Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
with profile NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS

This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. This baseline implements configuration requirements from the following sources:
- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.
Evaluation Characteristics
Evaluation target | Unknown |
---|---|
Target ID | chroot:///host |
Benchmark URL | /content/ssg-ocp4-ds.xml |
Benchmark ID | xccdf_org.ssgproject.content_benchmark_OCP-4 |
Benchmark version | 0.1.51 |
Profile ID | xccdf_org.ssgproject.content_profile_moderate |
Started at | 2020-05-28T09:49:14+00:00 |
Finished at | 2020-05-28T09:50:19+00:00 |
Performed by | unknown user |
Test system | cpe:/a:redhat:openscap:1.3.3 |
CPE Platforms
- cpe:/a:redhat:openshift_container_platform:4.1
Addresses
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 31.787380 | 100.000000 |
Rule Overview
Result Details
Ensure that System Accounts Do Not Run a Shell Upon Login
Rule ID | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_shelllogin_for_systemaccounts:def:1 |
Time | 2020-05-28T09:49:14+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82697-4 References: 5.4.2, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6 |
Description | Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. `$ sudo usermod -s /sbin/nologin SYSACCT` |
Rationale | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. |
Warnings | Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible. |
SYS_UID_MIN not defined in /etc/login.defs oval:ssg-test_sys_uid_min_not_defined:tst:1 false
Following items have been found on the system:
Path: /etc/login.defs
Content:
```
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory. If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
```
SYS_UID_MAX not defined in /etc/login.defs oval:ssg-test_sys_uid_max_not_defined:tst:1 false
Following items have been found on the system:
Path: /etc/login.defs
Content:
```
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory. If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
```
<0, UID_MIN - 1> system UIDs having shell set oval:ssg-test_shell_defined_default_uid_range:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-variable_default_range_quad_expr:var:1 | 1000 |
<0, SYS_UID_MIN> system UIDs having shell set oval:ssg-test_shell_defined_reserved_uid_range:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-variable_reserved_range_quad_expr:var:1 | 799000 |
<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-variable_dynalloc_range_quad_expr:var:1 | 799 |
Direct root Logins Not Allowed
Rule ID | xccdf_org.ssgproject.content_rule_no_direct_root_logins |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_direct_root_logins:def:1 |
Time | 2020-05-28T09:49:14+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82698-2 References: NT28(R19), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.1, 3.1.6, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7 |
Description | To further limit access to the $ sudo echo > /etc/securetty |
Rationale | Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. |
no entries in /etc/securetty oval:ssg-test_no_direct_root_logins:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_direct_root_logins:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/securetty | ^$ | 1 |
/etc/securetty file exists oval:ssg-test_etc_securetty_exists:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_securetty_exists:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/securetty | ^.*$ | 1 |
Verify Only Root Has UID 0
Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
Time | 2020-05-28T09:49:14+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-82699-0 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227 |
Description | If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. |
Rationale | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. |
test that there are no accounts with UID 0 except root in the /etc/passwd file oval:ssg-test_accounts_no_uid_except_root:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Set Account Expiration Following Inactivity
Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
Result | notchecked |
Multi-check rule | no |
Time | 2020-05-28T09:49:14+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82695-8 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, SRG-OS-000003-VMM-000030, SRG-OS-000118-VMM-000590 |
Description | To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in INACTIVE=35. A value of 35 is recommended; however, this profile expects that the value is set to 35. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users. |
Rationale | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. |
Prevent Login to Accounts With Empty Password
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
Time | 2020-05-28T09:49:14+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-82553-9 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_AFL.1, Req-8.2.3, SRG-OS-000480-GPOS-00227 |
Description | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the |
Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
make sure nullok is not used in /etc/pam.d/system-auth oval:ssg-test_no_empty_passwords:tst:1 false
Following items have been found on the system:
Path: /etc/pam.d/system-auth
Content:
```
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
```
Verify No netrc Files Exist
Rule ID | xccdf_org.ssgproject.content_rule_no_netrc_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_netrc_files:def:1 |
Time | 2020-05-28T09:49:14+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82667-7 References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3 |
Description | The |
Rationale | Unencrypted passwords for remote FTP servers may be stored in |
look for .netrc in /home oval:ssg-test_no_netrc_files_home:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object
Behaviors | Path | Filename |
---|---|---|
no value | /home | ^\.netrc$ |
Prevent user from disabling the screen lock
Rule ID | xccdf_org.ssgproject.content_rule_no_tmux_in_shells |
Result | notchecked |
Multi-check rule | no |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | References: FMT_SMF_EXT.1, SRG-OS-000324-GPOS-00125 |
Description | The |
Rationale | Not listing |
Disable debug-shell SystemD Service
Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-service_debug-shell_disabled:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82496-1 References: 3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), FIA_AFL.1, SRG-OS-000324-GPOS-00125 |
Description | SystemD's `$ sudo systemctl disable debug-shell.service` The debug-shell service can be masked with the following command: `$ sudo systemctl mask debug-shell.service` |
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
package systemd is removed oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1 false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
systemd | x86_64 | (none) | 27.el8 | 239 | 0:239-27.el8 | 199e2f91fd431d51 | systemd-0:239-27.el8.x86_64 |
Test that the debug-shell service is not running oval:ssg-test_service_not_running_debug-shell:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type systemdunitproperty_object
Unit | Property |
---|---|
^debug-shell\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service debug-shell is masked oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1 of type systemdunitproperty_object
Unit | Property |
---|---|
^debug-shell\.(service|socket)$ | LoadState |
Test that the property FragmentPath from the service debug-shell is set to /dev/null oval:ssg-test_service_fragmentpath_is_dev_null_debug-shell:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_fragmentpath_is_dev_null_debug-shell:obj:1 of type systemdunitproperty_object
Unit | Property |
---|---|
^debug-shell\.(service|socket)$ | FragmentPath |
Verify that Interactive Boot is Disabled
Rule ID | xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-grub2_disable_interactive_boot:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82551-3 References: 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, SC-2(1), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00227 |
Description | Red Hat OpenShift Container Platform 4 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat OpenShift Container Platform 4 system, interactive boot can be enabled by providing a `systemd.confirm_spawn=(1|yes|true|on)` from the kernel arguments in that file to disable interactive boot. It is also required to change the runtime configuration, run: `/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"` |
Rationale | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. |
Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/default/grub | ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ | 1 |
Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_bootloader_disable_recovery_argument:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/default/grub | ^\s*GRUB_DISABLE_RECOVERY=(.*)$ | 1 |
Require Authentication for Single User Mode
Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-require_singleuser_auth:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82550-5 References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_AFL.1, SRG-OS-000080-GPOS-00048 |
Description | Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. |
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode oval:ssg-test_require_rescue_service:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_require_rescue_service:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/usr/lib/systemd/system/rescue.service | ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" | 1 |
Tests that the systemd rescue.service is in the runlevel1.target oval:ssg-test_require_rescue_service_runlevel1:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/usr/lib/systemd/system/runlevel1.target | Requires=sysinit.target rescue.service |
look for runlevel1.target in /etc/systemd/system oval:ssg-test_no_custom_runlevel1_target:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object
Behaviors | Path | Filename |
---|---|---|
no value | /etc/systemd/system | ^runlevel1.target$ |
look for rescue.service in /etc/systemd/system oval:ssg-test_no_custom_rescue_service:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object
Behaviors | Path | Filename |
---|---|---|
no value | /etc/systemd/system | ^rescue.service$ |
Disable Ctrl-Alt-Del Reboot Activation
Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-disable_ctrlaltdel_reboot:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-82493-8 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 |
Description | By default, `ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target` or `systemctl mask ctrl-alt-del.target` Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates. |
Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
Warnings | Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3. |
Disable Ctrl-Alt-Del key sequence override exists oval:ssg-test_disable_ctrlaltdel_exists:tst:1 false
Following items have been found on the system:
Filepath | Canonical path |
---|---|
/etc/systemd/system/ctrl-alt-del.target | /usr/lib/systemd/system/reboot.target |
Disable Ctrl-Alt-Del Burst Action
Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-disable_ctrlaltdel_burstaction:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-82495-3 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125 |
Description | By default, CtrlAltDelBurstAction=none |
Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
Warnings | warning
Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3. |
check if CtrlAltDelBurstAction is set to none oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/systemd/system.conf | ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ | 1 |
Configure auditd Number of Logs Retained
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_num_logs:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82693-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7 |
Description | Determine how many log files
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. |
Rationale | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
admin space left action oval:ssg-test_auditd_data_retention_num_logs:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | num_logs = 5 |
Configure auditd space_left on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_space_left:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82681-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-001855, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240 |
Description | The space_left = SIZE_in_MB
Set this value to the appropriate size in Megabytes to cause the system to notify the user of an issue. |
Rationale | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
admin space left action oval:ssg-test_auditd_data_retention_space_left:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | space_left = 75 |
Configure auditd space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_space_left_action:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82678-4 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240 |
Description | The space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
Rationale | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
space left action oval:ssg-test_auditd_data_retention_space_left_action:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | space_left_action = SYSLOG |
Set hostname as computer node name in audit logs
Rule ID | xccdf_org.ssgproject.content_rule_auditd_name_format |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_name_format:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82513-3 References: CCI-001851, FAU_GEN.1, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
Description | To configure Audit daemon to use value returned by gethostname
syscall as computer node name in the audit events,
set |
Rationale | If option |
tests the value of name_format setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_name_format:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | name_format = hostname |
Configure auditd admin_space_left Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_admin_space_left_action:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82677-6 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000140, CCI-001343, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134 |
Description | The admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
Rationale | Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. |
space left action oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | admin_space_left_action = SUSPEND |
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file_action:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82680-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7 |
Description | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. These include:
ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive. |
Rationale | Automatically rotating logs (by setting this to |
admin space left action oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | max_log_file_action = ROTATE |
Configure auditd mail_acct Action on Low Disk Space
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_action_mail_acct:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82675-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000343-GPOS-00134, SRG-OS-000046-VMM-000210, SRG-OS-000343-VMM-001240 |
Description | The action_mail_acct = root |
Rationale | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. |
email account for actions oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | action_mail_acct = root |
Configure auditd Max Log File Size
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82694-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7 |
Description | Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data. |
Rationale | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
max log file size oval:ssg-test_auditd_data_retention_max_log_file:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | max_log_file = 8 |
Include Local Events in Audit Logs
Rule ID | xccdf_org.ssgproject.content_rule_auditd_local_events |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_local_events:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82509-1 References: FAU_GEN.1.1.c, SRG-OS-000062-GPOS-00031 |
Description | To configure Audit daemon to include local events in Audit logs, set
|
Rationale | If option |
tests the value of local_events setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_local_events:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | local_events = yes |
tests the absence of local_events setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_local_events_default_not_overriden:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | local_events = |
Configure auditd Disk Error Action on Disk Error
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_disk_error_action:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82679-2 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 |
Description | The disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
Rationale | Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. |
disk full action oval:ssg-test_auditd_data_disk_error_action:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | disk_error_action = SUSPEND |
Resolve information before writing to audit logs
Rule ID | xccdf_org.ssgproject.content_rule_auditd_log_format |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_log_format:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82511-7 References: FAU_GEN.1, SRG-OS-000255-GPOS-00096 |
Description | To configure Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set |
Rationale | If option |
tests the value of log_format setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_log_format:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | log_format = ENRICHED |
Configure auditd flush priority
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_flush |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_retention_flush:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82508-3 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001576, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-11, CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000480-GPOS-00227 |
Description | The flush = incremental_async |
Rationale | Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. |
test the value of flush parameter in /etc/audit/auditd.conf oval:ssg-test_auditd_data_retention_flush:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | flush = DATA |
Write Audit Logs to the Disk
Rule ID | xccdf_org.ssgproject.content_rule_auditd_write_logs |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_write_logs:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82510-9 References: FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227 |
Description | To configure Audit daemon to write Audit logs to the disk, set
|
Rationale | If |
tests the value of write_logs setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_write_logs:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | write_logs = yes |
tests the absence of write_logs setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | write_logs = |
Configure auditd Disk Full Action when Disk Space Is Full
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_data_disk_full_action:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82676-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4 |
Description | The disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
Rationale | Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
disk error action oval:ssg-test_auditd_data_disk_full_action:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | disk_full_action = SUSPEND |
Set number of records to cause an explicit flush to audit logs
Rule ID | xccdf_org.ssgproject.content_rule_auditd_freq |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-auditd_freq:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82512-5 References: FAU_GEN.1, SRG-OS-000051-GPOS-00024 |
Description | To configure Audit daemon to issue an explicit flush to disk command
after writing 50 records, set |
Rationale | If option |
tests the value of freq setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_freq:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/audit/auditd.conf | freq = 50 |
Record Any Attempts to Run restorecon
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_execution_restorecon:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82570-3 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850 |
Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change |
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules restorecon oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl restorecon oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run chcon
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_execution_chcon:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82569-5 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850 |
Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change |
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chcon oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chcon oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setfiles
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_execution_setfiles:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82572-9 References: CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850 |
Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change |
Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setfiles oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setfiles oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setsebool
Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-audit_rules_execution_setsebool:def:1 |
Time | 2020-05-28T09:49:15+00:00 |
Severity | medium |
Identifiers and References | Identifiers: |