xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_moderate

Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

with profile NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. This baseline implements configuration requirements from the following sources: - NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53) For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.

The ComplianceAsCode Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Red Hat OpenShift Container Platform 4. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	Unknown
Target ID	chroot:///host
Benchmark URL	/content/ssg-ocp4-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_OCP-4
Benchmark version	0.1.51
Profile ID	xccdf_org.ssgproject.content_profile_moderate
Started at	2020-05-28T09:49:14+00:00
Finished at	2020-05-28T09:50:19+00:00
Performed by	unknown user
Test system	cpe:/a:redhat:openscap:1.3.3

CPE Platforms

cpe:/a:redhat:openshift_container_platform:4.1

Addresses

Compliance and Scoring

The target system did not satisfy the conditions of 188 rules! Please review rule results and consider applying remediation.

Rule results

52 passed

188 failed

8 other

Severity of failed rules

12 other

8 low

162 medium

6 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	31.787380	100.000000	31.79%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4 188x fail 7x notchecked
System Settings 177x fail 6x notchecked
Account and Access Control 7x fail 2x notchecked
Protect Accounts by Restricting Password-Based Login 2x fail 1x notchecked
Restrict Root Logins 1x fail
Ensure that System Accounts Do Not Run a Shell Upon Login	medium	pass
Direct root Logins Not Allowed	medium	fail
Verify Only Root Has UID 0	high	pass
Set Account Expiration Parameters 1x notchecked
Set Account Expiration Following Inactivity	medium	notchecked
Verify Proper Storage and Existence of Password Hashes 1x fail
Prevent Login to Accounts With Empty Password	high	fail
Verify No netrc Files Exist	medium	pass
Protect Physical Console Access 4x fail 1x notchecked
Configure Screen Locking 1x notchecked
Configure Console Screen Locking 1x notchecked
Prevent user from disabling the screen lock	medium	notchecked
Disable debug-shell SystemD Service	medium	pass
Verify that Interactive Boot is Disabled	medium	fail
Require Authentication for Single User Mode	medium	fail
Disable Ctrl-Alt-Del Reboot Activation	high	fail
Disable Ctrl-Alt-Del Burst Action	high	fail
Warning Banners for System Accesses 1x fail
Modify the System Login Banner	medium	fail
System Accounting with auditd 114x fail
Configure auditd Data Retention 6x fail
Configure auditd Number of Logs Retained	medium	pass
Configure auditd space_left on Low Disk Space	medium	fail
Configure auditd space_left Action on Low Disk Space	medium	fail
Set hostname as computer node name in audit logs	medium	pass
Configure auditd admin_space_left Action on Low Disk Space	medium	fail
Configure auditd max_log_file_action Upon Reaching Maximum Log Size	medium	pass
Configure auditd mail_acct Action on Low Disk Space	medium	pass
Configure auditd Max Log File Size	medium	pass
Include Local Events in Audit Logs	medium	pass
Configure auditd Disk Error Action on Disk Error	medium	fail
Resolve information before writing to audit logs	medium	pass
Configure auditd flush priority	medium	fail
Write Audit Logs to the Disk	medium	pass
Configure auditd Disk Full Action when Disk Space Is Full	medium	fail
Set number of records to cause an explicit flush to audit logs	medium	pass
Configure auditd Rules for Comprehensive Auditing 106x fail
Record Execution Attempts to Run SELinux Privileged Commands 6x fail
Record Any Attempts to Run restorecon	medium	fail
Record Any Attempts to Run chcon	medium	fail
Record Any Attempts to Run setfiles	medium	fail
Record Any Attempts to Run setsebool	medium	fail
Record Any Attempts to Run seunshare	medium	fail
Record Any Attempts to Run semanage	medium	fail
Records Events that Modify Date and Time Information 5x fail
Record Attempts to Alter the localtime File	medium	fail
Record attempts to alter time through settimeofday	medium	fail
Record Attempts to Alter Time Through clock_settime	medium	fail
Record Attempts to Alter Time Through stime	medium	fail
Record attempts to alter time through adjtimex	medium	fail
Record Information on the Use of Privileged Commands 23x fail
Ensure auditd Collects Information on the Use of Privileged Commands - passwd	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - at	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - su	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - sudo	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - mount	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - crontab	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - chage	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - chsh	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - umount	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown	medium	fail
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd	medium	fail
Record Events that Modify the System's Discretionary Access Controls 13x fail
Record Events that Modify the System's Discretionary Access Controls - fchmod	medium	fail
Record Events that Modify the System's Discretionary Access Controls - removexattr	medium	fail
Record Events that Modify the System's Discretionary Access Controls - lsetxattr	medium	fail
Record Events that Modify the System's Discretionary Access Controls - chmod	medium	fail
Record Events that Modify the System's Discretionary Access Controls - lchown	medium	fail
Record Events that Modify the System's Discretionary Access Controls - lremovexattr	medium	fail
Record Events that Modify the System's Discretionary Access Controls - fchownat	medium	fail
Record Events that Modify the System's Discretionary Access Controls - chown	medium	fail
Record Events that Modify the System's Discretionary Access Controls - fchown	medium	fail
Record Events that Modify the System's Discretionary Access Controls - fchmodat	medium	fail
Record Events that Modify the System's Discretionary Access Controls - setxattr	medium	fail
Record Events that Modify the System's Discretionary Access Controls - fsetxattr	medium	fail
Record Events that Modify the System's Discretionary Access Controls - fremovexattr	medium	fail
Record Attempts to Alter Logon and Logout Events 3x fail
Record Attempts to Alter Logon and Logout Events - tallylog	medium	fail
Record Attempts to Alter Logon and Logout Events - lastlog	medium	fail
Record Attempts to Alter Logon and Logout Events - faillock	medium	fail
Record File Deletion Events by User 5x fail
Ensure auditd Collects File Deletion Events by User - rmdir	medium	fail
Ensure auditd Collects File Deletion Events by User - rename	medium	fail
Ensure auditd Collects File Deletion Events by User - unlinkat	medium	fail
Ensure auditd Collects File Deletion Events by User - unlink	medium	fail
Ensure auditd Collects File Deletion Events by User - renameat	medium	fail
Record Unauthorized Access Attempts Events to Files (unsuccessful) 32x fail
Record Unsuccessul Ownership Changes to Files - chown	medium	fail
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly	medium	fail
Record Unsuccessul Permission Changes to Files - chmod	medium	fail
Record Unsuccessul Permission Changes to Files - fchmodat	medium	fail
Record Unsuccessul Permission Changes to Files - removexattr	medium	fail
Record Unsuccessful Creation Attempts to Files - open O_CREAT	medium	fail
Record Unsuccessul Delete Attempts to Files - renameat	medium	fail
Record Unsuccessul Ownership Changes to Files - fchown	medium	fail
Record Unsuccessful Access Attempts to Files - creat	medium	fail
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly	medium	fail
Record Unsuccessul Permission Changes to Files - lremovexattr	medium	fail
Record Unsuccessful Access Attempts to Files - ftruncate	medium	fail
Record Unsuccessul Permission Changes to Files - setxattr	medium	fail
Record Unsuccessul Ownership Changes to Files - fchownat	medium	fail
Record Unsuccessul Permission Changes to Files - fsetxattr	medium	fail
Record Unsuccessful Access Attempts to Files - open	medium	fail
Record Unsuccessul Delete Attempts to Files - unlink	medium	fail
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly	medium	fail
Record Unsuccessful Creation Attempts to Files - openat O_CREAT	medium	fail
Record Unsuccessul Permission Changes to Files - fchmod	medium	fail
Record Unsuccessul Permission Changes to Files - lsetxattr	medium	fail
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE	medium	fail
Record Unsuccessul Delete Attempts to Files - rename	medium	fail
Record Unsuccessful Access Attempts to Files - open_by_handle_at	medium	fail
Record Unsuccessful Access Attempts to Files - truncate	medium	fail
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT	medium	fail
Record Unsuccessul Delete Attempts to Files - unlinkat	medium	fail
Record Unsuccessul Permission Changes to Files - fremovexattr	medium	fail
Record Unsuccessul Ownership Changes to Files - lchown	medium	fail
Record Unsuccessful Access Attempts to Files - openat	medium	fail
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE	medium	fail
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE	medium	fail
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Loading - init_module	medium	pass
Ensure auditd Collects Information on Kernel Module Unloading - delete_module	medium	pass
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module	medium	pass
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group	medium	fail
Make the auditd Configuration Immutable	medium	fail
Record Events that Modify User/Group Information via openat syscall - /etc/shadow	medium	fail
Ensure auditd Collects Information on Exporting to Media (successful)	medium	fail
Record Attempts to Alter Process and Session Initiation Information	medium	fail
Ensure auditd Collects System Administrator Actions	medium	fail
System Audit Logs Must Have Mode 0750 or Less Permissive	unknown	pass
Record Events that Modify User/Group Information via open syscall - /etc/gshadow	medium	fail
Record Events that Modify User/Group Information via openat syscall - /etc/group	medium	fail
Record Events that Modify User/Group Information via openat syscall - /etc/gshadow	medium	fail
Record Access Events to Audit Log Directory	medium	fail
Record Events that Modify User/Group Information - /etc/passwd	medium	pass
System Audit Logs Must Have Mode 0640 or Less Permissive	medium	pass
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow	medium	fail
Record Events that Modify User/Group Information - /etc/security/opasswd	medium	pass
Record Events that Modify User/Group Information - /etc/gshadow	medium	pass
Record Events that Modify User/Group Information via open syscall - /etc/group	medium	fail
Record Events that Modify the System's Mandatory Access Controls	medium	fail
System Audit Logs Must Be Owned By Root	medium	pass
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd	medium	fail
Record Events that Modify User/Group Information via open syscall - /etc/shadow	medium	fail
Record Events that Modify User/Group Information via openat syscall - /etc/passwd	medium	fail
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow	medium	fail
Record Events that Modify the System's Network Environment	medium	fail
Record Events that Modify User/Group Information via open syscall - /etc/passwd	medium	fail
Record Events that Modify User/Group Information - /etc/group	medium	pass
Record Events that Modify User/Group Information - /etc/shadow	medium	pass
Ensure the audit Subsystem is Installed	medium	pass
Enable auditd Service	high	pass
Enable Auditing for Processes Which Start Prior to the Audit Daemon	medium	fail
Extend Audit Backlog Limit for the Audit Daemon	medium	fail
Installing and Maintaining Software 6x fail 2x notchecked
System and Software Integrity 6x fail 2x notchecked
Software Integrity Checking 2x notchecked
Verify Integrity with RPM 2x notchecked
Verify and Correct Ownership with RPM	high	notchecked
Verify and Correct File Permissions with RPM	high	notchecked
Federal Information Processing Standard (FIPS) 2x fail
Enable FIPS Mode	high	fail
Enable Dracut FIPS Module	medium	fail
System Cryptographic Policies 4x fail
Harden SSHD Crypto Policy	medium	fail
Configure OpenSSL library to use System Crypto Policy	medium	fail
Harden SSH client Crypto Policy	medium	fail
Configure SSH to use System Crypto Policy	medium	pass
Configure Kerberos to use System Crypto Policy	medium	pass
Configure System Cryptography Policy	high	fail
Sudo
Install sudo Package	medium	pass
GRUB2 bootloader configuration 2x fail
Enable Kernel Page-Table Isolation (KPTI)	high	fail
Set the UEFI Boot Loader Password	medium	fail
Network Configuration and Firewalls 26x fail 1x notchecked
IPv6 6x fail
Configure IPv6 Settings if Necessary 6x fail
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	fail
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default	unknown	fail
Configure Accepting Router Advertisements on All IPv6 Interfaces	unknown	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	fail
Kernel Parameters Which Affect Networking 13x fail
Network Parameters for Hosts Only 2x fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	fail
Network Related Kernel Runtime Parameters for Hosts and Routers 11x fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	pass
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	medium	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	unknown	fail
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	unknown	fail
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	medium	fail
Configure Kernel Parameter for Accepting Secure Redirects By Default	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	fail
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default	unknown	fail
Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces	medium	fail
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces	medium	fail
Uncommon Network Protocols 5x fail
Disable ATM Support	medium	fail
Disable IEEE 1394 (FireWire) Support	medium	fail
Disable CAN Support	medium	fail
Disable TIPC Support	medium	fail
Disable SCTP Support	medium	fail
iptables and ip6tables
Install iptables Package	medium	pass
Wireless Networking 1x fail 1x notchecked
Disable Wireless Through Software Configuration 1x fail 1x notchecked
Disable Bluetooth Service	medium	pass
Deactivate Wireless Network Interfaces	medium	pass
Disable WiFi or Bluetooth in BIOS	unknown	notchecked
Disable Bluetooth Kernel Module	medium	fail
Prevent non-Privileged Users from Modifying Network Interfaces using nmcli	medium	fail
Configure Syslog 1x fail
Ensure All Logs are Rotated by logrotate 1x fail
Ensure Logrotate Runs Periodically	medium	fail
SELinux
Ensure SELinux State is Enforcing	high	pass
Configure SELinux Policy	high	pass
Ensure No Daemons are Unconfined by SELinux	medium	pass
Ensure SELinux Not Disabled in /etc/default/grub	medium	pass
File Permissions and Masks 21x fail 1x notchecked
Restrict Dynamic Mounting and Unmounting of Filesystems 10x fail 1x notchecked
Disable the Automounter	medium	pass
Disable Mounting of jffs2	low	fail
Disable Mounting of vFAT filesystems	low	fail
Disable Modprobe Loading of USB Storage Driver	medium	fail
Disable Mounting of hfsplus	low	fail
Disable Booting from USB Devices in Boot Firmware	unknown	notchecked
Disable Mounting of hfs	low	fail
Disable Mounting of cramfs	low	fail
Disable Mounting of udf	low	fail
Disable Kernel Support for USB via Bootloader Configuration	unknown	fail
Disable Mounting of freevxfs	low	fail
Disable Mounting of squashfs	low	fail
Verify Permissions on Important Files and Directories
Enable Kernel Parameter to Enforce DAC on Symlinks	unknown	pass
Enable Kernel Parameter to Enforce DAC on Hardlinks	unknown	pass
Restrict Programs from Dangerous Execution Patterns 11x fail
Disable Core Dumps 4x fail
Disable acquiring, saving, and processing core dumps	unknown	fail
Disable Core Dumps for All Users	unknown	fail
Disable storing core dump	unknown	fail
Disable core dump backtraces	unknown	fail
Memory Poisoning 1x fail
Enable page allocator poisoning	medium	fail
Enable ExecShield
Restrict Exposed Kernel Pointer Addresses Access	medium	pass
Disable Kernel Image Loading	medium	fail
Disallow kernel profiling by unprivileged users	medium	fail
Restrict usage of ptrace to descendant processes	medium	fail
Harden the operation of the BPF just-in-time compiler	medium	fail
Restrict Access to Kernel Message Buffer	medium	fail
Disable vsyscalls	info	informational
Disable storing core dumps	unknown	pass
Disable Access to Network bpf() Syscall From Unprivileged Processes	medium	fail
Services 11x fail 1x notchecked
Network Time Protocol 4x fail
Enable the NTP Daemon	medium	pass
Specify Additional Remote NTP Servers	medium	fail
Disable network management of chrony daemon	unknown	fail
Disable chrony daemon from acting as server	unknown	fail
Specify a Remote NTP Server	medium	pass
Configure Time Service Maxpoll Interval	medium	fail
Hardware RNG Entropy Gatherer Daemon 1x fail
Enable the Hardware RNG Entropy Gatherer Service	medium	fail
System Security Services Daemon 1x fail
Configure SSSD to run as user sssd	medium	fail
SSH Server 1x fail 1x notchecked
Configure OpenSSH Server if Necessary 1x fail 1x notchecked
Set SSH Client Alive Max Count	medium	fail
Disable SSH Support for .rhosts Files	medium	pass
Set SSH Idle Timeout Interval	medium	pass
Limit Users' SSH Access	unknown	notchecked
Verify Permissions on SSH Server config file	medium	pass
Verify Owner on SSH Server config file	medium	pass
Verify Permissions on SSH Server Private *_key Key Files	medium	pass
Verify Permissions on SSH Server Public *.pub Key Files	medium	pass
Verify Group Who Owns SSH Server config file	medium	pass
USBGuard daemon 4x fail
Install usbguard Package	medium	fail
Enable the USBGuard Service	medium	fail
Log USBGuard daemon audit events using Linux Audit	medium	fail
Authorize Human Interface Devices and USB hubs in USBGuard daemon	medium	fail

Result Details

Ensure that System Accounts Do Not Run a Shell Upon Login

Rule ID	xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_shelllogin_for_systemaccounts:def:1
Time	2020-05-28T09:49:14+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82697-4 References: 5.4.2, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6
Description	Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. The login shell for each local account is stored in the last field of each line in `/etc/passwd`. System accounts are those user accounts with a user ID less than UID_MIN, where value of UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command: $ sudo usermod -s /sbin/nologin SYSACCT
Rationale	Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
Warnings	warning Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.

OVAL test results details

SYS_UID_MIN not defined in /etc/login.defs oval:ssg-test_sys_uid_min_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/login.defs	# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # REQUIRED # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201

SYS_UID_MAX not defined in /etc/login.defs oval:ssg-test_sys_uid_max_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/login.defs	# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # REQUIRED # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999

<0, UID_MIN - 1> system UIDs having shell set oval:ssg-test_shell_defined_default_uid_range:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_default_range_quad_expr:var:1	1000

SYS_UID_MIN not defined in /etc/login.defs oval:ssg-test_sys_uid_min_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/login.defs	# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # REQUIRED # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201

SYS_UID_MAX not defined in /etc/login.defs oval:ssg-test_sys_uid_max_not_defined:tst:1 false

Following items have been found on the system:

Path	Content
/etc/login.defs	# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # REQUIRED # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999

<0, SYS_UID_MIN> system UIDs having shell set oval:ssg-test_shell_defined_reserved_uid_range:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_reserved_range_quad_expr:var:1	799000

<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_dynalloc_range_quad_expr:var:1	799

Direct root Logins Not Allowed

Rule ID	xccdf_org.ssgproject.content_rule_no_direct_root_logins
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_direct_root_logins:def:1
Time	2020-05-28T09:49:14+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82698-2 References: NT28(R19), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.1, 3.1.6, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7
Description	To further limit access to the `root` account, administrators can disable root logins at the console by editing the `/etc/securetty` file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat OpenShift Container Platform 4's `/etc/securetty` file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command: $ sudo echo > /etc/securetty
Rationale	Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.
Remediation Shell script ⇲ `echo > /etc/securetty`
Remediation script ⇲ `apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 2.2.0 storage: files: - contents: source: data:, filesystem: root mode: 0600 path: /etc/securetty`

OVAL test results details

no entries in /etc/securetty oval:ssg-test_no_direct_root_logins:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_direct_root_logins:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/securetty	^$	1

/etc/securetty file exists oval:ssg-test_etc_securetty_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_securetty_exists:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/securetty	^.*$	1

Verify Only Root Has UID 0

Rule ID	xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-accounts_no_uid_except_zero:def:1
Time	2020-05-28T09:49:14+00:00
Severity	high
Identifiers and References	Identifiers: CCE-82699-0 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227
Description	If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
Rationale	An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

OVAL test results details

test that there are no accounts with UID 0 except root in the /etc/passwd file oval:ssg-test_accounts_no_uid_except_root:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/passwd	^(?!root:)[^:]:[^:]:0	1

Set Account Expiration Following Inactivity

Rule ID	xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
Result	notchecked
Multi-check rule	no
Time	2020-05-28T09:49:14+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82695-8 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, SRG-OS-000003-VMM-000030, SRG-OS-000118-VMM-000590
Description	To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in `/etc/default/useradd`, substituting `NUM_DAYS` appropriately: INACTIVE=35 A value of 35 is recommended; however, this profile expects that the value is set to `35`. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the `useradd` man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
Rationale	Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Evaluation messages info No candidate or applicable check found.

Prevent Login to Accounts With Empty Password

Rule ID	xccdf_org.ssgproject.content_rule_no_empty_passwords
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_empty_passwords:def:1
Time	2020-05-28T09:49:14+00:00
Severity	high
Identifiers and References	Identifiers: CCE-82553-9 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_AFL.1, Req-8.2.3, SRG-OS-000480-GPOS-00227
Description	If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the `nullok` option in `/etc/pam.d/system-auth` to prevent logins with empty passwords.
Rationale	If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Remediation script ⇲ apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 2.2.0 storage: files: - contents: source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A filesystem: root mode: 0644 path: /etc/pam.d/password-auth - contents: source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A filesystem: root mode: 0644 path: /etc/pam.d/system-auth

OVAL test results details

make sure nullok is not used in /etc/pam.d/system-auth oval:ssg-test_no_empty_passwords:tst:1 false

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

Verify No netrc Files Exist

Rule ID	xccdf_org.ssgproject.content_rule_no_netrc_files
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_netrc_files:def:1
Time	2020-05-28T09:49:14+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82667-7 References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
Description	The `.netrc` files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any `.netrc` files should be removed.
Rationale	Unencrypted passwords for remote FTP servers may be stored in `.netrc` files.

OVAL test results details

look for .netrc in /home oval:ssg-test_no_netrc_files_home:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object

Behaviors	Path	Filename
no value	/home	^\.netrc$

Prevent user from disabling the screen lock

Rule ID	xccdf_org.ssgproject.content_rule_no_tmux_in_shells
Result	notchecked
Multi-check rule	no
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	References: FMT_SMF_EXT.1, SRG-OS-000324-GPOS-00125
Description	The `tmux` terminal multiplexer is used to implement autimatic session locking. It should not be listed in `/etc/shells`.
Rationale	Not listing `tmux` among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock.
Evaluation messages info No candidate or applicable check found.

Disable debug-shell SystemD Service

Rule ID	xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_debug-shell_disabled:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82496-1 References: 3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), FIA_AFL.1, SRG-OS-000324-GPOS-00125
Description	SystemD's `debug-shell` service is intended to diagnose SystemD related boot issues with various `systemctl` commands. Once enabled and following a system reboot, the root shell will be available on `tty9` which is access by pressing `CTRL-ALT-F9`. The `debug-shell` service should only be used for SystemD related issues and should otherwise be disabled. By default, the `debug-shell` SystemD service is already disabled. The `debug-shell` service can be disabled with the following command: $ sudo systemctl disable debug-shell.service The `debug-shell` service can be masked with the following command: $ sudo systemctl mask debug-shell.service
Rationale	This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

OVAL test results details

package systemd is removed oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
systemd	x86_64	(none)	27.el8	239	0:239-27.el8	199e2f91fd431d51	systemd-0:239-27.el8.x86_64

Test that the debug-shell service is not running oval:ssg-test_service_not_running_debug-shell:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type systemdunitproperty_object

Unit	Property
^debug-shell\.(service\|socket)$	ActiveState

Test that the property LoadState from the service debug-shell is masked oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1 of type systemdunitproperty_object

Unit	Property
^debug-shell\.(service\|socket)$	LoadState

Test that the property FragmentPath from the service debug-shell is set to /dev/null oval:ssg-test_service_fragmentpath_is_dev_null_debug-shell:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_fragmentpath_is_dev_null_debug-shell:obj:1 of type systemdunitproperty_object

Unit	Property
^debug-shell\.(service\|socket)$	FragmentPath

Verify that Interactive Boot is Disabled

Rule ID	xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-grub2_disable_interactive_boot:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82551-3 References: 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, SC-2(1), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00227
Description	Red Hat OpenShift Container Platform 4 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat OpenShift Container Platform 4 system, interactive boot can be enabled by providing a `1`, `yes`, `true`, or `on` value to the `systemd.confirm_spawn` kernel argument in `/etc/default/grub`. Remove any instance of systemd.confirm_spawn=(1\|yes\|true\|on) from the kernel arguments in that file to disable interactive boot. It is also required to change the runtime configuration, run: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
Rationale	Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

OVAL test results details

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/grub	^\sGRUB_CMDLINE_LINUX=".systemd.confirm_spawn=(?:1\|yes\|true\|on).*$	1

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/grub	^\sGRUB_CMDLINE_LINUX_DEFAULT=".systemd.confirm_spawn=(?:1\|yes\|true\|on).*$	1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_bootloader_disable_recovery_argument:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/grub	^\sGRUB_DISABLE_RECOVERY=(.)$	1

Require Authentication for Single User Mode

Rule ID xccdf_org.ssgproject.content_rule_require_singleuser_auth

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-require_singleuser_auth:def:1

Time 2020-05-28T09:49:15+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82550-5

References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_AFL.1, SRG-OS-000080-GPOS-00048

Description

Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: require single user mode password
  lineinfile:
    create: true
    dest: /usr/lib/systemd/system/rescue.service
    regexp: ^#?ExecStart=
    line: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block
      default"
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - require_singleuser_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82550-5
    - NIST-800-53-IA-2
    - NIST-800-53-AC-3
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.4.5

OVAL test results details

Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode oval:ssg-test_require_rescue_service:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_require_rescue_service:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/usr/lib/systemd/system/rescue.service	^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"	1

Tests that the systemd rescue.service is in the runlevel1.target oval:ssg-test_require_rescue_service_runlevel1:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/runlevel1.target	Requires=sysinit.target rescue.service

look for runlevel1.target in /etc/systemd/system oval:ssg-test_no_custom_runlevel1_target:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object

Behaviors	Path	Filename
no value	/etc/systemd/system	^runlevel1.target$

look for rescue.service in /etc/systemd/system oval:ssg-test_no_custom_rescue_service:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object

Behaviors	Path	Filename
no value	/etc/systemd/system	^rescue.service$

Disable Ctrl-Alt-Del Reboot Activation

Rule ID	xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-disable_ctrlaltdel_reboot:def:1
Time	2020-05-28T09:49:15+00:00
Severity	high
Identifiers and References	Identifiers: CCE-82493-8 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
Description	By default, `SystemD` will reboot the system if the `Ctrl-Alt-Del` key sequence is pressed. To configure the system to ignore the `Ctrl-Alt-Del` key sequence from the command line instead of rebooting the system, do either of the following: ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target or systemctl mask ctrl-alt-del.target Do not simply delete the `/usr/lib/systemd/system/ctrl-alt-del.service` file, as this file may be restored during future system updates.
Rationale	A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Warnings	warning Disabling the `Ctrl-Alt-Del` key sequence in `/etc/init/control-alt-delete.conf` DOES NOT disable the `Ctrl-Alt-Del` key sequence if running in `runlevel 6` (e.g. in GNOME, KDE, etc.)! The `Ctrl-Alt-Del` key sequence will only be disabled if running in the non-graphical `runlevel 3`.

OVAL test results details

Disable Ctrl-Alt-Del key sequence override exists oval:ssg-test_disable_ctrlaltdel_exists:tst:1 false

Following items have been found on the system:

Filepath	Canonical path
/etc/systemd/system/ctrl-alt-del.target	/usr/lib/systemd/system/reboot.target

Disable Ctrl-Alt-Del Burst Action

Rule ID	xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-disable_ctrlaltdel_burstaction:def:1
Time	2020-05-28T09:49:15+00:00
Severity	high
Identifiers and References	Identifiers: CCE-82495-3 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125
Description	By default, `SystemD` will reboot the system if the `Ctrl-Alt-Del` key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. To configure the system to ignore the `CtrlAltDelBurstAction` setting, add or modify the following to `/etc/systemd/system.conf`: CtrlAltDelBurstAction=none
Rationale	A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Warnings	warning Disabling the `Ctrl-Alt-Del` key sequence in `/etc/init/control-alt-delete.conf` DOES NOT disable the `Ctrl-Alt-Del` key sequence if running in `runlevel 6` (e.g. in GNOME, KDE, etc.)! The `Ctrl-Alt-Del` key sequence will only be disabled if running in the non-graphical `runlevel 3`.
Remediation script ⇲ `apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 2.2.0 storage: files: - contents: source: data:,CtrlAltDelBurstAction%3Dnone filesystem: root mode: 0644 path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf`

OVAL test results details

check if CtrlAltDelBurstAction is set to none oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/system.conf	^[\s]CtrlAltDelBurstAction[\s]=[\s]*none$	1

Modify the System Login Banner

Rule ID	xccdf_org.ssgproject.content_rule_banner_etc_issue
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-banner_etc_issue:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82555-4 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070
Description	To configure the system login banner edit `/etc/issue`. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR: `I've read & consent to terms in IS user agreem't.`
Rationale	Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

OVAL test results details

correct banner in /etc/issue oval:ssg-test_banner_etc_issue:tst:1 false

Following items have been found on the system:

Path	Content
/etc/issue	\S \S{VERSION_ID}

Configure auditd Number of Logs Retained

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_num_logs:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82693-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7
Description	Determine how many log files `auditd` should retain when it rotates logs. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting NUMLOGS with the correct value of 5: num_logs = NUMLOGS Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
Rationale	The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

OVAL test results details

admin space left action oval:ssg-test_auditd_data_retention_num_logs:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	num_logs = 5

Configure auditd space_left on Low Disk Space

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_space_left:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82681-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-001855, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240
Description	The `auditd` service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting SIZE_in_MB appropriately: space_left = SIZE_in_MB Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.
Rationale	Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

OVAL test results details

admin space left action oval:ssg-test_auditd_data_retention_space_left:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	space_left = 75

Configure auditd space_left Action on Low Disk Space

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_space_left_action:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82678-4 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240
Description	The `auditd` service can be configured to take an action when disk space starts to run low. Edit the file `/etc/audit/auditd.conf`. Modify the following line, substituting ACTION appropriately: space_left_action = ACTION Possible values for ACTION are described in the `auditd.conf` man page. These include: `syslog` `email` `exec` `suspend` `single` `halt` Set this to `email` (instead of the default, which is `suspend`) as it is more likely to get prompt attention. Acceptable values also include `suspend`, `single`, and `halt`.
Rationale	Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

OVAL test results details

space left action oval:ssg-test_auditd_data_retention_space_left_action:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	space_left_action = SYSLOG

Set hostname as computer node name in audit logs

Rule ID	xccdf_org.ssgproject.content_rule_auditd_name_format
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_name_format:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82513-3 References: CCI-001851, FAU_GEN.1, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
Description	To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set `name_format` to `hostname` in `/etc/audit/auditd.conf`.
Rationale	If option `name_format` is left at its default value of `none`, audit events from different computers may be hard to distinguish.

OVAL test results details

tests the value of name_format setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_name_format:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	name_format = hostname

Configure auditd admin_space_left Action on Low Disk Space

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_admin_space_left_action:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82677-6 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000140, CCI-001343, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134
Description	The `auditd` service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting ACTION appropriately: admin_space_left_action = ACTION Set this value to `single` to cause the system to switch to single user mode for corrective action. Acceptable values also include `suspend` and `halt`. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the `auditd.conf` man page.
Rationale	Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

OVAL test results details

space left action oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	admin_space_left_action = SUSPEND

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_max_log_file_action:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82680-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7
Description	The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by `auditd`, add or correct the line in `/etc/audit/auditd.conf`: max_log_file_action = ACTION Possible values for ACTION are described in the `auditd.conf` man page. These include: `syslog` `suspend` `rotate` `keep_logs` Set the `ACTION` to `rotate` to ensure log rotation occurs. This is the default. The setting is case-insensitive.
Rationale	Automatically rotating logs (by setting this to `rotate`) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, `keep_logs` can be employed.

OVAL test results details

admin space left action oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	max_log_file_action = ROTATE

Configure auditd mail_acct Action on Low Disk Space

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_action_mail_acct:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82675-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000343-GPOS-00134, SRG-OS-000046-VMM-000210, SRG-OS-000343-VMM-001240
Description	The `auditd` service can be configured to send email to a designated account in certain situations. Add or correct the following line in `/etc/audit/auditd.conf` to ensure that administrators are notified via email for those situations: action_mail_acct = root
Rationale	Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

OVAL test results details

email account for actions oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	action_mail_acct = root

Configure auditd Max Log File Size

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_max_log_file:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82694-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7
Description	Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting the correct value of 6 for STOREMB: max_log_file = STOREMB Set the value to `6` (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
Rationale	The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

OVAL test results details

max log file size oval:ssg-test_auditd_data_retention_max_log_file:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	max_log_file = 8

Include Local Events in Audit Logs

Rule ID	xccdf_org.ssgproject.content_rule_auditd_local_events
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_local_events:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82509-1 References: FAU_GEN.1.1.c, SRG-OS-000062-GPOS-00031
Description	To configure Audit daemon to include local events in Audit logs, set `local_events` to `yes` in `/etc/audit/auditd.conf`. This is the default setting.
Rationale	If option `local_events` isn't set to `yes` only events from network will be aggregated.

OVAL test results details

tests the value of local_events setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_local_events:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	local_events = yes

tests the absence of local_events setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_local_events_default_not_overriden:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	local_events =

Configure auditd Disk Error Action on Disk Error

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_disk_error_action:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82679-2 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
Description	The `auditd` service can be configured to take an action when there is a disk error. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting ACTION appropriately: disk_error_action = ACTION Set this value to `single` to cause the system to switch to single-user mode for corrective action. Acceptable values also include `syslog`, `exec`, `single`, and `halt`. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the `auditd.conf` man page.
Rationale	Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.

OVAL test results details

disk full action oval:ssg-test_auditd_data_disk_error_action:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	disk_error_action = SUSPEND

Resolve information before writing to audit logs

Rule ID	xccdf_org.ssgproject.content_rule_auditd_log_format
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_log_format:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82511-7 References: FAU_GEN.1, SRG-OS-000255-GPOS-00096
Description	To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set `log_format` to `ENRICHED` in `/etc/audit/auditd.conf`.
Rationale	If option `log_format` isn't set to `ENRICHED`, the audit records will be stored in a format exactly as the kernel sends them.

OVAL test results details

tests the value of log_format setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_log_format:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	log_format = ENRICHED

Configure auditd flush priority

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_flush
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_flush:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82508-3 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001576, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-11, CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000480-GPOS-00227
Description	The `auditd` service can be configured to synchronously write audit event data to disk. Add or correct the following line in `/etc/audit/auditd.conf` to ensure that audit event data is fully synchronized with the log files on the disk: flush = incremental_async
Rationale	Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.
Remediation script ⇲ apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 2.2.0 storage: files: - contents: source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20DATA%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20ROTATE%0Aspace_left%20%3D%2075%0Aspace_left_action%20%3D%20SYSLOG%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20SUSPEND%0Adisk_full_action%20%3D%20SUSPEND%0Adisk_error_action%20%3D%20SUSPEND%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20SYSLOG%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d%0A filesystem: root mode: 0640 path: /etc/audit/auditd.conf

OVAL test results details

test the value of flush parameter in /etc/audit/auditd.conf oval:ssg-test_auditd_data_retention_flush:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	flush = DATA

Write Audit Logs to the Disk

Rule ID	xccdf_org.ssgproject.content_rule_auditd_write_logs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_write_logs:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82510-9 References: FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227
Description	To configure Audit daemon to write Audit logs to the disk, set `write_logs` to `yes` in `/etc/audit/auditd.conf`. This is the default setting.
Rationale	If `write_logs` isn't set to `yes`, the Audit logs will not be written to the disk.

OVAL test results details

tests the value of write_logs setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_write_logs:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	write_logs = yes

tests the absence of write_logs setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	write_logs =

Configure auditd Disk Full Action when Disk Space Is Full

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_disk_full_action:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82676-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
Description	The `auditd` service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file `/etc/audit/auditd.conf`. Add or modify the following line, substituting ACTION appropriately: disk_full_action = ACTION Set this value to `single` to cause the system to switch to single-user mode for corrective action. Acceptable values also include `syslog`, `exec`, `single`, and `halt`. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the `auditd.conf` man page.
Rationale	Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

OVAL test results details

disk error action oval:ssg-test_auditd_data_disk_full_action:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	disk_full_action = SUSPEND

Set number of records to cause an explicit flush to audit logs

Rule ID	xccdf_org.ssgproject.content_rule_auditd_freq
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_freq:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-82512-5 References: FAU_GEN.1, SRG-OS-000051-GPOS-00024
Description	To configure Audit daemon to issue an explicit flush to disk command after writing 50 records, set `freq` to `50` in `/etc/audit/auditd.conf`.
Rationale	If option `freq` isn't set to `50`, the flush to disk may happen after higher number of records, increasing the danger of audit loss.

OVAL test results details

tests the value of freq setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_freq:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	freq = 50

Record Any Attempts to Run restorecon

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_rules_execution_restorecon:def:1

Time 2020-05-28T09:49:15+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82570-3

References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850

Description

At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

Rationale

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Remediation script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/restorecon%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        filesystem: root
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_restorecon_execution.rules

OVAL test results details

audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/auditd.service	ExecStartPost=-/sbin/augenrules --load

audit augenrules restorecon oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/audit/rules\.d/.*\.rules$	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295\|unset)[\s]+(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/usr/lib/systemd/system/auditd.service	^ExecStartPost=\-\/sbin\/auditctl.*$	1

audit auditctl restorecon oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295\|unset)[\s]+(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Any Attempts to Run chcon

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_rules_execution_chcon:def:1

Time 2020-05-28T09:49:15+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82569-5

Description

At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

Rationale

Remediation script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/chcon%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        filesystem: root
        mode: 0644
        path: /etc/audit/rules.d/75-usr_bin_chcon_execution.rules

OVAL test results details

audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/auditd.service	ExecStartPost=-/sbin/augenrules --load

audit augenrules chcon oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/audit/rules\.d/.*\.rules$	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295\|unset)[\s]+(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/usr/lib/systemd/system/auditd.service	^ExecStartPost=\-\/sbin\/auditctl.*$	1

audit auditctl chcon oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295\|unset)[\s]+(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Any Attempts to Run setfiles

Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_rules_execution_setfiles:def:1

Time 2020-05-28T09:49:15+00:00

Severity medium

Identifiers and References

Identifiers: CCE-82572-9

References: CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850

Description

At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change

Rationale

Remediation script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/setfiles%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
        filesystem: root
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_setfiles_execution.rules

OVAL test results details

audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/auditd.service	ExecStartPost=-/sbin/augenrules --load

audit augenrules setfiles oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
^/etc/audit/rules\.d/.*\.rules$	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295\|unset)[\s]+(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/usr/lib/systemd/system/auditd.service	^ExecStartPost=\-\/sbin\/auditctl.*$	1

audit auditctl setfiles oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/audit/audit.rules	^[\s]-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295\|unset)[\s]+(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]$	1

Record Any Attempts to Run setsebool

Rule ID	xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_rules_execution_setsebool:def:1
Time	2020-05-28T09:49:15+00:00
Severity	medium
Identifiers and References	Identifiers: