp (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - chsh (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - umount (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown (medium): fail
    Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd (medium): fail
    Record Events that Modify the System's Discretionary Access Controls 13x fail
    Record Events that Modify the System's Discretionary Access Controls - fchmod (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - removexattr (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - lsetxattr (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - chmod (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - lchown (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - lremovexattr (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - fchownat (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - chown (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - fchown (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - fchmodat (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - setxattr (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - fsetxattr (medium): fail
    Record Events that Modify the System's Discretionary Access Controls - fremovexattr (medium): fail
    Record Attempts to Alter Logon and Logout Events - tallylog (medium): fail
    Record Attempts to Alter Logon and Logout Events - lastlog (medium): fail
    Record Attempts to Alter Logon and Logout Events - faillock (medium): fail
    Record File Deletion Events by User 5x fail
    Ensure auditd Collects File Deletion Events by User - rmdir (medium): fail
    Ensure auditd Collects File Deletion Events by User - rename (medium): fail
    Ensure auditd Collects File Deletion Events by User - unlinkat (medium): fail
    Ensure auditd Collects File Deletion Events by User - unlink (medium): fail
    Ensure auditd Collects File Deletion Events by User - renameat (medium): fail
    Record Unauthorized Access Attempts Events to Files (unsuccessful) 32x fail
    Record Unsuccessful Ownership Changes to Files - chown (medium): fail
    Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly (medium): fail
    Record Unsuccessful Permission Changes to Files - chmod (medium): fail
    Record Unsuccessful Permission Changes to Files - fchmodat (medium): fail
    Record Unsuccessful Permission Changes to Files - removexattr (medium): fail
    Record Unsuccessful Creation Attempts to Files - open O_CREAT (medium): fail
    Record Unsuccessful Delete Attempts to Files - renameat (medium): fail
    Record Unsuccessful Ownership Changes to Files - fchown (medium): fail
    Record Unsuccessful Access Attempts to Files - creat (medium): fail
    Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly (medium): fail
    Record Unsuccessful Permission Changes to Files - lremovexattr (medium): fail
    Record Unsuccessful Access Attempts to Files - ftruncate (medium): fail
    Record Unsuccessful Permission Changes to Files - setxattr (medium): fail
    Record Unsuccessful Ownership Changes to Files - fchownat (medium): fail
    Record Unsuccessful Permission Changes to Files - fsetxattr (medium): fail
    Record Unsuccessful Access Attempts to Files - open (medium): fail
    Record Unsuccessful Delete Attempts to Files - unlink (medium): fail
    Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly (medium): fail
    Record Unsuccessful Creation Attempts to Files - openat O_CREAT (medium): fail
    Record Unsuccessful Permission Changes to Files - fchmod (medium): fail
    Record Unsuccessful Permission Changes to Files - lsetxattr (medium): fail
    Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE (medium): fail
    Record Unsuccessful Delete Attempts to Files - rename (medium): fail
    Record Unsuccessful Access Attempts to Files - open_by_handle_at (medium): fail
    Record Unsuccessful Access Attempts to Files - truncate (medium): fail
    Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT (medium): fail
    Record Unsuccessful Delete Attempts to Files - unlinkat (medium): fail
    Record Unsuccessful Permission Changes to Files - fremovexattr (medium): fail
    Record Unsuccessful Ownership Changes to Files - lchown (medium): fail
    Record Unsuccessful Access Attempts to Files - openat (medium): fail
    Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE (medium): fail
    Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE (medium): fail
    Record Information on Kernel Modules Loading and Unloading
    Ensure auditd Collects Information on Kernel Module Loading - init_module (medium): pass
    Ensure auditd Collects Information on Kernel Module Unloading - delete_module (medium): pass
    Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module (medium): pass
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group (medium): fail
    Make the auditd Configuration Immutable (medium): fail
    Record Events that Modify User/Group Information via openat syscall - /etc/shadow (medium): fail
    Ensure auditd Collects Information on Exporting to Media (successful) (medium): fail
    Record Attempts to Alter Process and Session Initiation Information (medium): fail
    Ensure auditd Collects System Administrator Actions (medium): fail
    System Audit Logs Must Have Mode 0750 or Less Permissive (unknown): pass
    Record Events that Modify User/Group Information via open syscall - /etc/gshadow (medium): fail
    Record Events that Modify User/Group Information via openat syscall - /etc/group (medium): fail
    Record Events that Modify User/Group Information via openat syscall - /etc/gshadow (medium): fail
    Record Access Events to Audit Log Directory (medium): fail
    Record Events that Modify User/Group Information - /etc/passwd (medium): pass
    System Audit Logs Must Have Mode 0640 or Less Permissive (medium): pass
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow (medium): fail
    Record Events that Modify User/Group Information - /etc/security/opasswd (medium): pass
    Record Events that Modify User/Group Information - /etc/gshadow (medium): pass
    Record Events that Modify User/Group Information via open syscall - /etc/group (medium): fail
    Record Events that Modify the System's Mandatory Access Controls (medium): fail
    System Audit Logs Must Be Owned By Root (medium): pass
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd (medium): fail
    Record Events that Modify User/Group Information via open syscall - /etc/shadow (medium): fail
    Record Events that Modify User/Group Information via openat syscall - /etc/passwd (medium): fail
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow (medium): fail
    Record Events that Modify the System's Network Environment (medium): fail
    Record Events that Modify User/Group Information via open syscall - /etc/passwd (medium): fail
    Record Events that Modify User/Group Information - /etc/group (medium): pass
    Record Events that Modify User/Group Information - /etc/shadow (medium): pass
    Ensure the audit Subsystem is Installed (medium): pass
    Enable auditd Service (high): pass
    Enable Auditing for Processes Which Start Prior to the Audit Daemon (medium): fail
    Extend Audit Backlog Limit for the Audit Daemon (medium): fail
    Installing and Maintaining Software 6x fail 2x notchecked
    System and Software Integrity 6x fail 2x notchecked
    Software Integrity Checking 2x notchecked
    Verify Integrity with RPM 2x notchecked
    Verify and Correct Ownership with RPM (high): notchecked
    Verify and Correct File Permissions with RPM (high): notchecked
    Federal Information Processing Standard (FIPS) 2x fail
    Enable FIPS Mode (high): fail
    Enable Dracut FIPS Module (medium): fail
    System Cryptographic Policies 4x fail
    Harden SSHD Crypto Policy (medium): fail
    Configure OpenSSL library to use System Crypto Policy (medium): fail
    Harden SSH client Crypto Policy (medium): fail
    Configure SSH to use System Crypto Policy (medium): pass
    Configure Kerberos to use System Crypto Policy (medium): pass
    Configure System Cryptography Policy (high): fail
    Sudo
    Install sudo Package (medium): pass
    GRUB2 bootloader configuration 2x fail
    Enable Kernel Page-Table Isolation (KPTI) (high): fail
    Set the UEFI Boot Loader Password (medium): fail
    Network Configuration and Firewalls 26x fail 1x notchecked
    IPv6 6x fail
    Configure IPv6 Settings if Necessary 6x fail
    Disable Accepting ICMP Redirects for All IPv6 Interfaces (medium): fail
    Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces (medium): fail
    Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default (medium): fail
    Disable Accepting Router Advertisements on all IPv6 Interfaces by Default (unknown): fail
    Configure Accepting Router Advertisements on All IPv6 Interfaces (unknown): fail
    Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces (medium): fail
    Kernel Parameters Which Affect Networking 13x fail
    Network Parameters for Hosts Only 2x fail
    Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces (medium): fail
    Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default (medium): fail
    Network Related Kernel Runtime Parameters for Hosts and Routers 11x fail
    Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces (medium): pass
    Disable Accepting ICMP Redirects for All IPv4 Interfaces (medium): fail
    Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default (medium): fail
    Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces (medium): pass
    Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces (unknown): fail
    Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces (unknown): fail
    Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces (medium): fail
    Configure Kernel Parameter for Accepting Secure Redirects By Default (medium): fail
    Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default (medium): fail
    Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces (medium): fail
    Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default (unknown): fail
    Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces (medium): fail
    Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces (medium): fail
    Uncommon Network Protocols 5x fail
    Disable ATM Support (medium): fail
    Disable IEEE 1394 (FireWire) Support (medium): fail
    Disable CAN Support (medium): fail
    Disable TIPC Support (medium): fail
    Disable SCTP Support (medium): fail
    iptables and ip6tables
    Install iptables Package (medium): pass
    Wireless Networking 1x fail 1x notchecked
    Disable Wireless Through Software Configuration 1x fail 1x notchecked
    Disable Bluetooth Service (medium): pass
    Deactivate Wireless Network Interfaces (medium): pass
    Disable WiFi or Bluetooth in BIOS (unknown): notchecked
    Disable Bluetooth Kernel Module (medium): fail
    Prevent non-Privileged Users from Modifying Network Interfaces using nmcli (medium): fail
    Configure Syslog 1x fail
    Ensure All Logs are Rotated by logrotate 1x fail
    Ensure Logrotate Runs Periodically (medium): fail
    SELinux
    Ensure SELinux State is Enforcing (high): pass
    Configure SELinux Policy (high): pass
    Ensure No Daemons are Unconfined by SELinux (medium): pass
    Ensure SELinux Not Disabled in /etc/default/grub (medium): pass
    File Permissions and Masks 21x fail 1x notchecked
    Restrict Dynamic Mounting and Unmounting of Filesystems 10x fail 1x notchecked
    Disable the Automounter (medium): pass
    Disable Mounting of jffs2 (low): fail
    Disable Mounting of vFAT filesystems (low): fail
    Disable Modprobe Loading of USB Storage Driver (medium): fail
    Disable Mounting of hfsplus (low): fail
    Disable Booting from USB Devices in Boot Firmware (unknown): notchecked
    Disable Mounting of hfs (low): fail
    Disable Mounting of cramfs (low): fail
    Disable Mounting of udf (low): fail
    Disable Kernel Support for USB via Bootloader Configuration (unknown): fail
    Disable Mounting of freevxfs (low): fail
    Disable Mounting of squashfs (low): fail
    Verify Permissions on Important Files and Directories
    Restrict Programs from Dangerous Execution Patterns 11x fail
    Disable Core Dumps 4x fail
    Disable acquiring, saving, and processing core dumps (unknown): fail
    Disable Core Dumps for All Users (unknown): fail
    Disable storing core dump (unknown): fail
    Disable core dump backtraces (unknown): fail
    Memory Poisoning 1x fail
    Enable page allocator poisoning (medium): fail
    Enable ExecShield
    Restrict Exposed Kernel Pointer Addresses Access (medium): pass
    Disable Kernel Image Loading (medium): fail
    Disallow kernel profiling by unprivileged users (medium): fail
    Restrict usage of ptrace to descendant processes (medium): fail
    Harden the operation of the BPF just-in-time compiler (medium): fail
    Restrict Access to Kernel Message Buffer (medium): fail
    Disable vsyscalls (info): informational
    Disable storing core dumps (unknown): pass
    Disable Access to Network bpf() Syscall From Unprivileged Processes (medium): fail
    Services 11x fail 1x notchecked
    Network Time Protocol 4x fail
    Enable the NTP Daemon (medium): pass
    Specify Additional Remote NTP Servers (medium): fail
    Disable network management of chrony daemon (unknown): fail
    Disable chrony daemon from acting as server (unknown): fail
    Specify a Remote NTP Server (medium): pass
    Configure Time Service Maxpoll Interval (medium): fail
    Hardware RNG Entropy Gatherer Daemon 1x fail
    Enable the Hardware RNG Entropy Gatherer Service (medium): fail
    System Security Services Daemon 1x fail
    Configure SSSD to run as user sssd (medium): fail
    SSH Server 1x fail 1x notchecked
    Configure OpenSSH Server if Necessary 1x fail 1x notchecked
    Set SSH Client Alive Max Count (medium): fail
    Disable SSH Support for .rhosts Files (medium): pass
    Set SSH Idle Timeout Interval (medium): pass
    Limit Users' SSH Access (unknown): notchecked
    Verify Permissions on SSH Server config file (medium): pass
    Verify Owner on SSH Server config file (medium): pass
    Verify Permissions on SSH Server Private *_key Key Files (medium): pass
    Verify Permissions on SSH Server Public *.pub Key Files (medium): pass
    Verify Group Who Owns SSH Server config file (medium): pass
    USBGuard daemon 4x fail
    Install usbguard Package (medium): fail
    Enable the USBGuard Service (medium): fail
    Log USBGuard daemon audit events using Linux Audit (medium): fail
    Authorize Human Interface Devices and USB hubs in USBGuard daemon (medium): fail

    Result Details

    Ensure that System Accounts Do Not Run a Shell Upon Login | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts | medium | CCE-82697-4

    Ensure that System Accounts Do Not Run a Shell Upon Login

    Rule ID: xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_shelllogin_for_systemaccounts:def:1
    Time: 2020-05-28T09:49:14+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82697-4

    References:  5.4.2, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6

    Description

    Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

    The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than UID_MIN, where value of UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:

    $ sudo usermod -s /sbin/nologin SYSACCT

    Rationale

    Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.

    Warnings
    Warning: Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
    OVAL test results details

    SYS_UID_MIN not defined in /etc/login.defs  (oval:ssg-test_sys_uid_min_not_defined:tst:1)  false

    Following items have been found on the system:
    Path: /etc/login.defs
    Content:
        #
        # Please note that the parameters in this configuration file control the
        # behavior of the tools from the shadow-utils component. None of these
        # tools uses the PAM mechanism, and the utilities that use PAM (such as the
        # passwd command) should therefore be configured elsewhere. Refer to
        # /etc/pam.d/system-auth for more information.
        #
        # *REQUIRED*
        #   Directory where mailboxes reside, _or_ name of file, relative to the
        #   home directory. If you _do_ define both, MAIL_DIR takes precedence.
        #   QMAIL_DIR is for Qmail
        #
        #QMAIL_DIR      Maildir
        MAIL_DIR        /var/spool/mail
        #MAIL_FILE      .mail

        # Password aging controls:
        #
        #       PASS_MAX_DAYS   Maximum number of days a password may be used.
        #       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
        #       PASS_MIN_LEN    Minimum acceptable password length.
        #       PASS_WARN_AGE   Number of days warning given before a password expires.
        #
        PASS_MAX_DAYS   99999
        PASS_MIN_DAYS   0
        PASS_MIN_LEN    5
        PASS_WARN_AGE   7

        #
        # Min/max values for automatic uid selection in useradd
        #
        UID_MIN         1000
        UID_MAX         60000
        # System accounts
        SYS_UID_MIN     201

    SYS_UID_MAX not defined in /etc/login.defs  (oval:ssg-test_sys_uid_max_not_defined:tst:1)  false

    Following items have been found on the system:
    Path: /etc/login.defs
    Content:
        #
        # Please note that the parameters in this configuration file control the
        # behavior of the tools from the shadow-utils component. None of these
        # tools uses the PAM mechanism, and the utilities that use PAM (such as the
        # passwd command) should therefore be configured elsewhere. Refer to
        # /etc/pam.d/system-auth for more information.
        #
        # *REQUIRED*
        #   Directory where mailboxes reside, _or_ name of file, relative to the
        #   home directory. If you _do_ define both, MAIL_DIR takes precedence.
        #   QMAIL_DIR is for Qmail
        #
        #QMAIL_DIR      Maildir
        MAIL_DIR        /var/spool/mail
        #MAIL_FILE      .mail

        # Password aging controls:
        #
        #       PASS_MAX_DAYS   Maximum number of days a password may be used.
        #       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
        #       PASS_MIN_LEN    Minimum acceptable password length.
        #       PASS_WARN_AGE   Number of days warning given before a password expires.
        #
        PASS_MAX_DAYS   99999
        PASS_MIN_DAYS   0
        PASS_MIN_LEN    5
        PASS_WARN_AGE   7

        #
        # Min/max values for automatic uid selection in useradd
        #
        UID_MIN         1000
        UID_MAX         60000
        # System accounts
        SYS_UID_MIN     201
        SYS_UID_MAX     999

    <0, UID_MIN - 1> system UIDs having shell set  (oval:ssg-test_shell_defined_default_uid_range:tst:1)  true

    Following items have been found on the system:
    Var ref: oval:ssg-variable_default_range_quad_expr:var:1
    Value: 1000

    <0, SYS_UID_MIN> system UIDs having shell set  oval:ssg-test_shell_defined_reserved_uid_range:tst:1  true

    Following items have been found on the system:
    Var: oval:ssg-variable_reserved_range_quad_expr:var:1
    refValue: 799000

    <SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set  oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1  true

    Following items have been found on the system:
    Var: oval:ssg-variable_dynalloc_range_quad_expr:var:1
    refValue: 799
    Direct root Logins Not Allowed  xccdf_org.ssgproject.content_rule_no_direct_root_logins  medium  CCE-82698-2

    Direct root Logins Not Allowed

    Rule ID: xccdf_org.ssgproject.content_rule_no_direct_root_logins
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_direct_root_logins:def:1
    Time: 2020-05-28T09:49:14+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82698-2

    References:  NT28(R19), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.1, 3.1.6, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7

    Description

    To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices from which the root user is allowed to log in. If the file does not exist at all, root can log in through any communication device on the system, whether the console or a raw network interface. This is dangerous, as a user could then log in as root via Telnet, which sends the password in plain text over the network. By default, Red Hat OpenShift Container Platform 4's /etc/securetty file only allows root to log in at the console physically attached to the system. To prevent direct root logins, remove the contents of this file by typing the following command (the redirection must run with root privileges, so it is wrapped in a root shell):

    $ sudo sh -c 'echo > /etc/securetty'
    

    Rationale

    Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.



    echo > /etc/securetty
    


    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 2.2.0
        storage:
          files:
          - contents:
              source: data:,
            filesystem: root
            mode: 0600
            path: /etc/securetty
    
    OVAL test results details

    no entries in /etc/securetty  oval:ssg-test_no_direct_root_logins:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_no_direct_root_logins:obj:1 of type textfilecontent54_object
    Filepath: /etc/securetty
    Pattern: ^$
    Instance: 1

    /etc/securetty file exists  oval:ssg-test_etc_securetty_exists:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_etc_securetty_exists:obj:1 of type textfilecontent54_object
    Filepath: /etc/securetty
    Pattern: ^.*$
    Instance: 1
    Verify Only Root Has UID 0  xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero  high  CCE-82699-0

    Verify Only Root Has UID 0

    Rule ID: xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-accounts_no_uid_except_zero:def:1
    Time: 2020-05-28T09:49:14+00:00
    Severity: high
    Identifiers and References

    Identifiers:  CCE-82699-0

    References:  1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227

    Description

    If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
    If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

    Rationale

    An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

    OVAL test results details

    test that there are no accounts with UID 0 except root in the /etc/passwd file  oval:ssg-test_accounts_no_uid_except_root:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
    Filepath: /etc/passwd
    Pattern: ^(?!root:)[^:]*:[^:]*:0
    Instance: 1
    Prevent Login to Accounts With Empty Password  xccdf_org.ssgproject.content_rule_no_empty_passwords  high  CCE-82553-9

    Prevent Login to Accounts With Empty Password

    Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_empty_passwords:def:1
    Time: 2020-05-28T09:49:14+00:00
    Severity: high
    Identifiers and References

    Identifiers:  CCE-82553-9

    References:  1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_AFL.1, Req-8.2.3, SRG-OS-000480-GPOS-00227

    Description

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

    Rationale

    If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.



    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 2.2.0
        storage:
          files:
          - contents:
              source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficien
t%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
            filesystem: root
            mode: 0644
            path: /etc/pam.d/password-auth
          - contents:
              source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficien
t%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
            filesystem: root
            mode: 0644
            path: /etc/pam.d/system-auth
    
    OVAL test results details

    make sure nullok is not used in /etc/pam.d/system-auth  oval:ssg-test_no_empty_passwords:tst:1  false

    Following items have been found on the system:
    Path: /etc/pam.d/system-auth
    Content:
    auth        required      pam_env.so
    auth        required      pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth        [default=1 ignore=ignore success=ok] pam_localuser.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient    pam_sss.so forward_pass
    auth        required      pam_deny.so
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so
    password    requisite     pam_pwquality.so try_first_pass local_users_only
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    Verify No netrc Files Exist  xccdf_org.ssgproject.content_rule_no_netrc_files  medium  CCE-82667-7

    Verify No netrc Files Exist

    Rule ID: xccdf_org.ssgproject.content_rule_no_netrc_files
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_netrc_files:def:1
    Time: 2020-05-28T09:49:14+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82667-7

    References:  1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3

    Description

    The .netrc files contain login information used to log in automatically to FTP servers and reside in the user's home directory. These files may contain unencrypted passwords for remote FTP servers, making them susceptible to access by unauthorized users, and should not be used. Any .netrc files should be removed.

    Rationale

    Unencrypted passwords for remote FTP servers may be stored in .netrc files.

    OVAL test results details

    look for .netrc in /home  oval:ssg-test_no_netrc_files_home:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object
    Behaviors: no value
    Path: /home
    Filename: ^\.netrc$
    Prevent user from disabling the screen lock  xccdf_org.ssgproject.content_rule_no_tmux_in_shells  medium

    Prevent user from disabling the screen lock

    Rule ID: xccdf_org.ssgproject.content_rule_no_tmux_in_shells
    Result: notchecked
    Multi-check rule: no
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    References:  FMT_SMF_EXT.1, SRG-OS-000324-GPOS-00125

    Description

    The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.

    Rationale

    Not listing tmux among the permitted shells prevents a malicious program running as the user from lowering security by disabling the screen lock.

    Evaluation messages
    info: No candidate or applicable check found.
    Disable debug-shell SystemD Service  xccdf_org.ssgproject.content_rule_service_debug-shell_disabled  medium  CCE-82496-1

    Disable debug-shell SystemD Service

    Rule ID: xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-service_debug-shell_disabled:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82496-1

    References:  3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), FIA_AFL.1, SRG-OS-000324-GPOS-00125

    Description

    SystemD's debug-shell service is intended to diagnose SystemD-related boot issues with various systemctl commands. Once enabled and following a system reboot, a root shell is available on tty9, which is accessed by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD-related issues and should otherwise be disabled.

    By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following command:

    $ sudo systemctl disable debug-shell.service

    The debug-shell service can be masked with the following command:

    $ sudo systemctl mask debug-shell.service

    Rationale

    This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

    OVAL test results details

    package systemd is removed  oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1  false

    Following items have been found on the system:
    Name: systemd
    Arch: x86_64
    Epoch: (none)
    Release: 27.el8
    Version: 239
    Evr: 0:239-27.el8
    Signature keyid: 199e2f91fd431d51
    Extended name: systemd-0:239-27.el8.x86_64

    Test that the debug-shell service is not running  oval:ssg-test_service_not_running_debug-shell:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type systemdunitproperty_object
    Unit: ^debug-shell\.(service|socket)$
    Property: ActiveState

    Test that the property LoadState from the service debug-shell is masked  oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1 of type systemdunitproperty_object
    Unit: ^debug-shell\.(service|socket)$
    Property: LoadState

    Test that the property FragmentPath from the service debug-shell is set to /dev/null  oval:ssg-test_service_fragmentpath_is_dev_null_debug-shell:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_service_fragmentpath_is_dev_null_debug-shell:obj:1 of type systemdunitproperty_object
    Unit: ^debug-shell\.(service|socket)$
    Property: FragmentPath
    Verify that Interactive Boot is Disabled  xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot  medium  CCE-82551-3

    Verify that Interactive Boot is Disabled

    Rule ID: xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-grub2_disable_interactive_boot:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82551-3

    References:  11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, SC-2(1), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00227

    Description

    Red Hat OpenShift Container Platform 4 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat OpenShift Container Platform 4 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of

    systemd.confirm_spawn=(1|yes|true|on)

    from the kernel arguments in that file to disable interactive boot. The runtime configuration must also be changed; to do so, run:

    /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"

    Rationale

    Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

    OVAL test results details

    Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type textfilecontent54_object
    Filepath: /etc/default/grub
    Pattern: ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$
    Instance: 1

    Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type textfilecontent54_object
    Filepath: /etc/default/grub
    Pattern: ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$
    Instance: 1

    Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_bootloader_disable_recovery_argument:obj:1 of type textfilecontent54_object
    Filepath: /etc/default/grub
    Pattern: ^\s*GRUB_DISABLE_RECOVERY=(.*)$
    Instance: 1
    Require Authentication for Single User Mode  xccdf_org.ssgproject.content_rule_require_singleuser_auth  medium  CCE-82550-5

    Require Authentication for Single User Mode

    Rule ID: xccdf_org.ssgproject.content_rule_require_singleuser_auth
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-require_singleuser_auth:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82550-5

    References:  1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_AFL.1, SRG-OS-000080-GPOS-00048

    Description

    Single-user mode is intended as a system recovery method: it gives a single user root access to the system through a boot option selected at startup. By default, no authentication is performed if single-user mode is selected.

    By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.

    Rationale

    This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.



    Complexity: low
    Disruption: low
    Strategy: restrict
    - name: require single user mode password
      lineinfile:
        create: true
        dest: /usr/lib/systemd/system/rescue.service
        regexp: ^#?ExecStart=
        line: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block
          default"
      when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
      tags:
        - require_singleuser_auth
        - medium_severity
        - restrict_strategy
        - low_complexity
        - low_disruption
        - no_reboot_needed
        - CCE-82550-5
        - NIST-800-53-IA-2
        - NIST-800-53-AC-3
        - NIST-800-53-CM-6(a)
        - NIST-800-171-3.1.1
        - NIST-800-171-3.4.5
    
    OVAL test results details

    Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode  oval:ssg-test_require_rescue_service:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_require_rescue_service:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/rescue.service
    Pattern: ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"
    Instance: 1

    Tests that the systemd rescue.service is in the runlevel1.target  oval:ssg-test_require_rescue_service_runlevel1:tst:1  true

    Following items have been found on the system:
    Path: /usr/lib/systemd/system/runlevel1.target
    Content: Requires=sysinit.target rescue.service

    look for runlevel1.target in /etc/systemd/system  oval:ssg-test_no_custom_runlevel1_target:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object
    Behaviors: no value
    Path: /etc/systemd/system
    Filename: ^runlevel1.target$

    look for rescue.service in /etc/systemd/system  oval:ssg-test_no_custom_rescue_service:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object
    Behaviors: no value
    Path: /etc/systemd/system
    Filename: ^rescue.service$
    Disable Ctrl-Alt-Del Reboot Activation  xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot  high  CCE-82493-8

    Disable Ctrl-Alt-Del Reboot Activation

    Rule ID: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-disable_ctrlaltdel_reboot:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: high
    Identifiers and References

    Identifiers:  CCE-82493-8

    References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227

    Description

    By default, systemd reboots the system when the Ctrl-Alt-Del key sequence is pressed on a console: the kernel hands the key press to systemd, which starts ctrl-alt-del.target, a symlink to reboot.target.

    To make the system ignore the key sequence instead of rebooting, do either of the following from the command line:

    ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
    or
    systemctl mask ctrl-alt-del.target

    Both create /etc/systemd/system/ctrl-alt-del.target as a symlink to /dev/null, which is the state the check for this rule looks for.

    Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.target file, as this file may be restored during future system updates.

    Rationale

    A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

    Warnings
    warning  Masking ctrl-alt-del.target disables the key sequence only on the text console (multi-user.target, the former runlevel 3). In a graphical session (graphical.target, the former runlevel 5, e.g. GNOME or KDE) the desktop environment handles Ctrl-Alt-Del itself and must be configured separately. The upstart file /etc/init/control-alt-delete.conf is not read by systemd-based systems such as Red Hat Enterprise Linux CoreOS.
    OVAL test results details

    Disable Ctrl-Alt-Del key sequence override exists  oval:ssg-test_disable_ctrlaltdel_exists:tst:1  false

    Following items have been found on the system:
    Filepath: /etc/systemd/system/ctrl-alt-del.target
    Canonical path: /usr/lib/systemd/system/reboot.target
    Disable Ctrl-Alt-Del Burst Action

    Rule ID: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-disable_ctrlaltdel_burstaction:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: high
    Identifiers and References

    Identifiers:  CCE-82495-3

    References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125

    Description

    By default, systemd force-reboots the system (CtrlAltDelBurstAction=reboot-force) if Ctrl-Alt-Del is pressed more than 7 times within 2 seconds. This path does not go through ctrl-alt-del.target, so masking that target alone does not prevent it.

    To disable the burst action, add or modify the following line in the [Manager] section of /etc/systemd/system.conf:

    CtrlAltDelBurstAction=none

    Rationale

    A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

    Warnings
    warning  Masking ctrl-alt-del.target disables the key sequence only on the text console (multi-user.target, the former runlevel 3). In a graphical session (graphical.target, the former runlevel 5, e.g. GNOME or KDE) the desktop environment handles Ctrl-Alt-Del itself and must be configured separately. The upstart file /etc/init/control-alt-delete.conf is not read by systemd-based systems such as Red Hat Enterprise Linux CoreOS.


    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 2.2.0
        storage:
          files:
          - contents:
              # decodes to "[Manager]\nCtrlAltDelBurstAction=none\n"; systemd ignores
              # an assignment that appears before a section header
              source: data:,%5BManager%5D%0ACtrlAltDelBurstAction%3Dnone%0A
            filesystem: root
            mode: 0644
            path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
    
    OVAL test results details

    check if CtrlAltDelBurstAction is set to none  oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type textfilecontent54_object
    Filepath: /etc/systemd/system.conf
    Pattern: ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$
    Instance: 1
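    The following is an added example for the two Ctrl-Alt-Del rules above (Disable Ctrl-Alt-Del Reboot Activation and Disable Ctrl-Alt-Del Burst Action); it is written for this page and is not ComplianceAsCode's or Red Hat's remediation code. It emits one MachineConfig that masks ctrl-alt-del.target and installs a CtrlAltDelBurstAction=none drop-in, and it re-implements the two OVAL checks so a node's state can be graded before and after the change. Two caveats it encodes: systemd ignores an assignment that precedes a section header, so the drop-in must begin with [Manager]; and the burst-action OVAL object on this page reads only /etc/systemd/system.conf, so a drop-in under system.conf.d is honoured by systemd but not seen by this version of the check (pass conf_path="/etc/systemd/system.conf" to satisfy both, replacing a file that on RHCOS holds only the [Manager] header and commented-out defaults). The MachineConfig name and role label are placeholders, and SCANNED_SYSTEM_CONF is a constructed stand-in for the scanned node's file.

```python
"""Added example for the two Ctrl-Alt-Del rules on this page; not
ComplianceAsCode's or Red Hat's remediation code. Builds one MachineConfig
that satisfies both rules and re-implements the two OVAL checks so a node can
be graded before and after. The MachineConfig name and role label are
placeholders and SCANNED_SYSTEM_CONF is constructed from the report's finding."""
import json
import re
from urllib.parse import quote

# Regex copied from the report's OVAL object for the burst-action check.
BURST_ACTION_RE = re.compile(
    r"^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$", re.MULTILINE)

# Constructed stand-in for /etc/systemd/system.conf as scanned: the shipped
# file carries only the section header and commented-out defaults.
SCANNED_SYSTEM_CONF = "[Manager]\n#CtrlAltDelBurstAction=reboot-force\n"

# systemd ignores assignments that precede a section header, so the drop-in
# must open with [Manager] even though the report's remediation omits it.
DROP_IN = "[Manager]\nCtrlAltDelBurstAction=none\n"

DROP_IN_PATH = "/etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf"


def data_url(content: str) -> str:
    """Percent-encode file content the way the Ignition configs in this report
    do: '=' becomes %3D, newline %0A, '/' is left as-is."""
    return "data:," + quote(content, safe="/")


def machineconfig(role: str = "worker", conf_path: str = DROP_IN_PATH) -> dict:
    """One MachineConfig for both rules: mask ctrl-alt-del.target (Ignition
    symlinks it to /dev/null, which is what the reboot-rule check wants) and
    write CtrlAltDelBurstAction=none. The dict serialises with json.dumps(),
    and JSON is valid YAML for 'oc apply -f -'. Pass
    conf_path='/etc/systemd/system.conf' if this version of the burst-action
    check, which reads only that file, must also pass."""
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "name": f"75-{role}-disable-ctrlaltdel",  # hypothetical name
            "labels": {"machineconfiguration.openshift.io/role": role},
        },
        "spec": {"config": {
            "ignition": {"version": "2.2.0"},
            "systemd": {"units": [{"name": "ctrl-alt-del.target", "mask": True}]},
            "storage": {"files": [{
                "path": conf_path,
                "filesystem": "root",
                "mode": 0o644,  # serialises as 420, the integer Ignition expects
                "contents": {"source": data_url(DROP_IN)},
            }]},
        }},
    }


def ctrlaltdel_disabled(canonical_target: str) -> bool:
    """Reboot rule: pass only when /etc/systemd/system/ctrl-alt-del.target
    resolves to /dev/null. The report found it resolving to
    /usr/lib/systemd/system/reboot.target, so the sequence still reboots."""
    return canonical_target == "/dev/null"


def burst_action_disabled(system_conf_text: str) -> bool:
    """Burst rule as the report's OVAL test evaluates it: an uncommented
    CtrlAltDelBurstAction=none line somewhere in the text it is handed."""
    return BURST_ACTION_RE.search(system_conf_text) is not None


if __name__ == "__main__":
    print(json.dumps(machineconfig(), indent=2))
```

    To grade a live node, feed ctrlaltdel_disabled() the output of oc debug node/NAME -- chroot /host readlink -f /etc/systemd/system/ctrl-alt-del.target, and burst_action_disabled() the contents of /etc/systemd/system.conf read the same way; after the MachineConfig has rolled out, the first should return True and, with conf_path set to system.conf, so should the second.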
    Modify the System Login Banner

    Rule ID: xccdf_org.ssgproject.content_rule_banner_etc_issue
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-banner_etc_issue:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82555-4

    References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070

    Description

    To configure the system login banner, edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD-required text is either:

    You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
    -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
    -At any time, the USG may inspect and seize data stored on this IS.
    -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
    -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
    -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


    OR:

    I've read & consent to terms in IS user agreem't.

    Rationale

    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

    System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

    OVAL test results details

    correct banner in /etc/issue  oval:ssg-test_banner_etc_issue:tst:1  false

    Following items have been found on the system:
    Path: /etc/issue
    Content: \S \S{VERSION_ID}
    Configure auditd Number of Logs Retained

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_retention_num_logs:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82693-3

    References:  1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7

    Description

    Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of 5:

    num_logs = NUMLOGS
    Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.

    Rationale

    The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

    OVAL test results details

    number of logs retained  oval:ssg-test_auditd_data_retention_num_logs:tst:1  true

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: num_logs = 5
    Configure auditd space_left on Low Disk Space

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_retention_space_left:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82681-8

    References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-001855, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240

    Description

    The auditd service can be configured to take an action when disk space is running low but before it runs out completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:

    space_left = SIZE_in_MB
    Set this to the amount of free space, in megabytes, at which auditd should carry out the space_left_action (notifying the administrator), leaving enough margin to act before the audit partition fills.

    Rationale

    Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

    OVAL test results details

    space left threshold  oval:ssg-test_auditd_data_retention_space_left:tst:1  false

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: space_left = 75
    Configure auditd space_left Action on Low Disk Space

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_retention_space_left_action:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82678-4

    References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240

    Description

    The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

    space_left_action = ACTION
    Possible values for ACTION are described in the auditd.conf man page. These include:
    • syslog
    • email
    • exec
    • suspend
    • single
    • halt
    Set this to email, as it is more likely to get prompt attention; the value found on this node, syslog, only writes a log message. Acceptable values also include suspend, single, and halt.

    Rationale

    Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

    OVAL test results details

    space left action  oval:ssg-test_auditd_data_retention_space_left_action:tst:1  false

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: space_left_action = SYSLOG
    Set hostname as computer node name in audit logs

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_name_format
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_name_format:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82513-3

    References:  CCI-001851, FAU_GEN.1, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

    Description

    To configure the audit daemon to use the value returned by gethostname(2) as the node name in audit events, set name_format to hostname in /etc/audit/auditd.conf.

    Rationale

    If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish.

    OVAL test results details

    tests the value of name_format setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_name_format:tst:1  true

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: name_format = hostname
    Configure auditd admin_space_left Action on Low Disk Space

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_retention_admin_space_left_action:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82677-6

    References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000140, CCI-001343, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134

    Description

    The auditd service can be configured to take a second, more forceful action when free space on the audit partition drops below admin_space_left, a lower threshold than space_left that serves as the last warning before space runs out completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

    admin_space_left_action = ACTION
    Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

    Rationale

    Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

    OVAL test results details

    admin space left action  oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1  false

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: admin_space_left_action = SUSPEND
    Configure auditd max_log_file_action Upon Reaching Maximum Log Size

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_retention_max_log_file_action:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82680-0

    References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7

    Description

    The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:

    max_log_file_action = ACTION
    Possible values for ACTION are described in the auditd.conf man page. These include:
    • syslog
    • suspend
    • rotate
    • keep_logs
    Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.

    Rationale

    Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.

    OVAL test results details

    max log file action  oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1  true

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: max_log_file_action = ROTATE
    Configure auditd mail_acct Action on Low Disk Space

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_retention_action_mail_acct:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82675-0

    References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000343-GPOS-00134, SRG-OS-000046-VMM-000210, SRG-OS-000343-VMM-001240

    Description

    The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

    action_mail_acct = root

    Rationale

    Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

    OVAL test results details

    email account for actions  oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1  true

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: action_mail_acct = root
    Configure auditd Max Log File Size

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_retention_max_log_file:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82694-1

    References:  1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7

    Description

    Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB:

    max_log_file = STOREMB
    Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.

    Rationale

    The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

    OVAL test results details

    max log file size  oval:ssg-test_auditd_data_retention_max_log_file:tst:1  true

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: max_log_file = 8
    Include Local Events in Audit Logs

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_local_events
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_local_events:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82509-1

    References:  FAU_GEN.1.1.c, SRG-OS-000062-GPOS-00031

    Description

    To configure the audit daemon to include local events in the audit log, set local_events to yes in /etc/audit/auditd.conf. This is the default setting.

    Rationale

    If local_events is not set to yes, only events received from the network are logged; that mode is intended for dedicated audit aggregation servers, not for cluster nodes.

    OVAL test results details

    tests the value of local_events setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_local_events:tst:1  true

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: local_events = yes

    tests the absence of local_events setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_local_events_default_not_overriden:tst:1  false

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: local_events =
    Configure auditd Disk Error Action on Disk Error

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_disk_error_action:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82679-2

    References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4

    Description

    The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

    disk_error_action = ACTION
    Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

    Rationale

    Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.

    OVAL test results details

    disk error action  oval:ssg-test_auditd_data_disk_error_action:tst:1  false

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: disk_error_action = SUSPEND
    Resolve information before writing to audit logs

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_log_format
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_log_format:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82511-7

    References:  FAU_GEN.1, SRG-OS-000255-GPOS-00096

    Description

    To configure the audit daemon to resolve all uid, gid, syscall, architecture, and socket address information to names before writing events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.

    Rationale

    If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them.

    OVAL test results details

    tests the value of log_format setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_log_format:tst:1  true

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: log_format = ENRICHED
    Configure auditd flush priority

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_flush
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_retention_flush:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82508-3

    References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001576, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-11, CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000480-GPOS-00227

    Description

    The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:

    flush = incremental_async

    Rationale

    Audit data should be flushed to disk promptly to preserve log integrity. With flush = incremental_async, auditd requests a flush to disk every freq records (freq is set by the rule "Set number of records to cause an explicit flush to audit logs") instead of leaving event data in buffers until the next full write.



    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 2.2.0
        storage:
          files:
          - contents:
              source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20DATA%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20ROTATE%0Aspace_left%20%3D%2075%0Aspace_left_action%20%3D%20SYSLOG%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20SUSPEND%0Adisk_full_action%20%3D%20SUSPEND%0Adisk_error_action%20%3D%20SUSPEND%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20SYSLOG%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d%0A
            filesystem: root
            mode: 0640
            path: /etc/audit/auditd.conf
    
    OVAL test results details

    test the value of flush parameter in /etc/audit/auditd.conf  oval:ssg-test_auditd_data_retention_flush:tst:1  false

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: flush = DATA
    Write Audit Logs to the Disk

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_write_logs
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_write_logs:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82510-9

    References:  FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227

    Description

    To configure the audit daemon to write audit records to disk, set write_logs to yes in /etc/audit/auditd.conf. This is the default setting.

    Rationale

    If write_logs is not set to yes, audit records are not written to the local log file; they are only handed to the dispatcher plugins.

    OVAL test results details

    tests the value of write_logs setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_write_logs:tst:1  true

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: write_logs = yes

    tests the absence of write_logs setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1  false

    Following items have been found on the system:
    Path: /etc/audit/auditd.conf
    Content: write_logs =
    Configure auditd Disk Full Action when Disk Space Is Fullxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action mediumCCE-82676-8

    Configure auditd Disk Full Action when Disk Space Is Full

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_data_disk_full_action:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82676-8

    References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4

    Description

    The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

    disk_full_action = ACTION
    Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.

    Rationale

    Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

    OVAL test results details

    disk error action  oval:ssg-test_auditd_data_disk_full_action:tst:1  false

    Following items have been found on the system:
    Path | Content
    /etc/audit/auditd.conf | disk_full_action = SUSPEND
    Set number of records to cause an explicit flush to audit logs | xccdf_org.ssgproject.content_rule_auditd_freq | medium | CCE-82512-5

    Set number of records to cause an explicit flush to audit logs

    Rule ID: xccdf_org.ssgproject.content_rule_auditd_freq
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-auditd_freq:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82512-5

    References:  FAU_GEN.1, SRG-OS-000051-GPOS-00024

    Description

    To configure the Audit daemon to issue an explicit flush-to-disk command after writing 50 records, set freq to 50 in /etc/audit/auditd.conf.

    Rationale

    If the freq option isn't set to 50, the flush to disk may happen after a higher number of records, increasing the danger of audit loss.

    OVAL test results details

    tests the value of freq setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_freq:tst:1  true

    Following items have been found on the system:
    Path | Content
    /etc/audit/auditd.conf | freq = 50
    Record Any Attempts to Run restorecon | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon | medium | CCE-82570-3

    Record Any Attempts to Run restorecon

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_restorecon:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82570-3

    References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850

    Description

    At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

    Rationale

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.



    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 2.2.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/restorecon%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            filesystem: root
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_restorecon_execution.rules
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Path | Content
    /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules restorecon  oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1

    audit auditctl restorecon  oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1
    Record Any Attempts to Run chcon | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon | medium | CCE-82569-5

    Record Any Attempts to Run chcon

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_chcon:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82569-5

    References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850

    Description

    At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

    Rationale

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.



    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 2.2.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/chcon%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            filesystem: root
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_chcon_execution.rules
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Path | Content
    /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules chcon  oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1

    audit auditctl chcon  oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1
    Record Any Attempts to Run setfiles | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles | medium | CCE-82572-9

    Record Any Attempts to Run setfiles

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_setfiles:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers:  CCE-82572-9

    References:  CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850

    Description

    At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:

    -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:

    -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

    Rationale

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.



    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 2.2.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/setfiles%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            filesystem: root
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_setfiles_execution.rules
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Path | Content
    /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules setfiles  oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1

    audit auditctl setfiles  oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1
    Record Any Attempts to Run setsebool | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool | medium | CCE-82573-7

    Record Any Attempts to Run setsebool

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_setsebool:def:1
    Time: 2020-05-28T09:49:15+00:00
    Severity: medium
    Identifiers and References

    Identifiers: