Result Details

Ensure that System Accounts Do Not Run a Shell Upon Login
Rule ID: xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-no_shelllogin_for_systemaccounts:def:1
Time: 2020-05-28T09:49:14+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82697-4
References:
5.4.2 , 1 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , 7 , 8 , DSS01.03 , DSS03.05 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 6.2 , A.12.4.1 , A.12.4.3 , A.6.1.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , AC-6 , CM-6(a) , DE.CM-1 , DE.CM-3 , PR.AC-1 , PR.AC-4 , PR.AC-6
Description
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than UID_MIN, where the value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:

$ sudo usermod -s /sbin/nologin SYSACCT

Rationale
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
Warning
Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
OVAL test results details

SYS_UID_MIN not defined in /etc/login.defs
oval:ssg-test_sys_uid_min_not_defined:tst:1
Result: false. Following items have been found on the system:
Path: /etc/login.defs
Content:
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX not defined in /etc/login.defs
oval:ssg-test_sys_uid_max_not_defined:tst:1
Result: false. Following items have been found on the system:
Path: /etc/login.defs
Content:
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
<0, UID_MIN - 1> system UIDs having shell set
oval:ssg-test_shell_defined_default_uid_range:tst:1
Result: true. Following items have been found on the system:
Var ref: oval:ssg-variable_default_range_quad_expr:var:1  Value: 1000
<0, SYS_UID_MIN> system UIDs having shell set
oval:ssg-test_shell_defined_reserved_uid_range:tst:1
Result: true. Following items have been found on the system:
Var ref: oval:ssg-variable_reserved_range_quad_expr:var:1  Value: 799000

<SYS_UID_MIN, SYS_UID_MAX> system UIDs having shell set
oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1
Result: true. Following items have been found on the system:
Var ref: oval:ssg-variable_dynalloc_range_quad_expr:var:1  Value: 799
Direct root Logins Not Allowed
Rule ID: xccdf_org.ssgproject.content_rule_no_direct_root_logins
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-no_direct_root_logins:def:1
Time: 2020-05-28T09:49:14+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82698-2
References:
NT28(R19) , 1 , 12 , 15 , 16 , 5 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.03 , DSS06.10 , 3.1.1 , 3.1.6 , 164.308(a)(1)(ii)(B) , 164.308(a)(7)(i) , 164.308(a)(7)(ii)(A) , 164.310(a)(1) , 164.310(a)(2)(i) , 164.310(a)(2)(ii) , 164.310(a)(2)(iii) , 164.310(b) , 164.310(c) , 164.310(d)(1) , 164.310(d)(2)(iii) , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.2 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , A.18.1.4 , A.7.1.1 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.2 , A.9.4.3 , IA-2 , CM-6(a) , PR.AC-1 , PR.AC-6 , PR.AC-7
Description
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log in to. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or via a raw network interface. This is dangerous, as a user can log in to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat OpenShift Container Platform 4's /etc/securetty file only allows the root user to log in at the console physically attached to the system. To prevent direct root logins, remove the contents of this file by typing the following command (the redirection must run with root privileges, so it is wrapped in a root shell):

$ sudo sh -c 'echo > /etc/securetty'

Rationale
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first log in, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.
OVAL test results details

no entries in /etc/securetty
oval:ssg-test_no_direct_root_logins:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_no_direct_root_logins:obj:1 of type textfilecontent54_object
Filepath: /etc/securetty  Pattern: ^$  Instance: 1

/etc/securetty file exists
oval:ssg-test_etc_securetty_exists:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_etc_securetty_exists:obj:1 of type textfilecontent54_object
Filepath: /etc/securetty  Pattern: ^.*$  Instance: 1
Verify Only Root Has UID 0
Rule ID: xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-accounts_no_uid_except_zero:def:1
Time: 2020-05-28T09:49:14+00:00
Severity: high
Identifiers and References
Identifiers:
CCE-82699-0
References:
1 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , APO01.06 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.02 , DSS06.03 , DSS06.10 , 3.1.1 , 3.1.5 , CCI-000366 , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.18.1.4 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , IA-2 , AC-6(5) , IA-4(b) , PR.AC-1 , PR.AC-4 , PR.AC-6 , PR.AC-7 , PR.DS-5 , SRG-OS-000480-GPOS-00227
Description
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID greater than "1000" that has not already been assigned.

Rationale
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
OVAL test results details

test that there are no accounts with UID 0 except root in the /etc/passwd file
oval:ssg-test_accounts_no_uid_except_root:tst:1
Result: true. No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
Filepath: /etc/passwd  Pattern: ^(?!root:)[^:]*:[^:]*:0  Instance: 1
Set Account Expiration Following Inactivity
Rule ID: xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
Result:
Multi-check rule: no
Time: 2020-05-28T09:49:14+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82695-8
References:
1 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , 7 , 8 , 5.6.2.1.1 , DSS01.03 , DSS03.05 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.03 , DSS06.10 , 3.5.6 , CCI-000017 , CCI-000795 , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 6.2 , A.12.4.1 , A.12.4.3 , A.18.1.4 , A.6.1.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , IA-4(e) , AC-2(3) , CM-6(a) , DE.CM-1 , DE.CM-3 , PR.AC-1 , PR.AC-4 , PR.AC-6 , PR.AC-7 , Req-8.1.4 , SRG-OS-000118-GPOS-00060 , SRG-OS-000003-VMM-000030 , SRG-OS-000118-VMM-000590
Description
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:

INACTIVE=35

A value of 35 is recommended; however, this profile expects that the value is set to 35. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

Rationale
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Evaluation messages (info)
No candidate or applicable check found.
Prevent Login to Accounts With Empty Password
Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-no_empty_passwords:def:1
Time: 2020-05-28T09:49:14+00:00
Severity: high
Identifiers and References
Identifiers:
CCE-82553-9
References:
1 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , 5.5.2 , APO01.06 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.02 , DSS06.03 , DSS06.10 , 3.1.1 , 3.1.5 , CCI-000366 , 164.308(a)(1)(ii)(B) , 164.308(a)(7)(i) , 164.308(a)(7)(ii)(A) , 164.310(a)(1) , 164.310(a)(2)(i) , 164.310(a)(2)(ii) , 164.310(a)(2)(iii) , 164.310(b) , 164.310(c) , 164.310(d)(1) , 164.310(d)(2)(iii) , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.18.1.4 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , IA-5(1)(a) , IA-5(c) , CM-6(a) , PR.AC-1 , PR.AC-4 , PR.AC-6 , PR.AC-7 , PR.DS-5 , FIA_AFL.1 , Req-8.2.3 , SRG-OS-000480-GPOS-00227
Description
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

Rationale
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

OVAL test results details

make sure nullok is not used in /etc/pam.d/system-auth
oval:ssg-test_no_empty_passwords:tst:1
Result: false. Following items have been found on the system:
Path: /etc/pam.d/system-auth
Content:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
Verify No netrc Files Exist
Rule ID: xccdf_org.ssgproject.content_rule_no_netrc_files
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-no_netrc_files:def:1
Time: 2020-05-28T09:49:14+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82667-7
References:
1 , 11 , 12 , 14 , 15 , 16 , 18 , 3 , 5 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.03 , DSS06.06 , DSS06.10 , CCI-000196 , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , A.18.1.4 , A.6.1.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , IA-5(h) , IA-5(1)(c) , CM-6(a) , IA-5(7) , PR.AC-1 , PR.AC-4 , PR.AC-6 , PR.AC-7 , PR.PT-3
Description
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers, making them susceptible to access by unauthorized users, and should not be used. Any .netrc files should be removed.

Rationale
Unencrypted passwords for remote FTP servers may be stored in .netrc files.

OVAL test results details

look for .netrc in /home
oval:ssg-test_no_netrc_files_home:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object
Behaviors: no value  Path: /home  Filename: ^\.netrc$
Prevent user from disabling the screen lock
Rule ID: xccdf_org.ssgproject.content_rule_no_tmux_in_shells
Result:
Multi-check rule: no
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
References:
FMT_SMF_EXT.1 , SRG-OS-000324-GPOS-00125
Description
The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.

Rationale
Not listing tmux among permitted shells prevents a malicious program running as the user from lowering security by disabling the screen lock.

Evaluation messages (info)
No candidate or applicable check found.
Disable debug-shell SystemD Service
Rule ID: xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-service_debug-shell_disabled:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82496-1
References:
3.4.5 , 164.308(a)(1)(ii)(B) , 164.308(a)(7)(i) , 164.308(a)(7)(ii)(A) , 164.310(a)(1) , 164.310(a)(2)(i) , 164.310(a)(2)(ii) , 164.310(a)(2)(iii) , 164.310(b) , 164.310(c) , 164.310(d)(1) , 164.310(d)(2)(iii) , FIA_AFL.1 , SRG-OS-000324-GPOS-00125
Description
SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9, which is accessed by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled. By default, the debug-shell SystemD service is already disabled.

The debug-shell service can be disabled with the following command:

$ sudo systemctl disable debug-shell.service

The debug-shell service can be masked with the following command:

$ sudo systemctl mask debug-shell.service

Rationale
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
OVAL test results details

package systemd is removed
oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1
Result: false. Following items have been found on the system:
Name: systemd  Arch: x86_64  Epoch: (none)  Release: 27.el8  Version: 239  Evr: 0:239-27.el8  Signature keyid: 199e2f91fd431d51  Extended name: systemd-0:239-27.el8.x86_64

Test that the debug-shell service is not running
oval:ssg-test_service_not_running_debug-shell:tst:1
Result: true. No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type systemdunitproperty_object
Unit: ^debug-shell\.(service|socket)$  Property: ActiveState

Test that the property LoadState from the service debug-shell is masked
oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1
Result: true. No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1 of type systemdunitproperty_object
Unit: ^debug-shell\.(service|socket)$  Property: LoadState

Test that the property FragmentPath from the service debug-shell is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_debug-shell:tst:1
Result: true. No items have been found conforming to the following objects:
Object oval:ssg-obj_service_fragmentpath_is_dev_null_debug-shell:obj:1 of type systemdunitproperty_object
Unit: ^debug-shell\.(service|socket)$  Property: FragmentPath
Verify that Interactive Boot is Disabled
Rule ID: xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-grub2_disable_interactive_boot:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82551-3
References:
11 , 12 , 14 , 15 , 16 , 18 , 3 , 5 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , DSS06.06 , 3.1.2 , 3.4.5 , CCI-000213 , 164.308(a)(1)(ii)(B) , 164.308(a)(7)(i) , 164.308(a)(7)(ii)(A) , 164.310(a)(1) , 164.310(a)(2)(i) , 164.310(a)(2)(ii) , 164.310(a)(2)(iii) , 164.310(b) , 164.310(c) , 164.310(d)(1) , 164.310(d)(2)(iii) , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , A.6.1.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , SC-2(1) , CM-6(a) , PR.AC-4 , PR.AC-6 , PR.PT-3 , FIA_AFL.1 , SRG-OS-000480-GPOS-00227
Description
Red Hat OpenShift Container Platform 4 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat OpenShift Container Platform 4 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from the kernel arguments in that file to disable interactive boot. It is also required to change the runtime configuration; run:

/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"

Rationale
Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
OVAL test results details

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1
Result: true. No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub  Pattern: ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$  Instance: 1

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1
Result: true. No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub  Pattern: ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$  Instance: 1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_bootloader_disable_recovery_argument:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub  Pattern: ^\s*GRUB_DISABLE_RECOVERY=(.*)$  Instance: 1
Require Authentication for Single User Mode
Rule ID: xccdf_org.ssgproject.content_rule_require_singleuser_auth
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-require_singleuser_auth:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82550-5
References:
1 , 11 , 12 , 14 , 15 , 16 , 18 , 3 , 5 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.03 , DSS06.06 , DSS06.10 , 3.1.1 , 3.4.5 , CCI-000213 , 164.308(a)(1)(ii)(B) , 164.308(a)(7)(i) , 164.308(a)(7)(ii)(A) , 164.310(a)(1) , 164.310(a)(2)(i) , 164.310(a)(2)(ii) , 164.310(a)(2)(iii) , 164.310(b) , 164.310(c) , 164.310(d)(1) , 164.310(d)(2)(iii) , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , A.18.1.4 , A.6.1.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , IA-2 , AC-3 , CM-6(a) , PR.AC-1 , PR.AC-4 , PR.AC-6 , PR.AC-7 , PR.PT-3 , FIA_AFL.1 , SRG-OS-000080-GPOS-00048
Description
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.

Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
OVAL test results details

Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_rescue_service:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-obj_require_rescue_service:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/rescue.service  Pattern: ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"  Instance: 1

Tests that the systemd rescue.service is in the runlevel1.target
oval:ssg-test_require_rescue_service_runlevel1:tst:1
Result: true. Following items have been found on the system:
Path: /usr/lib/systemd/system/runlevel1.target
Content: Requires=sysinit.target rescue.service

look for runlevel1.target in /etc/systemd/system
oval:ssg-test_no_custom_runlevel1_target:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object
Behaviors: no value  Path: /etc/systemd/system  Filename: ^runlevel1.target$

look for rescue.service in /etc/systemd/system
oval:ssg-test_no_custom_rescue_service:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object
Behaviors: no value  Path: /etc/systemd/system  Filename: ^rescue.service$
Disable Ctrl-Alt-Del Reboot Activation
Rule ID: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-disable_ctrlaltdel_reboot:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: high
Identifiers and References
Identifiers:
CCE-82493-8
References:
12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , APO01.06 , DSS05.04 , DSS05.07 , DSS06.02 , 3.4.5 , CCI-000366 , 164.308(a)(1)(ii)(B) , 164.308(a)(7)(i) , 164.308(a)(7)(ii)(A) , 164.310(a)(1) , 164.310(a)(2)(i) , 164.310(a)(2)(ii) , 164.310(a)(2)(iii) , 164.310(b) , 164.310(c) , 164.310(d)(1) , 164.310(d)(2)(iii) , 4.3.3.7.3 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-6(a) , AC-6(1) , PR.AC-4 , PR.DS-5 , SRG-OS-000324-GPOS-00125 , SRG-OS-000480-GPOS-00227
Description By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
Rationale A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to an unintentional reboot.
Warnings warning
Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.
OVAL test results details
Disable Ctrl-Alt-Del key sequence override exists
oval:ssg-test_disable_ctrlaltdel_exists:tst:1
false Following items have been found on the system: Filepath Canonical path /etc/systemd/system/ctrl-alt-del.target /usr/lib/systemd/system/reboot.target
Disable Ctrl-Alt-Del Burst Action xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction high CCE-82495-3
Disable Ctrl-Alt-Del Burst Action Rule ID xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction Result Multi-check rule no OVAL Definition ID oval:ssg-disable_ctrlaltdel_burstaction:def:1 Time 2020-05-28T09:49:15+00:00 Severity high Identifiers and References Identifiers:
CCE-82495-3
References:
12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , APO01.06 , DSS05.04 , DSS05.07 , DSS06.02 , 3.4.5 , CCI-000366 , 164.308(a)(1)(ii)(B) , 164.308(a)(7)(i) , 164.308(a)(7)(ii)(A) , 164.310(a)(1) , 164.310(a)(2)(i) , 164.310(a)(2)(ii) , 164.310(a)(2)(iii) , 164.310(b) , 164.310(c) , 164.310(d)(1) , 164.310(d)(2)(iii) , 4.3.3.7.3 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-6(a) , AC-6(1) , CM-6(a) , PR.AC-4 , PR.DS-5 , SRG-OS-000324-GPOS-00125
Description By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed more than 7 times in 2 seconds.
To configure the system to take no action on such a Ctrl-Alt-Del burst, add or modify the following line in /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
Rationale A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to an unintentional reboot.
Warnings warning
Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.
OVAL test results details
check if CtrlAltDelBurstAction is set to none
oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/systemd/system.conf ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ 1
Modify the System Login Banner xccdf_org.ssgproject.content_rule_banner_etc_issue medium CCE-82555-4
Modify the System Login Banner Rule ID xccdf_org.ssgproject.content_rule_banner_etc_issue Result Multi-check rule no OVAL Definition ID oval:ssg-banner_etc_issue:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82555-4
References:
1 , 12 , 15 , 16 , DSS05.04 , DSS05.10 , DSS06.10 , 3.1.9 , CCI-000048 , CCI-000050 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , SR 1.1 , SR 1.10 , SR 1.2 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , A.18.1.4 , A.9.2.1 , A.9.2.4 , A.9.3.1 , A.9.4.2 , A.9.4.3 , AC-8(a) , AC-8(c) , PR.AC-7 , FMT_MOF_EXT.1 , SRG-OS-000023-GPOS-00006 , SRG-OS-000024-GPOS-00007 , SRG-OS-000023-VMM-000060 , SRG-OS-000024-VMM-000070
Description To configure the system login banner, edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.
Rationale Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist.
OVAL test results details
correct banner in /etc/issue
oval:ssg-test_banner_etc_issue:tst:1
false Following items have been found on the system: Path Content /etc/issue \S \S{VERSION_ID}
Configure auditd Number of Logs Retained xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs medium CCE-82693-3
Configure auditd Number of Logs Retained Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_retention_num_logs:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82693-3
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO11.04 , APO12.06 , BAI03.05 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , 3.3.1 , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , AU-11 , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.7
Description Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of 5:
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
Rationale The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum log
file size and the number of logs retained.
OVAL test results details
admin space left action
oval:ssg-test_auditd_data_retention_num_logs:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf num_logs = 5
Configure auditd space_left on Low Disk Space xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left medium CCE-82681-8
Configure auditd space_left on Low Disk Space Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_retention_space_left:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82681-8
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI04.04 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , CCI-001855 , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 7.1 , SR 7.2 , A.12.1.3 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.17.2.1 , AU-5(b) , AU-5(2) , AU-5(1) , AU-5(4) , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.DS-4 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.7 , SRG-OS-000343-GPOS-00134 , SRG-OS-000343-VMM-001240
Description The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MB
Set this value to the remaining size, in megabytes, at which the system should notify the user of an issue.
Rationale Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption.
OVAL test results details
admin space left action
oval:ssg-test_auditd_data_retention_space_left:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf space_left = 75
Configure auditd space_left Action on Low Disk Space xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action medium CCE-82678-4
Configure auditd space_left Action on Low Disk Space Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_retention_space_left_action:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82678-4
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI04.04 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , 3.3.1 , CCI-001855 , 164.312(a)(2)(ii) , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 7.1 , SR 7.2 , A.12.1.3 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.17.2.1 , AU-5(b) , AU-5(2) , AU-5(1) , AU-5(4) , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.DS-4 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.7 , SRG-OS-000343-GPOS-00134 , SRG-OS-000343-VMM-001240
Description The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
syslog
email
exec
suspend
single
halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
Rationale Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.
OVAL test results details
space left action
oval:ssg-test_auditd_data_retention_space_left_action:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf space_left_action = SYSLOG
Set hostname as computer node name in audit logs xccdf_org.ssgproject.content_rule_auditd_name_format medium CCE-82513-3
Set hostname as computer node name in audit logs Rule ID xccdf_org.ssgproject.content_rule_auditd_name_format Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_name_format:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82513-3
References:
CCI-001851 , FAU_GEN.1 , SRG-OS-000039-GPOS-00017 , SRG-OS-000342-GPOS-00133 , SRG-OS-000479-GPOS-00224
Description To configure the Audit daemon to use the value returned by the gethostname syscall as the computer node name in audit events, set name_format to hostname in /etc/audit/auditd.conf.
Rationale If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish.
OVAL test results details
tests the value of name_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_name_format:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf name_format = hostname
Configure auditd admin_space_left Action on Low Disk Space xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action medium CCE-82677-6
Configure auditd admin_space_left Action on Low Disk Space Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_retention_admin_space_left_action:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82677-6
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI04.04 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , 3.3.1 , CCI-000140 , CCI-001343 , CCI-001855 , 164.312(a)(2)(ii) , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 7.1 , SR 7.2 , A.12.1.3 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.17.2.1 , AU-5(b) , AU-5(2) , AU-5(1) , AU-5(4) , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.DS-4 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.7 , SRG-OS-000343-GPOS-00134
Description The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur.
OVAL test results details
space left action
oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf admin_space_left_action = SUSPEND
Configure auditd max_log_file_action Upon Reaching Maximum Log Size xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action medium CCE-82680-0
Configure auditd max_log_file_action Upon Reaching Maximum Log Size Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_retention_max_log_file_action:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82680-0
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI04.04 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , 164.312(a)(2)(ii) , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 7.1 , SR 7.2 , A.12.1.3 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.17.2.1 , AU-5(b) , AU-5(2) , AU-5(1) , AU-5(4) , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.DS-4 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.7
Description The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
syslog
suspend
rotate
keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.
Rationale Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
OVAL test results details
admin space left action
oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf max_log_file_action = ROTATE
Configure auditd mail_acct Action on Low Disk Space xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct medium CCE-82675-0
Configure auditd mail_acct Action on Low Disk Space Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_retention_action_mail_acct:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82675-0
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI04.04 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , 3.3.1 , CCI-000139 , CCI-001855 , 164.312(a)(2)(ii) , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 7.1 , SR 7.2 , A.12.1.3 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.17.2.1 , IA-5(1) , AU-5(a) , AU-5(2) , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.DS-4 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.7.a , SRG-OS-000343-GPOS-00134 , SRG-OS-000046-VMM-000210 , SRG-OS-000343-VMM-001240
Description The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = root
Rationale Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
OVAL test results details
email account for actions
oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf action_mail_acct = root
Configure auditd Max Log File Size xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file medium CCE-82694-1
Configure auditd Max Log File Size Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_retention_max_log_file:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82694-1
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO11.04 , APO12.06 , BAI03.05 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , AU-11 , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.7
Description Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
Rationale The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained.
OVAL test results details
max log file size
oval:ssg-test_auditd_data_retention_max_log_file:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf max_log_file = 8
Include Local Events in Audit Logs xccdf_org.ssgproject.content_rule_auditd_local_events medium CCE-82509-1
Include Local Events in Audit Logs Rule ID xccdf_org.ssgproject.content_rule_auditd_local_events Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_local_events:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82509-1
References:
FAU_GEN.1.1.c , SRG-OS-000062-GPOS-00031
Description To configure the Audit daemon to include local events in Audit logs, set local_events to yes in /etc/audit/auditd.conf. This is the default setting.
Rationale If option local_events isn't set to yes, only events from the network will be aggregated.
OVAL test results details
tests the value of local_events setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_local_events:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf local_events = yes
tests the absence of local_events setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_local_events_default_not_overriden:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf local_events =
Configure auditd Disk Error Action on Disk Error xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action medium CCE-82679-2
Configure auditd Disk Error Action on Disk Error Rule ID xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_disk_error_action:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82679-2
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI04.04 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 7.1 , SR 7.2 , A.12.1.3 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.17.2.1 , AU-5(b) , AU-5(2) , AU-5(1) , AU-5(4) , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.DS-4 , PR.PT-1 , RS.AN-1 , RS.AN-4
Description The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale Taking appropriate action in case of disk errors will minimize the possibility of
losing audit records.
OVAL test results details
disk full action
oval:ssg-test_auditd_data_disk_error_action:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf disk_error_action = SUSPEND
Resolve information before writing to audit logs xccdf_org.ssgproject.content_rule_auditd_log_format medium CCE-82511-7
Resolve information before writing to audit logs Rule ID xccdf_org.ssgproject.content_rule_auditd_log_format Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_log_format:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82511-7
References:
FAU_GEN.1 , SRG-OS-000255-GPOS-00096
Description To configure the Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.
Rationale If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them.
OVAL test results details
tests the value of log_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_log_format:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf log_format = ENRICHED
Configure auditd flush priority xccdf_org.ssgproject.content_rule_auditd_data_retention_flush medium CCE-82508-3
Configure auditd flush priority Rule ID xccdf_org.ssgproject.content_rule_auditd_data_retention_flush Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_retention_flush:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82508-3
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.3.1 , CCI-001576 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-11 , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000480-GPOS-00227
Description The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:
flush = incremental_async
Rationale Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.
OVAL test results details
test the value of flush parameter in /etc/audit/auditd.conf
oval:ssg-test_auditd_data_retention_flush:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf flush = DATA
Write Audit Logs to the Disk xccdf_org.ssgproject.content_rule_auditd_write_logs medium CCE-82510-9
Write Audit Logs to the Disk Rule ID xccdf_org.ssgproject.content_rule_auditd_write_logs Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_write_logs:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82510-9
References:
FAU_GEN.1.1.c , SRG-OS-000480-GPOS-00227
Description To configure the Audit daemon to write Audit logs to the disk, set write_logs to yes in /etc/audit/auditd.conf. This is the default setting.
Rationale If write_logs isn't set to yes, the Audit logs will not be written to the disk.
OVAL test results details
tests the value of write_logs setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_write_logs:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf write_logs = yes
tests the absence of write_logs setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf write_logs =
Configure auditd Disk Full Action when Disk Space Is Full xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action medium CCE-82676-8
Configure auditd Disk Full Action when Disk Space Is Full Rule ID xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_data_disk_full_action:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82676-8
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI04.04 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , MEA02.01 , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 7.1 , SR 7.2 , A.12.1.3 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.17.2.1 , AU-5(b) , AU-5(2) , AU-5(1) , AU-5(4) , CM-6(a) , DE.AE-3 , DE.AE-5 , PR.DS-4 , PR.PT-1 , RS.AN-1 , RS.AN-4
Description The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale Taking appropriate action in case of a filled audit storage volume will minimize
the possibility of losing audit records.
OVAL test results details
disk error action
oval:ssg-test_auditd_data_disk_full_action:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf disk_full_action = SUSPEND
Set number of records to cause an explicit flush to audit logs xccdf_org.ssgproject.content_rule_auditd_freq medium CCE-82512-5
Set number of records to cause an explicit flush to audit logs Rule ID xccdf_org.ssgproject.content_rule_auditd_freq Result Multi-check rule no OVAL Definition ID oval:ssg-auditd_freq:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82512-5
References:
FAU_GEN.1 , SRG-OS-000051-GPOS-00024
Description To configure the Audit daemon to issue an explicit flush-to-disk command after writing 50 records, set freq to 50 in /etc/audit/auditd.conf.
Rationale If option freq isn't set to 50, the flush to disk may happen only after a higher number of records, increasing the danger of audit loss.
OVAL test results details
tests the value of freq setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_freq:tst:1
true Following items have been found on the system: Path Content /etc/audit/auditd.conf freq = 50
Record Any Attempts to Run restorecon xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon medium CCE-82570-3
Record Any Attempts to Run restorecon Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_execution_restorecon:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82570-3
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000392-GPOS-00172 , SRG-OS-000463-GPOS-00207 , SRG-OS-000465-GPOS-00209 , SRG-OS-000463-VMM-001850
Description At a minimum, the audit system should collect any execution attempt of the restorecon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
The scan's check also accepts the older spelling -F auid!=4294967295 for the same filter (4294967295 is the unsigned value of the unset login UID), and -k KEY in place of -F key=KEY.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules restorecon
oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl restorecon
oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-82569-5
Record Any Attempts to Run chcon Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_execution_chcon:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82569-5
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000392-GPOS-00172 , SRG-OS-000463-GPOS-00207 , SRG-OS-000465-GPOS-00209 , SRG-OS-000463-VMM-001850
Description At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules chcon
oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl chcon
oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Any Attempts to Run setfilesxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles mediumCCE-82572-9
Record Any Attempts to Run setfiles Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_execution_setfiles:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82572-9
References:
CCI-000172 , CCI-002884 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , SRG-OS-000392-GPOS-00172 , SRG-OS-000463-GPOS-00207 , SRG-OS-000465-GPOS-00209 , SRG-OS-000463-VMM-001850
Description At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules setfiles
oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl setfiles
oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool mediumCCE-82573-7
Record Any Attempts to Run setsebool Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_execution_setsebool:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82573-7
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000392-GPOS-00172 , SRG-OS-000463-GPOS-00207 , SRG-OS-000465-GPOS-00209 , SRG-OS-000463-VMM-001850
Description At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules setsebool
oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl setsebool
oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Any Attempts to Run seunsharexccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare mediumCCE-82574-5
Record Any Attempts to Run seunshare Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_execution_seunshare:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82574-5
References:
CCI-000172 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c , SRG-OS-000463-VMM-001850
Description At a minimum, the audit system should collect any execution attempt of the seunshare command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules seunshare
oval:ssg-test_audit_rules_execution_seunshare_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_seunshare_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl seunshare
oval:ssg-test_audit_rules_execution_seunshare_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_seunshare_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage mediumCCE-82571-1
Record Any Attempts to Run semanage Rule ID xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_execution_semanage:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82571-1
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000392-GPOS-00172 , SRG-OS-000463-GPOS-00207 , SRG-OS-000465-GPOS-00209 , SRG-OS-000463-VMM-001850
Description At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules semanage
oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl semanage
oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
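The six rules above (restorecon, chcon, setfiles, setsebool, seunshare, semanage) all failed for the same reason: augenrules is in use, but no file under /etc/audit/rules.d carries the privileged-command line. The following is an added example, not code from the SCAP Security Guide or OpenSCAP. It writes all six lines into one rules.d file and checks them with a grep equivalent of the scanner's pattern, which accepts both auid!=unset and auid!=4294967295 and either -k KEY or -F key=KEY. The rules directory is a parameter so the functions run on a scratch directory; the file name 30-selinux-priv-change.rules is an assumption (augenrules merges every *.rules file in the directory). load_and_verify is the only part that needs root and a running auditd, and the demo does not call it.

```shell
#!/bin/sh
# Generate and verify the privileged-command audit rules for the SELinux
# tools covered by the scan. Added example, not SCAP Security Guide code.
# Assumes the binaries sit at the paths the rules quote and augenrules is used.

# Binaries and paths exactly as the six rules quote them.
SELINUX_TOOLS='/usr/sbin/restorecon /usr/bin/chcon /usr/sbin/setfiles /usr/sbin/setsebool /usr/sbin/seunshare /usr/sbin/semanage'

# priv_change_rule PATH: one rule line in the form the rules expect.
# auid>=1000 skips system accounts, auid!=unset skips processes that never
# went through a login session (e.g. daemons started at boot).
priv_change_rule() {
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change"
}

# write_selinux_rules RULESDIR: writes all six lines into one .rules file
# (file name is an assumption) and prints its path.
write_selinux_rules() {
    out="$1/30-selinux-priv-change.rules"
    : > "$out"
    for p in $SELINUX_TOOLS; do priv_change_rule "$p" >> "$out"; done
    echo "$out"
}

# has_exec_rule RULESDIR PATH: the scanner's pattern as a grep ERE, applied to
# every *.rules file. Accepts auid!=4294967295 or auid!=unset and -k or -F key=,
# and requires a non-empty key, exactly as the OVAL object does.
has_exec_rule() {
    pat='^[[:space:]]*-a[[:space:]]+always,exit[[:space:]]+-F[[:space:]]+path='"$2"'[[:space:]]+-F[[:space:]]+perm=x[[:space:]]+-F[[:space:]]+auid>=1000[[:space:]]+-F[[:space:]]+auid!=(4294967295|unset)[[:space:]]+(-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+[[:space:]]*$'
    cat "$1"/*.rules 2>/dev/null | grep -Eq "$pat"
}

# missing_exec_rules RULESDIR: prints each tool path that still lacks a rule.
missing_exec_rules() {
    for p in $SELINUX_TOOLS; do has_exec_rule "$1" "$p" || echo "$p"; done
}

# load_and_verify: root only. augenrules --load merges rules.d into
# /etc/audit/audit.rules and loads it; auditctl -l then shows the live rules.
load_and_verify() {
    augenrules --load >/dev/null && auditctl -l | grep -c 'privileged-priv_change'
}

# demo: before/after on a scratch rules directory (no root needed).
demo() {
    d=$(mktemp -d)
    echo "missing before: $(missing_exec_rules "$d" | wc -l | tr -d ' ')"
    write_selinux_rules "$d" >/dev/null
    echo "missing after:  $(missing_exec_rules "$d" | wc -l | tr -d ' ')"
    rm -rf "$d"
}
demo
```

On a real host, call write_selinux_rules /etc/audit/rules.d as root, then load_and_verify; a result of 6 from auditctl -l confirms the kernel has all six rules, which is what the scan's augenrules branch will read back from rules.d on the next run.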
Record Attempts to Alter the localtime Filexccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime mediumCCE-82618-0
Record Attempts to Alter the localtime File Rule ID xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_time_watch_localtime:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82618-0
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-001487 , CCI-000169 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.4.2.b
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
Rationale Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit /etc/localtime watch augenrules
oval:ssg-test_artw_etc_localtime_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_artw_etc_localtime_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit /etc/localtime watch auditctl
oval:ssg-test_artw_etc_localtime_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_artw_etc_localtime_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record attempts to alter time through settimeofdayxccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday mediumCCE-82616-4
Record attempts to alter time through settimeofday Rule ID xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_time_settimeofday:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82616-4
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-001487 , CCI-000169 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.4.2.b
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64-bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The b32 line is still needed on a 64-bit system: a 32-bit binary enters the kernel through the 32-bit syscall table and would otherwise go unrecorded.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64-bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport; -k KEY is shorthand for -F key=KEY, the form used in the lines above. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
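The localtime watch rule and the settimeofday syscall rule above differ from the privileged-command rules in two ways the scanner cares about: the syscall rule is checked once per architecture word size, and the scanner accepts settimeofday either alone after -S or inside a comma-separated list such as the combined adjtimex,settimeofday example. The following is an added example, not code from the SCAP Security Guide or OpenSCAP. It emits the watch line and the b32 line for every machine, adds the b64 line only for the 64-bit machine types the scan probes (x86_64, ppc64, ppc64le, aarch64), and checks a rules file with grep equivalents of the two OVAL patterns. The machine type is a parameter (uname -m in the demo), and the combined adjtimex,settimeofday form is used because the page shows it; the key name audit_time_rules is the page's own.

```shell
#!/bin/sh
# Time-change audit rules: /etc/localtime watch plus per-architecture
# settimeofday syscall rules. Added example, not SCAP Security Guide code.
# Assumes uname -m names the machine type and that augenrules is in use.

# arches_for MACHINE: "b32" on 32-bit machines, "b32 b64" on the 64-bit
# types the scan probes. The b32 rule stays on 64-bit hosts so that 32-bit
# binaries calling settimeofday are still recorded.
arches_for() {
    case "$1" in
        x86_64|ppc64|ppc64le|aarch64) echo "b32 b64" ;;
        *) echo "b32" ;;
    esac
}

# time_rules MACHINE: prints the rule lines for that machine type, using the
# combined syscall form the page shows (adjtimex,settimeofday on one line).
time_rules() {
    echo '-w /etc/localtime -p wa -k audit_time_rules'
    for a in $(arches_for "$1"); do
        echo "-a always,exit -F arch=$a -S adjtimex,settimeofday -F key=audit_time_rules"
    done
}

# has_syscall_rule FILE ARCH SYSCALL: grep ERE form of the OVAL pattern.
# Matches "-S SYSCALL" on its own or SYSCALL inside a comma-separated list,
# and requires a key (-k KEY or -F key=KEY).
has_syscall_rule() {
    pat='^[[:space:]]*-a[[:space:]]+always,exit[[:space:]]+-F[[:space:]]+arch='"$2"'.*(-S[[:space:]]+'"$3"'[[:space:]]+|([[:space:]]+|,)'"$3"'([[:space:]]+|,)).*(-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+[[:space:]]*$'
    grep -Eq "$pat" "$1"
}

# has_localtime_watch FILE: -w /etc/localtime whose -p contains both w and a
# (r and x may be present too) followed by a key, as the OVAL pattern requires.
has_localtime_watch() {
    grep -Eq '^[[:space:]]*-w[[:space:]]+/etc/localtime[[:space:]]+-p[[:space:]]+([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)[[:space:]]+.*(-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+[[:space:]]*$' "$1"
}

# missing_time_rules FILE MACHINE: prints one line per check the scanner
# would fail for this machine type (empty output means compliant).
missing_time_rules() {
    has_localtime_watch "$1" || echo "watch:/etc/localtime"
    for a in $(arches_for "$2"); do
        has_syscall_rule "$1" "$a" settimeofday || echo "syscall:$a:settimeofday"
    done
}

# demo: before/after on a scratch rules file for this machine (no root needed).
demo() {
    f=$(mktemp)
    m=$(uname -m)
    echo "$m: missing before: $(missing_time_rules "$f" "$m" | wc -l | tr -d ' ')"
    time_rules "$m" > "$f"
    echo "$m: missing after:  $(missing_time_rules "$f" "$m" | wc -l | tr -d ' ')"
    # On a real host: copy $f to /etc/audit/rules.d/NN-time.rules (name is a
    # site choice) and run augenrules --load as root.
    rm -f "$f"
}
demo
```

Because the check is per architecture, a 64-bit host with only the b32 line still fails the 64-bit test, which is the state the report's "64 bit architecture" entries are probing for; missing_time_rules reports exactly that case as syscall:b64:settimeofday.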
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit settimeofday
oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit settimeofday
oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit settimeofday
oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit settimeofday
oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Attempts to Alter Time Through clock_settime xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime medium CCE-82615-6
Record Attempts to Alter Time Through clock_settime Rule ID xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_time_clock_settime:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82615-6
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-001487 , CCI-000169 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.4.2.b
Description If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add the following line to
a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit clock_settime
oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit clock_settime
oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit clock_settime
oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit clock_settime
oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$
Instance: 1
Record Attempts to Alter Time Through stime xccdf_org.ssgproject.content_rule_audit_rules_time_stime medium CCE-82617-2
Record Attempts to Alter Time Through stime Rule ID xccdf_org.ssgproject.content_rule_audit_rules_time_stime Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_time_stime:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82617-2
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-001487 , CCI-000169 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.4.2.b
Description If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add the following line to
a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit
and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the auditd
daemon is configured to use the auditctl utility to read audit rules during
daemon startup, add the following line to the /etc/audit/audit.rules file for
both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but this is not
required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
OVAL test results details
32 bit architecture
oval:ssg-test_system_info_architecture_x86:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit stime
oval:ssg-test_32bit_art_stime_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_art_stime_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit stime
oval:ssg-test_32bit_art_stime_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_art_stime_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record attempts to alter time through adjtimex xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex medium CCE-82614-9
Record attempts to alter time through adjtimex Rule ID xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_time_adjtimex:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82614-9
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-001487 , CCI-000169 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.4.2.b
Description If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add the following line to
a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but this
is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit adjtimex
oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit adjtimex
oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit adjtimex
oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit adjtimex
oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - passwd xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd medium CCE-82600-8
Ensure auditd Collects Information on the Use of Privileged Commands - passwd Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_privileged_commands_passwd:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82600-8
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add a line of the following form to
/etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - at xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at medium CCE-82590-1
Ensure auditd Collects Information on the Use of Privileged Commands - at Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_privileged_commands_at:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82590-1
References:
CCI-000172 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add a line of the following form to
/etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules at
oval:ssg-test_audit_rules_privileged_commands_at_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_at_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl at
oval:ssg-test_audit_rules_privileged_commands_at_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_at_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - su xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su medium CCE-82605-7
Ensure auditd Collects Information on the Use of Privileged Commands - su Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_privileged_commands_su:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82605-7
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000130 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000037-GPOS-00015 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000462-GPOS-00206 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1): true. Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
audit augenrules su (oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules:obj:1 of type textfilecontent54_object; Filepath ^/etc/audit/rules\.d/.*\.rules$; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object; Filepath /usr/lib/systemd/system/auditd.service; Pattern ^ExecStartPost=\-\/sbin\/auditctl.*$; Instance 1
audit auditctl su (oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl:obj:1 of type textfilecontent54_object; Filepath /etc/audit/audit.rules; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check | Result | Multi-check rule no | OVAL Definition ID oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1 | Time 2020-05-28T09:49:15+00:00 | Severity medium
Identifiers and References
Identifiers:
CCE-82599-2
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1): true. Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
audit augenrules pam_timestamp_check (oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules:obj:1 of type textfilecontent54_object; Filepath ^/etc/audit/rules\.d/.*\.rules$; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object; Filepath /usr/lib/systemd/system/auditd.service; Pattern ^ExecStartPost=\-\/sbin\/auditctl.*$; Instance 1
audit auditctl pam_timestamp_check (oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl:obj:1 of type textfilecontent54_object; Filepath /etc/audit/audit.rules; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo | Result | Multi-check rule no | OVAL Definition ID oval:ssg-audit_rules_privileged_commands_sudo:def:1 | Time 2020-05-28T09:49:15+00:00 | Severity medium
Identifiers and References
Identifiers:
CCE-82606-5
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000130 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000037-GPOS-00015 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000462-GPOS-00206 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1): true. Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
audit augenrules sudo (oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules:obj:1 of type textfilecontent54_object; Filepath ^/etc/audit/rules\.d/.*\.rules$; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object; Filepath /usr/lib/systemd/system/auditd.service; Pattern ^ExecStartPost=\-\/sbin\/auditctl.*$; Instance 1
audit auditctl sudo (oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1 of type textfilecontent54_object; Filepath /etc/audit/audit.rules; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap | Result | Multi-check rule no | OVAL Definition ID oval:ssg-audit_rules_privileged_commands_newgidmap:def:1 | Time 2020-05-28T09:49:15+00:00 | Severity medium
Identifiers and References
Identifiers:
CCE-82596-8
References:
CCI-000172 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1): true. Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
audit augenrules newgidmap (oval:ssg-test_audit_rules_privileged_commands_newgidmap_augenrules:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_augenrules:obj:1 of type textfilecontent54_object; Filepath ^/etc/audit/rules\.d/.*\.rules$; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object; Filepath /usr/lib/systemd/system/auditd.service; Pattern ^ExecStartPost=\-\/sbin\/auditctl.*$; Instance 1
audit auditctl newgidmap (oval:ssg-test_audit_rules_privileged_commands_newgidmap_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_auditctl:obj:1 of type textfilecontent54_object; Filepath /etc/audit/audit.rules; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop | Result | Multi-check rule no | OVAL Definition ID oval:ssg-audit_rules_privileged_commands_postdrop:def:1 | Time 2020-05-28T09:49:15+00:00 | Severity medium
Identifiers and References
Identifiers:
CCE-82601-6
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1): true. Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
audit augenrules postdrop (oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules:obj:1 of type textfilecontent54_object; Filepath ^/etc/audit/rules\.d/.*\.rules$; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object; Filepath /usr/lib/systemd/system/auditd.service; Pattern ^ExecStartPost=\-\/sbin\/auditctl.*$; Instance 1
audit auditctl postdrop (oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl:obj:1 of type textfilecontent54_object; Filepath /etc/audit/audit.rules; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
Ensure auditd Collects Information on the Use of Privileged Commands - mount
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount | Result | Multi-check rule no | OVAL Definition ID oval:ssg-audit_rules_privileged_commands_mount:def:1 | Time 2020-05-28T09:49:15+00:00 | Severity medium
Identifiers and References
Identifiers:
CCE-82595-0
References:
CCI-000172 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1): true. Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
audit augenrules mount (oval:ssg-test_audit_rules_privileged_commands_mount_augenrules:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_mount_augenrules:obj:1 of type textfilecontent54_object; Filepath ^/etc/audit/rules\.d/.*\.rules$; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object; Filepath /usr/lib/systemd/system/auditd.service; Pattern ^ExecStartPost=\-\/sbin\/auditctl.*$; Instance 1
audit auditctl mount (oval:ssg-test_audit_rules_privileged_commands_mount_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_mount_auditctl:obj:1 of type textfilecontent54_object; Filepath /etc/audit/audit.rules; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper | Result | Multi-check rule no | OVAL Definition ID oval:ssg-audit_rules_privileged_commands_userhelper:def:1 | Time 2020-05-28T09:49:15+00:00 | Severity medium
Identifiers and References
Identifiers:
CCE-82610-7
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1): true. Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
audit augenrules userhelper (oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules:obj:1 of type textfilecontent54_object; Filepath ^/etc/audit/rules\.d/.*\.rules$; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object; Filepath /usr/lib/systemd/system/auditd.service; Pattern ^ExecStartPost=\-\/sbin\/auditctl.*$; Instance 1
audit auditctl userhelper (oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl:obj:1 of type textfilecontent54_object; Filepath /etc/audit/audit.rules; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd | Result | Multi-check rule no | OVAL Definition ID oval:ssg-audit_rules_privileged_commands_gpasswd:def:1 | Time 2020-05-28T09:49:15+00:00 | Severity medium
Identifiers and References
Identifiers:
CCE-82594-3
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1): true. Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
audit augenrules gpasswd (oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules:obj:1 of type textfilecontent54_object; Filepath ^/etc/audit/rules\.d/.*\.rules$; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object; Filepath /usr/lib/systemd/system/auditd.service; Pattern ^ExecStartPost=\-\/sbin\/auditctl.*$; Instance 1
audit auditctl gpasswd (oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1): false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl:obj:1 of type textfilecontent54_object; Filepath /etc/audit/audit.rules; Pattern ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Instance 1
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_newuidmap:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82598-4
References:
CCI-000172 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect the execution of privileged commands for
all users and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add a line of the following form
to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules
during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a
serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. Privileged programs are subject to
escalation-of-privilege attacks, which attempt to subvert their normal role of providing
some necessary but limited capability. As such, motivation exists to monitor these
programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules newuidmap
oval:ssg-test_audit_rules_privileged_commands_newuidmap_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
audit auditctl newuidmap
oval:ssg-test_audit_rules_privileged_commands_newuidmap_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_crontab:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82593-5
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect the execution of privileged commands for
all users and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add a line of the following form
to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules
during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a
serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. Privileged programs are subject to
escalation-of-privilege attacks, which attempt to subvert their normal role of providing
some necessary but limited capability. As such, motivation exists to monitor these
programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
audit auditctl crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_postqueue:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82602-4
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect the execution of privileged commands for
all users and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add a line of the following form
to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules
during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a
serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. Privileged programs are subject to
escalation-of-privilege attacks, which attempt to subvert their normal role of providing
some necessary but limited capability. As such, motivation exists to monitor these
programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
audit auditctl postqueue
oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82604-0
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect the execution of privileged commands for
all users and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add a line of the following form
to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules
during daemon startup, add a line of the following form to /etc/audit/audit.rules
(the path must be /usr/libexec/openssh/ssh-keysign, the same binary the OVAL check
below looks for):
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a
serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. Privileged programs are subject to
escalation-of-privilege attacks, which attempt to subvert their normal role of providing
some necessary but limited capability. As such, motivation exists to monitor these
programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
audit auditctl ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - chage
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_chage:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82591-9
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect the execution of privileged commands for
all users and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add a line of the following form
to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules
during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a
serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. Privileged programs are subject to
escalation-of-privilege attacks, which attempt to subvert their normal role of providing
some necessary but limited capability. As such, motivation exists to monitor these
programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules chage
oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
audit auditctl chage
oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_newgrp:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82597-6
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000130 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000037-GPOS-00015 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000462-GPOS-00206 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect the execution of privileged commands for
all users and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add a line of the following form
to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules
during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a
serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. Privileged programs are subject to
escalation-of-privilege attacks, which attempt to subvert their normal role of providing
some necessary but limited capability. As such, motivation exists to monitor these
programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
audit auditctl newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_chsh:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82592-7
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000130 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000037-GPOS-00015 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000462-GPOS-00206 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect the execution of privileged commands for
all users and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add a line of the following form
to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules
during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a
serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. Privileged programs are subject to
escalation-of-privilege attacks, which attempt to subvert their normal role of providing
some necessary but limited capability. As such, motivation exists to monitor these
programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
audit auditctl chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
  Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_sudoedit:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82607-3
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect the execution of privileged commands for
all users and root. If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup (the default), add a line of the following form
to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules
during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized
users, or by unauthorized external entities that have compromised system accounts, is a
serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats. Privileged programs are subject to
escalation-of-privilege attacks, which attempt to subvert their normal role of providing
some necessary but limited capability. As such, motivation exists to monitor these
programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Ensure auditd Collects Information on the Use of Privileged Commands - umount Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_privileged_commands_umount:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82608-1
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules umount
oval:ssg-test_audit_rules_privileged_commands_umount_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl umount
oval:ssg-test_audit_rules_privileged_commands_umount_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Ensure auditd Collects Information on the Use of Privileged Commands Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_privileged_commands:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82589-3
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO08.04 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.05 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-002234 , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.5 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.3.4.5.9 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 3.9 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.1 , A.16.1.2 , A.16.1.3 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.3 , A.6.2.1 , A.6.2.2 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-2 , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , DE.DP-4 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , RS.CO-2 , Req-10.2.2 , SRG-OS-000327-GPOS-00127 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing SETUID_PROG_PATH with the full path of that program from the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules for each setuid / setgid program on the system, again replacing SETUID_PROG_PATH with the full path of that program:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Note that the check for this rule (see the OVAL test results below) not only looks for conforming rule lines but also compares the number of such lines with the number of setuid / setgid binaries found on the system, so every binary in the list needs its own rule; a rule whose path points at a non-privileged program does not count.
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
Warnings warning
This rule checks for audit rules covering many privileged commands at once; it was written with DISA STIG in mind. Other policies should use a separate rule for each privileged command that needs to be checked, for example:
audit_rules_privileged_commands_su
audit_rules_privileged_commands_umount
audit_rules_privileged_commands_passwd
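The enumerate-then-write-a-rule procedure above, carried out in Python as an added example that is not part of the original guide or of the SCAP Security Guide content: it lists setuid/setgid regular files the way the find command does (staying on one file system, like -xdev), renders one rule per binary, and checks every line against the same pattern the OVAL test on this page uses, generalised so the path is a capture group rather than a literal. The sample path list is constructed from the binaries named on this page, and the key name privileged and the file name privileged.rules are the example's own choices; the check only requires that some key be present, in either the -k or the -F key= form.

```python
import os
import re
import stat
from typing import Iterable, List

# Constructed sample standing in for the output of
#   find PART -xdev -type f -perm -4000 -o -type f -perm -2000
# on a RHEL-like host; these are the binaries the rules on this page name.
SAMPLE_SUID_SGID = [
    "/usr/bin/sudoedit",
    "/usr/bin/umount",
    "/usr/sbin/usernetctl",
    "/usr/libexec/pt_chown",
    "/usr/sbin/unix_chkpwd",
]

# The OVAL textfilecontent54 pattern from this page, with the literal path replaced by a
# capture group so one expression validates a rule for any privileged command.
PRIVILEGED_RULE_RE = re.compile(
    r"^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=([\S]+)[\s]+-F[\s]+perm=x[\s]+"
    r"-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+"
    r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
)


def find_suid_sgid(mountpoint: str) -> List[str]:
    """Python equivalent of the find command in the description: regular files with the
    setuid or setgid bit set, without crossing into other file systems (the -xdev part)."""
    root_dev = os.stat(mountpoint).st_dev
    hits = []
    for dirpath, dirnames, filenames in os.walk(mountpoint):
        # prune mount points before descending into them
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def make_rule(path: str, key: str = "privileged") -> str:
    """One rule of the form the description prescribes; the key lets ausearch -k find the events."""
    return (f"-a always,exit -F path={path} -F perm=x "
            f"-F auid>=1000 -F auid!=unset -F key={key}")


def generate_rules(paths: Iterable[str], key: str = "privileged") -> str:
    """Contents for a file such as /etc/audit/rules.d/privileged.rules: one rule per binary."""
    return "".join(make_rule(p, key) + "\n" for p in sorted(set(paths)))


def audited_paths(rules_text: str) -> List[str]:
    """Paths covered by lines that satisfy the OVAL pattern; non-conforming lines are
    ignored, exactly as the scanner ignores them."""
    return [m.group(1) for m in map(PRIVILEGED_RULE_RE.match, rules_text.splitlines()) if m]


def missing_rules(paths: Iterable[str], rules_text: str) -> List[str]:
    """Binaries with no conforming rule: the gap behind the 'binaries count matches
    rules count' test shown in the OVAL results on this page."""
    covered = set(audited_paths(rules_text))
    return sorted(p for p in set(paths) if p not in covered)


if __name__ == "__main__":
    # Replace SAMPLE_SUID_SGID with find_suid_sgid("/") on a real host (needs root to read everything).
    rules = generate_rules(SAMPLE_SUID_SGID)
    print(rules, end="")
    print("binaries without a conforming rule:", missing_rules(SAMPLE_SUID_SGID, rules))
```

After writing the generated text to a .rules file, load it with augenrules --load and confirm with auditctl -l that each path appears; the functions above only validate the file contents, not what the kernel actually has loaded.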
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules suid sgid
oval:ssg-test_arpc_suid_sgid_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arpc_suid_sgid_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance Filter ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1
audit augenrules binaries count matches rules count
oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1
error Following items have been found on the system: Var ref Value oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 708
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl suid sgid
oval:ssg-test_arpc_suid_sgid_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arpc_suid_sgid_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance Filter /etc/audit/audit.rules ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1
audit auditctl binaries count matches rules count
oval:ssg-test_arpc_bin_count_equals_rules_count_auditctl:tst:1
error Following items have been found on the system: Var ref Value oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 708
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_privileged_commands_usernetctl:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82611-5
References:
CCI-000172 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules usernetctl
oval:ssg-test_audit_rules_privileged_commands_usernetctl_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl usernetctl
oval:ssg-test_audit_rules_privileged_commands_usernetctl_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_privileged_commands_pt_chown:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82603-2
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules pt_chown
oval:ssg-test_audit_rules_privileged_commands_pt_chown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl pt_chown
oval:ssg-test_audit_rules_privileged_commands_pt_chown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Rule ID xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82609-9
References:
1 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , BAI03.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 6.1 , SR 6.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.14.2.7 , A.15.2.1 , A.15.2.2 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.PT-1 , FAU_GEN.1.1.c , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000471-GPOS-00215 , SRG-OS-000471-VMM-001910
Description At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
Note that the original wording of this rule gives the path as /usr/bin/unix_chkpwd, while the OVAL check shown below matches only path=/usr/sbin/unix_chkpwd, which is where the binary is installed on RHEL-family systems; a rule written with the /usr/bin path will not satisfy the check. Confirm the location with ls -l /usr/sbin/unix_chkpwd before writing the rule.
Rationale Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify the System's Discretionary Access Controls - fchmod Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_dac_modification_fchmod:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82558-8
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
The auid!=unset filter excludes processes with no login UID (daemons started at boot); older rule sets spell the same condition as auid!=4294967295, and the check below accepts either form. On a 64-bit system both the b32 and the b64 rule are required, because a 32-bit binary invoking fchmod through the compatibility ABI is only matched by the arch=b32 rule.
Rationale The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
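To make the grouping point concrete, an added example that is not from the original guide or the SCAP Security Guide project: it emits one rule per architecture covering several DAC-modification syscalls, then asks this page's own per-syscall OVAL pattern (with the architecture and syscall name substituted) whether fchmod, chmod and the rest are each still satisfied by the grouped line. The syscall list and the key name perm_mod follow the conventions used in this guide; the function names and the sample rule lines in the usage are the example's own.

```python
import re
from typing import Iterable, List


def syscall_rule_re(arch: str, syscall: str) -> "re.Pattern":
    """The fchmod pattern from the OVAL results on this page, parameterised on arch and
    syscall. The syscall must appear either as '-S name' or delimited by whitespace/commas,
    so 'fchmodat' does not accidentally satisfy a check for 'fchmod'."""
    sc = re.escape(syscall)
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+"
        r"(?:.*-F[\s]+arch=" + re.escape(arch) + r"[\s]+)"
        r"(?:.*(-S[\s]+" + sc + r"[\s]+|([\s]+|[,])" + sc + r"([\s]+|[,])))"
        r"(?:.*-F\s+auid>=1000[\s]+)"
        r"(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+)"
        r".*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
    )


# Assumed grouping of the DAC-modification syscalls this guide audits under key perm_mod.
DAC_SYSCALLS = [
    "chmod", "fchmod", "fchmodat",
    "chown", "fchown", "fchownat", "lchown",
    "setxattr", "lsetxattr", "fsetxattr",
    "removexattr", "lremovexattr", "fremovexattr",
]


def grouped_dac_rules(syscalls: Iterable[str], arches=("b32", "b64"), key: str = "perm_mod") -> str:
    """One rule per architecture listing all the syscalls, instead of one rule per syscall.
    The kernel walks the rule list on every syscall exit, so fewer rules cost less."""
    names = ",".join(syscalls)
    return "".join(
        f"-a always,exit -F arch={arch} -S {names} -F auid>=1000 -F auid!=unset -F key={key}\n"
        for arch in arches
    )


def covers(rules_text: str, arch: str, syscall: str) -> bool:
    """True if some line in rules_text satisfies the page's check for this arch/syscall pair."""
    pat = syscall_rule_re(arch, syscall)
    return any(pat.match(line) for line in rules_text.splitlines())


def coverage_gaps(rules_text: str, syscalls: Iterable[str], arches=("b32", "b64")) -> List[str]:
    """'arch:syscall' pairs that no rule in rules_text covers."""
    return [f"{a}:{s}" for a in arches for s in syscalls if not covers(rules_text, a, s)]


if __name__ == "__main__":
    grouped = grouped_dac_rules(DAC_SYSCALLS)
    print(grouped, end="")
    print("gaps:", coverage_gaps(grouped, DAC_SYSCALLS))
```

The grouped form passes every per-syscall check on this page because each pattern only requires the syscall name to appear somewhere in a rule that also carries the right arch, auid and key filters; what it will not tolerate is a rule with no arch filter at all, or a 64-bit rule standing in for the 32-bit one.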
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Test: audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: audit auditctl 32-bit fchmod (oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit auditctl 64-bit fchmod (oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Record Events that Modify the System's Discretionary Access Controls - removexattr
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_removexattr:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82567-9
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
Test: audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1)
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
Test: audit augenrules 32-bit removexattr (oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit augenrules 64-bit removexattr (oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: audit auditctl 32-bit removexattr (oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit auditctl 64-bit removexattr (oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_lsetxattr:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82566-1
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000474-GPOS-00219 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
Test: audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1)
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
Test: audit augenrules 32-bit lsetxattr (oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit augenrules 64-bit lsetxattr (oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: audit auditctl 32-bit lsetxattr (oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit auditctl 64-bit lsetxattr (oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Record Events that Modify the System's Discretionary Access Controls - chmod
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_chmod:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82556-2
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
Test: audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1)
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
Test: audit augenrules 32-bit chmod (oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit augenrules 64-bit chmod (oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: audit auditctl 32-bit chmod (oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit auditctl 64-bit chmod (oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Record Events that Modify the System's Discretionary Access Controls - lchown
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_lchown:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82564-6
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000474-GPOS-00219 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
Test: audit augenrules (oval:ssg-test_audit_rules_augenrules:tst:1)
Result: true. Following items have been found on the system:
  Path: /usr/lib/systemd/system/auditd.service
  Content: ExecStartPost=-/sbin/augenrules --load
Test: audit augenrules 32-bit lchown (oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit augenrules 64-bit lchown (oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: audit auditctl (oval:ssg-test_audit_rules_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: audit auditctl 32-bit lchown (oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_x86_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppc_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_ppcle_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture (oval:ssg-test_system_info_architecture_aarch_64:tst:1)
Result: not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit auditctl 64-bit lchown (oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1)
Result: false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_lremovexattr:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82565-3
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify the System's Discretionary Access Controls - fchownat
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fchownat:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82561-2
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000474-GPOS-00219 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify the System's Discretionary Access Controls - chown
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_chown:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82557-0
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000474-GPOS-00219 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit chown
oval:ssg-test_32bit_ardm_chown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit chown
oval:ssg-test_64bit_ardm_chown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit chown
oval:ssg-test_32bit_ardm_chown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit chown
oval:ssg-test_64bit_ardm_chown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify the System's Discretionary Access Controls - fchown
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fchown:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82560-4
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000474-GPOS-00219 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify the System's Discretionary Access Controls - fchmodat
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fchmodat:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82559-6
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify the System's Discretionary Access Controls - setxattr  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr  medium  CCE-82568-7
Record Events that Modify the System's Discretionary Access Controls - setxattr Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_dac_modification_setxattr:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82568-7
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify the System's Discretionary Access Controls - fsetxattr  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr  medium  CCE-82563-8
Record Events that Modify the System's Discretionary Access Controls - fsetxattr Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_dac_modification_fsetxattr:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82563-8
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify the System's Discretionary Access Controls - fremovexattr  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr  medium  CCE-82562-0
Record Events that Modify the System's Discretionary Access Controls - fremovexattr Rule ID xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_dac_modification_fremovexattr:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82562-0
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5 , SRG-OS-000064-GPOS-00033 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-GPOS-00203 , SRG-OS-000458-VMM-001810 , SRG-OS-000474-VMM-001940
Description At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Attempts to Alter Logon and Logout Events - tallylog  xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog  medium  CCE-82585-1
Record Attempts to Alter Logon and Logout Events - tallylog Rule ID xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_login_events_tallylog:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82585-1
References:
5.2.8 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , CCI-000126 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.3 , SRG-OS-000392-GPOS-00172 , SRG-OS-000470-GPOS-00214 , SRG-OS-000473-GPOS-00218 , SRG-OS-000473-VMM-001930 , SRG-OS-000470-VMM-001900
Description The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
Rationale Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules tallylog
oval:ssg-test_arle_tallylog_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_arle_tallylog_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl tallylog
oval:ssg-test_arle_tallylog_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_arle_tallylog_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
Instance: 1
Record Attempts to Alter Logon and Logout Events - lastlog
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
Result
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_login_events_lastlog:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82584-4
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.3 , SRG-OS-000392-GPOS-00172 , SRG-OS-000470-GPOS-00214 , SRG-OS-000473-GPOS-00218 , SRG-OS-000473-VMM-001930 , SRG-OS-000470-VMM-001900
Description
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules lastlog
oval:ssg-test_arle_lastlog_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_arle_lastlog_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl lastlog
oval:ssg-test_arle_lastlog_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_arle_lastlog_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
Instance: 1
Record Attempts to Alter Logon and Logout Events - faillock
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
Result
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_login_events_faillock:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82583-6
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.3 , SRG-OS-000392-GPOS-00172 , SRG-OS-000470-GPOS-00214 , SRG-OS-000473-GPOS-00218 , SRG-OS-000473-VMM-001930 , SRG-OS-000470-VMM-001900
Description
The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules faillock
oval:ssg-test_arle_faillock_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_arle_faillock_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl faillock
oval:ssg-test_arle_faillock_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_arle_faillock_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
Instance: 1
Ensure auditd Collects File Deletion Events by User - rmdir
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
Result
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_file_deletion_events_rmdir:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82577-8
References:
5.2.14 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-000366 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.4 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.1.1 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.MA-2 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.7 , SRG-OS-000466-GPOS-00210 , SRG-OS-000467-GPOS-00210 , SRG-OS-000468-GPOS-00212 , SRG-OS-000392-GPOS-00172 , SRG-OS-000466-VMM-001870 , SRG-OS-000468-VMM-001890
Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Ensure auditd Collects File Deletion Events by User - rename
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
Result
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_file_deletion_events_rename:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82575-2
References:
5.2.14 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-000366 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.4 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.1.1 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.MA-2 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.7 , SRG-OS-000466-GPOS-00210 , SRG-OS-000467-GPOS-00210 , SRG-OS-000468-GPOS-00212 , SRG-OS-000392-GPOS-00172 , SRG-OS-000466-VMM-001870 , SRG-OS-000468-VMM-001890
Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit rename
oval:ssg-test_32bit_ardm_rename_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit rename
oval:ssg-test_64bit_ardm_rename_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit rename
oval:ssg-test_32bit_ardm_rename_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit rename
oval:ssg-test_64bit_ardm_rename_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Ensure auditd Collects File Deletion Events by User - unlinkat
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
Result
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82579-4
References:
5.2.14 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-000366 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.4 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.1.1 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.MA-2 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.7 , SRG-OS-000466-GPOS-00210 , SRG-OS-000467-GPOS-00210 , SRG-OS-000468-GPOS-00212 , SRG-OS-000392-GPOS-00172 , SRG-OS-000466-VMM-001870 , SRG-OS-000468-VMM-001890
Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable. No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Ensure auditd Collects File Deletion Events by User - unlink
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
Result
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_file_deletion_events_unlink:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82578-6
References:
5.2.14 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-000366 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.4 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.1.1 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.MA-2 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.7 , SRG-OS-000466-GPOS-00210 , SRG-OS-000467-GPOS-00210 , SRG-OS-000468-GPOS-00212 , SRG-OS-000392-GPOS-00172 , SRG-OS-000466-VMM-001870 , SRG-OS-000468-VMM-001890
Description At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
Rationale Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Ensure auditd Collects File Deletion Events by User - renameat xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat medium CCE-82576-0
Ensure auditd Collects File Deletion Events by User - renameat Rule ID xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_file_deletion_events_renameat:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82576-0
References:
5.2.14 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-000366 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.4 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.1.1 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.MA-2 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.7 , SRG-OS-000466-GPOS-00210 , SRG-OS-000467-GPOS-00210 , SRG-OS-000468-GPOS-00212 , SRG-OS-000392-GPOS-00172 , SRG-OS-000466-VMM-001870 , SRG-OS-000468-VMM-001890
Description At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Rationale Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Unsuccessful Ownership Changes to Files - chown xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown medium CCE-82620-6
Record Unsuccessful Ownership Changes to Files - chown Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_chown:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82620-6
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file ownership change attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_chown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_chown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_chown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_chown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_chown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_chown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_chown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_chown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order medium CCE-82646-1
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_open_rule_order:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82646-1
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect detailed unauthorized file accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open syscall, the audit rules collecting these events need to be in a certain order. The more specific rules need to come before the less specific rules, because the more specific rules cover a subset of the events covered by the less specific rules; placing them first keeps them from being overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the open syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
Rationale The more specific rules cover a subset of events covered by the less specific rules.
By ordering them from more specific to less specific, it is assured that the less specific
rule will not catch events better recorded by the more specific rule.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eacces_augenrules_regex^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eperm_augenrules_regex:var:1) ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eacces_augenrules_regex:var:1) ^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eperm_augenrules_regex:var:1) ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eacces_regex:var:1) ^/etc/audit/rules\.d/.*\.rules$ 1
Test order of 32-bit auditctl EPERM audit rules
oval:ssg-test_arufm_open_order_32bit_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eperm_regex:var:1) ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_open_order_64bit_auditctl_eacces_regex:var:1) ^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_auditctl_eperm_regex:var:1) ^/etc/audit/rules\.d/.*\.rules$ 1
Record Unsuccessful Permission Changes to Files - chmod
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_chmod:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82619-8
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file permission change attempts. With the filters below, that means attempts made from sessions whose login UID (auid) is 1000 or above: auid is fixed at login, so a user who later becomes root through su or sudo is still recorded, while daemons (auid unset) and direct root logins (auid 0) are not.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient, because the kernel has fewer rules to evaluate at each syscall exit. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
The OVAL tests for this rule (listed below) evaluate each line of the rules file on its own and accept either form: the syscall may stand alone after -S or appear inside a comma-separated -S list, -F auid!=unset may be written as -F auid!=4294967295, and the key may be given as -F key=KEY or -k KEY with any non-empty key. A line that carries an -F aN&... argument filter between the syscall list and -F exit= does not satisfy these tests, so keep the permission-change rules on their own lines rather than merging them into the open rules earlier in this report, whose patterns include -F a1&0100. After editing files under /etc/audit/rules.d, reload the rules (the auditd.service ExecStartPost line shown below runs augenrules --load at startup) and confirm with auditctl -l that the lines are active.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_chmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_chmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_chmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_chmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chmod_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_chmod_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chmod_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_chmod_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chmod_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_chmod_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chmod_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_chmod_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
Record Unsuccessful Permission Changes to Files - fchmodat
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_fchmodat:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82624-8
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file permission change attempts made from sessions whose login UID (auid) is 1000 or above, which includes users who have escalated to root through su or sudo.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
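The per-syscall rules in this family (chmod, fchmodat and removexattr on this page) and the grouping warning above come down to two practical questions: what lines to put in the rules file, and which lines the OVAL patterns in the test details will accept. The Python below is an added example, not part of this report or of the SSG content it was generated from. render_rules() emits the lines in either the per-syscall form the descriptions show or the grouped form the warning recommends; rule_pattern() transcribes the textfilecontent54 regex from the OVAL test details on this page, so check_rules() and missing() report which (syscall, arch, errno) combinations a rules file satisfies, including the edge cases the regex encodes (numeric unset auid, -k versus -F key=, and the rejected -F aN& argument filter). The function names, the sample lines and the syscall set (the three rules here plus the syscalls named in the grouping example) are this example's own choices; it runs offline on in-memory text and never touches /etc/audit.

```python
"""Render auditd rules for the unsuccessful-permission-change family and check
a rules file the way the OVAL tests in this report do.

Added example; not part of this report or of the SSG content it was generated
from. rule_pattern() transcribes the textfilecontent54 regex shown in the OVAL
test details; function names, the syscall list and sample lines are this
example's own choices.
"""
import re

# The three rules on this page (chmod, fchmodat, removexattr) plus the other
# syscalls named in the report's grouping example.
PERM_SYSCALLS = ("chmod", "fchmod", "fchmodat",
                 "setxattr", "lsetxattr", "fsetxattr", "removexattr")
ARCHES = ("b32", "b64")
ERRNOS = ("EACCES", "EPERM")
KEY = "unsuccesful-perm-change"  # key string exactly as the report spells it


def render_rules(syscalls=PERM_SYSCALLS, arches=ARCHES, errnos=ERRNOS,
                 key=KEY, grouped=True):
    """Return audit rule lines for /etc/audit/rules.d/*.rules or audit.rules.

    grouped=True: one line per (arch, errno) with every syscall in a single
    -S list, the form the report's warning recommends.
    grouped=False: one line per (syscall, arch, errno), the form the rule
    descriptions show.
    """
    groups = [list(syscalls)] if grouped else [[s] for s in syscalls]
    lines = []
    for arch in arches:
        for group in groups:
            for errno in errnos:
                lines.append(
                    f"-a always,exit -F arch={arch} -S {','.join(group)} "
                    f"-F exit=-{errno} -F auid>=1000 -F auid!=unset -F key={key}"
                )
    return lines


def rule_pattern(syscall, arch, errno):
    """Per-line check equivalent to the OVAL object for one (syscall, arch, errno).

    The syscall may stand alone after -S or sit inside a comma list; no
    '-F aN&' argument filter may appear between the syscall list and -F exit=;
    auid!=unset and auid!=4294967295 are both accepted, as are -k KEY and
    -F key=KEY with any non-empty key.
    """
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+"
        rf"(?:-F[\s]+arch={arch}[\s]+)"
        rf"(?:.*(-S[\s]+{syscall}[\s]+|([\s]+|[,]){syscall}([\s]+|[,])))"
        r"(?:(?!-F[\s]+a\d&).)*"
        rf"(?:-F\s+exit=-{errno})[\s]+"
        r"(?:-F\s+auid>=1000[\s]+)"
        r"(?:-F\s+auid!=(unset|4294967295)[\s]+)"
        r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
    )


def check_rules(text, syscalls=PERM_SYSCALLS, arches=ARCHES, errnos=ERRNOS):
    """Map every (syscall, arch, errno) to whether some line of text satisfies it."""
    lines = text.splitlines()
    return {
        (s, a, e): any(rule_pattern(s, a, e).match(line) for line in lines)
        for s in syscalls for a in arches for e in errnos
    }


def missing(text, **kwargs):
    """Sorted (syscall, arch, errno) triples that no line in text covers."""
    return sorted(k for k, ok in check_rules(text, **kwargs).items() if not ok)


if __name__ == "__main__":
    grouped = "\n".join(render_rules())
    print(grouped)
    print("gaps in grouped file:", missing(grouped))
    # Constructed partial file: only the two 32-bit chmod lines from the report.
    partial = "\n".join(render_rules(syscalls=("chmod",), arches=("b32",),
                                     grouped=False))
    print("gaps with chmod b32 only:", len(missing(partial)), "of 28")
```

To use it against a live system, read and concatenate /etc/audit/rules.d/*.rules (or /etc/audit/audit.rules where auditd is started with auditctl) and pass the text to missing(); every triple it returns is a combination the corresponding rule in this report would fail on. The check is deliberately per line, as the OVAL objects are, so a rule that spreads the filters over two lines or inserts an -F a1&... argument filter before -F exit= is reported as missing even though auditd would load it.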
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmodat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fchmodat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmodat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmodat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fchmodat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmodat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmodat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fchmodat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmodat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmodat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fchmodat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmodat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Permission Changes to Files - removexattr xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr medium CCE-82647-9
Record Unsuccessful Permission Changes to Files - removexattr Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_removexattr:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82647-9
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit
rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the audit rule checks a system call
independently of other system calls. Grouping system calls related to the same
event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_removexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_removexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_removexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_removexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_removexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_removexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_removexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_removexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_removexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_removexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_removexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_removexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_removexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_removexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_removexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_removexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Creation Attempts to Files - open O_CREAT xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat medium CCE-82644-6
Record Unsuccessful Creation Attempts to Files - open O_CREAT Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_open_o_creat:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82644-6
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unauthorized file accesses for
all users and root. The open syscall can be used to create new files when the
O_CREAT flag is specified. The following audit rules will ensure that
unsuccessful attempts to create a file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit
rules during daemon startup (the default), add the rules below to a file with
suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the rules below to the /etc/audit/audit.rules
file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping system calls related to the same
event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
Record Unsuccessful Delete Attempts to Files - renameat xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat medium CCE-82649-5
Record Unsuccessful Delete Attempts to Files - renameat Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82649-5
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file deletion
attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit
rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Rationale Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the system calls have been placed
independent of other system calls. Grouping system calls related to the same
event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_renameat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_renameat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_renameat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_renameat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_renameat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_renameat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_renameat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_renameat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_renameat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_renameat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_renameat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_renameat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_renameat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_renameat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_renameat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_renameat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Ownership Changes to Files - fchown xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown medium CCE-82625-5
Record Unsuccessful Ownership Changes to Files - fchown
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown
Result
Multi-check rule no
OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_fchown:def:1
Time 2020-05-28T09:50:18+00:00
Severity medium
Identifiers and References
Identifiers:
CCE-82625-5
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file ownership change attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Access Attempts to Files - creat xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat medium CCE-82621-4
Record Unsuccessful Access Attempts to Files - creat
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
Result
Multi-check rule no
OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1
Time 2020-05-28T09:50:18+00:00
Severity medium
Identifiers and References
Identifiers:
CCE-82621-4
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
/etc/audit/audit.rules 1
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order medium CCE-82643-8
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
Result
Multi-check rule no
OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order:def:1
Time 2020-05-28T09:50:18+00:00
Severity medium
Identifiers and References
Identifiers:
CCE-82643-8
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect detailed unauthorized file accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open_by_handle_at syscall, the audit rules collecting these events need to be in a certain order. The more specific rules need to come before the less specific rules. The reason is that the more specific rules cover a subset of the events covered by the less specific rules; they therefore need to come first so that they are not overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
Rationale
The more specific rules cover a subset of the events covered by the less specific rules. Listing them from most specific to least specific ensures that a less specific rule does not capture events that the more specific rule would record more precisely, under its own key.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eacces_aug
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eperm_auge
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eacces_aug
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eperm_auge
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e
^/etc/audit/rules\.d/.*\.rules$ 1
Test order of audit 32bit auditctl eperm rules order
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_open_by_handle_at_order_64bit_auditctl_eacces
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_auditctl_e
^/etc/audit/rules\.d/.*\.rules$ 1
Record Unsuccessful Permission Changes to Files - lremovexattr
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr medium CCE-82631-3
Record Unsuccessful Permission Changes to Files - lremovexattr Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_lremovexattr:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82631-3
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale
Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
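The following Python script is an added example; it is not part of this report or of the SSG content. It performs, offline, the two checks these sections describe: it verifies that a syscall such as lremovexattr (or ftruncate) is covered for both EACCES and EPERM on each architecture with the auid filters and a key, accepting the grouped -S form shown in the warning above and, like the report's regex with its (?!-F\s+a\d&) lookahead, ignoring rules that carry an argument filter; and it verifies the rule order required by the open_by_handle_at rationale earlier on this page (create, then modification, then the unfiltered access rule). The sample rule sets and all function names are constructed for this example.

```python
"""Audit-rule checks that mirror the OVAL tests in this report.

Added example, not part of the SCAP report or the SSG content. It parses
"-a always,exit" rules (constructed samples below) and checks (1) that a
syscall is covered for exit=-EACCES and -EPERM with the auid filters and a
key, counting grouped "-S a,b,c" lists but, like the report's regex lookahead,
not rules with an argument filter such as "-F a2&0100"; and (2) that the
open_by_handle_at rules are listed most specific first (a2&0100 create,
a2&01003 modification, then the unfiltered access rule).
"""
import re

# "-F" filters look like auid>=1000, exit=-EACCES, a2&0100 or key=foo
FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|=|>|<|&=|&)(.+)$")


def parse_rules(text):
    """One dict per '-a ...' line, kept in file order (order matters)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = raw.split()
        if not toks or toks[0] != "-a":
            continue  # blank lines, comments, -w watches, -D, -b, ...
        rule = {"list": None, "arch": None, "syscalls": set(),
                "filters": [], "key": None}
        for tok, arg in zip(toks, toks[1:] + [""]):
            if tok == "-a":
                rule["list"] = arg
            elif tok == "-S":
                rule["syscalls"].update(arg.split(","))
            elif tok == "-k":
                rule["key"] = arg
            elif tok == "-F":
                m = FILTER_RE.match(arg)
                if not m:
                    raise ValueError(f"line {lineno}: bad filter {arg!r}")
                lhs, op, rhs = m.groups()
                if lhs == "arch":
                    rule["arch"] = rhs
                elif lhs == "key":
                    rule["key"] = rhs
                else:
                    rule["filters"].append((lhs, op, rhs))
        rules.append(rule)
    return rules


def _has_arg_filter(rule):
    """True if the rule tests a syscall argument (a0..a3 with & or &=)."""
    return any(re.fullmatch(r"a\d", lhs) and op in ("&", "&=")
               for lhs, op, _ in rule["filters"])


def _auid_ok(f):
    return ("auid", ">=", "1000") in f and (
        ("auid", "!=", "unset") in f or ("auid", "!=", "4294967295") in f)


def covering_rules(rules, syscall, arch, errno):
    """Rules that record a failed `syscall` on `arch` with exit=-errno."""
    return [r for r in rules
            if r["list"] == "always,exit" and r["arch"] == arch
            and syscall in r["syscalls"] and not _has_arg_filter(r)
            and ("exit", "=", "-" + errno) in r["filters"]
            and _auid_ok(r["filters"]) and r["key"]]


def missing_coverage(rules, syscall, archs=("b32", "b64")):
    """(arch, errno) pairs for which no qualifying rule exists."""
    return [(arch, errno) for arch in archs for errno in ("EACCES", "EPERM")
            if not covering_rules(rules, syscall, arch, errno)]


def open_by_handle_at_order(rules, arch, errno):
    """Classify each open_by_handle_at rule for arch/errno in file order;
    return (order is create -> modification -> access, observed order)."""
    observed = []
    for r in rules:
        if (r["arch"] != arch or "open_by_handle_at" not in r["syscalls"]
                or ("exit", "=", "-" + errno) not in r["filters"]):
            continue
        a2 = [rhs for lhs, op, rhs in r["filters"] if lhs == "a2" and op == "&"]
        if a2 == ["0100"]:      # O_CREAT requested: unsuccessful create
            observed.append("create")
        elif a2 == ["01003"]:   # O_WRONLY|O_RDWR|O_TRUNC: modification
            observed.append("modification")
        elif not a2:            # any other failed open: access
            observed.append("access")
    return observed == ["create", "modification", "access"], observed


# Constructed samples (64-bit rules only, to keep them short).
GOOD_RULES = """
## grouped permission-change rules; lremovexattr sits inside the -S list
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
"""
BAD_RULES = """
## EPERM rule missing, and the catch-all access rule is listed first
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k unsuccesful-perm-change
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        rules = parse_rules(text)
        print(name, missing_coverage(rules, "lremovexattr", archs=("b64",)),
              open_by_handle_at_order(rules, "b64", "EACCES"))
```

To reproduce the report's checks on a real host, feed parse_rules the concatenated contents of /etc/audit/rules.d/*.rules (augenrules merges them in filename order, so an "access" rule in an earlier-sorted file still precedes a "create" rule in a later one) or /etc/audit/audit.rules for the auditctl case. The order check matters because the kernel stops at the first exit-filter rule that matches a syscall and records that rule's key.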
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Access Attempts to Files - ftruncate
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate medium CCE-82629-7
Record Unsuccessful Access Attempts to Files - ftruncate Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82629-7
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Permission Changes to Files - setxattr
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_setxattr:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82650-3
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit
rules during daemon startup (the default), add the following lines to a file
with the suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, then also add the following lines:
-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change permissions of files could be an
indicator of malicious activity on a system. Auditing these events could serve
as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the audit rule checks a system call
independently of other system calls. Grouping system calls related to the same
event is more efficient. The OVAL pattern in the test results below accepts the
system call either directly after -S or inside a comma-separated -S list, so a
grouped rule still satisfies the check; as in the description above, a matching
line with -F exit=-EPERM is still needed. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_setxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_setxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_setxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_setxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_setxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_setxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_setxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_setxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_setxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_setxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_setxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_setxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_setxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_setxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_setxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_setxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Ownership Changes to Files - fchownat
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_fchownat:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82626-3
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit
rules during daemon startup (the default), add the following lines to a file
with the suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, then also add the following lines:
-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change ownership of files could be an
indicator of malicious activity on a system. Auditing these events could serve
as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the audit rule checks a system call
independently of other system calls. Grouping system calls related to the same
event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchownat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fchownat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchownat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fchownat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchownat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fchownat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchownat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fchownat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchownat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fchownat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchownat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fchownat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchownat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fchownat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchownat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fchownat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Permission Changes to Files - fsetxattr
Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_fsetxattr:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82628-9
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit
rules during daemon startup (the default), add the following lines to a file
with the suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, then also add the following lines:
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change permissions of files could be an
indicator of malicious activity on a system. Auditing these events could serve
as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still
achieving the desired effect. Here the audit rule checks a system call
independently of other system calls. Grouping system calls related to the same
event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Access Attempts to Files - open xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open medium CCE-82633-9
Record Unsuccessful Access Attempts to Files - open Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82633-9
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Delete Attempts to Files - unlink xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink medium CCE-82652-9
Record Unsuccessful Delete Attempts to Files - unlink Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_unlink:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82652-9
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Rationale Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlink_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_unlink_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlink_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_unlink_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlink_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_unlink_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlink_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_unlink_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlink_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_unlink_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlink_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_unlink_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlink_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_unlink_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlink_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_unlink_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order medium CCE-82639-6
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82639-6
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect detailed unauthorized file accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the openat syscall, the audit rules collecting these events need to be in a certain order. The more specific rules need to come before the less specific rules, because the more specific rules cover a subset of the events covered by the less specific rules; if they came later, they would be overshadowed by the less specific rules, which match a larger set of events.
Make sure that the rules for unsuccessful calls of the openat syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
Rationale The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is ensured that a less specific rule will not catch events that are better recorded by a more specific rule.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eacces_augenrules_reg^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eperm_augenrules_rege^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eacces_augenrules_reg^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eperm_augenrules_rege^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eacces_regex^/etc/audit/rules\.d/.*\.rules$ 1
Test order of audit 32bit auditctl eperm rules order
oval:ssg-test_arufm_openat_order_32bit_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eperm_regex:^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_openat_order_64bit_auditctl_eacces_regex:var:^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_auditctl_eperm_regex:^/etc/audit/rules\.d/.*\.rules$ 1
Record Unsuccessful Creation Attempts to Files - openat O_CREAT xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat medium CCE-82635-4
Record Unsuccessful Creation Attempts to Files - openat O_CREAT Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82635-4
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unauthorized file accesses for all users and root. The openat syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will ensure that unsuccessful attempts to create a file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
Record Unsuccessful Permission Changes to Files - fchmod xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod medium CCE-82622-2
Record Unsuccessful Permission Changes to Files - fchmod Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_fchmod:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82622-2
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file permission change attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fchmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fchmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fchmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmod_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fchmod_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmod_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fchmod_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmod_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fchmod_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmod_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fchmod_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmod_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fchmod_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Permission Changes to Files - lsetxattr xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr medium CCE-82632-1
Record Unsuccessful Permission Changes to Files - lsetxattr Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_lsetxattr:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82632-1
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file permission change attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lsetxattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lsetxattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write medium CCE-82645-3
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82645-3
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect detailed unauthorized file accesses for all users and root. The open syscall can be used to modify files if called for a write operation or with the O_TRUNC_WRITE flag.
The following audit rules will ensure that unsuccessful attempts to modify a file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
Record Unsuccessful Delete Attempts to Files - rename xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename medium CCE-82648-7
Record Unsuccessful Delete Attempts to Files - rename Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82648-7
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Rationale Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_rename_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_rename_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_rename_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_rename_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_rename_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_rename_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_rename_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_rename_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_rename_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_rename_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_rename_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_rename_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_rename_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_rename_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_rename_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_rename_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Access Attempts to Files - open_by_handle_at xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at medium CCE-82640-4
Record Unsuccessful Access Attempts to Files - open_by_handle_at Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82640-4
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Access Attempts to Files - truncate xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate medium CCE-82651-1
Record Unsuccessful Access Attempts to Files - truncate Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82651-1
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warning Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82641-2
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description
The audit system should collect unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will assure that unsuccessful attempts to create a file via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
Record Unsuccessful Delete Attempts to Files - unlinkat
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82653-7
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description
The audit system should collect unsuccessful file deletion attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Rationale
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlinkat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_unlinkat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlinkat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlinkat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_unlinkat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlinkat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlinkat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_unlinkat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlinkat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlinkat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_unlinkat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlinkat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Permission Changes to Files - fremovexattr
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_fremovexattr:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82627-1
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description
The audit system should collect unsuccessful file permission change attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fremovexattr_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fremovexattr_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Ownership Changes to Files - lchown xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown medium CCE-82630-5
Record Unsuccessful Ownership Changes to Files - lchown Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_lchown:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82630-5
References:
CCI-000172 , AU-2(d) , AU-12(c) , CM-6(a) , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect unsuccessful file ownership change attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
Rationale Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_lchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_lchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_lchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lchown_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_lchown_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_lchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_lchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_lchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lchown_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_lchown_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Access Attempts to Files - openat xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat medium CCE-82634-7
Record Unsuccessful Access Attempts to Files - openat Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82634-7
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
/etc/audit/audit.rules 1
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write medium CCE-82642-0
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82642-0
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect detailed unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to modify files if called for a write operation with the O_TRUNC_WRITE flag. The following audit rules will ensure that unsuccessful attempts to modify a file via the open_by_handle_at syscall are collected. In these rules the filter -F a2&01003 matches when the syscall's flags argument (a2) has any of the O_WRONLY, O_RDWR or O_TRUNC bits (octal 01003) set.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write medium CCE-82636-2
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE Rule ID xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82636-2
References:
5.2.10 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.4 , Req-10.2.1 , SRG-OS-000064-GPOS-00033 , SRG-OS-000458-GPOS-00203 , SRG-OS-000461-GPOS-00205 , SRG-OS-000392-GPOS-00172 , SRG-OS-000458-VMM-001810 , SRG-OS-000461-VMM-001830
Description The audit system should collect detailed unauthorized file accesses for all users and root. The openat syscall can be used to modify files if called for a write operation with the O_TRUNC_WRITE flag. The following audit rules will ensure that unsuccessful attempts to modify a file via the openat syscall are collected. In these rules the filter -F a2&01003 matches when the syscall's flags argument (a2) has any of the O_WRONLY, O_RDWR or O_TRUNC bits (octal 01003) set.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
Rationale Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
^/etc/audit/rules\.d/.*\.rules$ 1
Ensure auditd Collects Information on Kernel Module Loading - init_module xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init medium CCE-82582-8
Ensure auditd Collects Information on Kernel Module Loading - init_module Rule ID xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_kernel_module_loading_init:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82582-8
References:
5.2.17 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.7 , SRG-OS-000471-GPOS-00216 , SRG-OS-000477-GPOS-00222 , SRG-OS-000477-VMM-001970
Description To capture kernel module loading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines (one with b32 and one with b64) if your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
Rationale The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_kernel_module_loading.rules -a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_kernel_module_loading.rules -a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules -a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules
Ensure auditd Collects Information on Kernel Module Unloading - delete_module | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete | medium | CCE-82580-2
Ensure auditd Collects Information on Kernel Module Unloading - delete_module Rule ID xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_kernel_module_loading_delete:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82580-2
References:
5.2.17 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.7 , SRG-OS-000471-GPOS-00216 , SRG-OS-000477-GPOS-00222 , SRG-OS-000477-VMM-001970
Description To capture kernel module unloading events, add the following line, setting ARCH to b32 on a 32-bit system. On a 64-bit system add the line twice, once with arch=b32 and once with arch=b64, because a 32-bit compatibility process enters the kernel through the b32 syscall table and would not match a b64-only rule:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
(-k modules is an equivalent, shorter spelling of -F key=modules; the checks below accept either.)
Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
Rationale The removal of kernel modules can be used to alter the behavior of the kernel, including removing security-relevant functionality from kernel space. It is important to have an audit trail of modules that have been removed from, as well as introduced into, the kernel.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_kernel_module_loading.rules -a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_kernel_module_loading.rules -a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules -a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit | medium | CCE-82581-0
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module Rule ID xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_kernel_module_loading_finit:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82581-0
References:
5.2.17 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000172 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.7 , SRG-OS-000471-GPOS-00216 , SRG-OS-000477-GPOS-00222 , SRG-OS-000477-VMM-001970
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading through the finit_module syscall (the file-descriptor variant of init_module that modprobe and insmod use on current kernels), setting ARCH to either b32 or b64 as appropriate for your system; a 64-bit system needs one line for each:
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the file /etc/audit/audit.rules.
Rationale The addition and removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into or removed from the kernel.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit finit_module
oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_kernel_module_loading.rules -a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit augenrules 64-bit finit_module
oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_kernel_module_loading.rules -a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit finit_module
oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit finit_module
oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules -a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at | medium | CCE-82702-2
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_group_open_by_handle_at:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82702-2
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write events to the /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the file /etc/audit/audit.rules.
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
The a2&03 filter masks the flags argument of open_by_handle_at so that only opens for writing (O_WRONLY or O_RDWR) are recorded. The auid>=1000 and auid!=unset filters restrict the rule to processes whose login UID is set and is 1000 or higher, that is, sessions of interactive users rather than system accounts and boot-time daemons.
Rationale Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_group_open_by_handle_at_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_group_open_by_handle_at_64bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_group_open_by_handle_at_32bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_group_open_by_handle_at_64bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Make the auditd Configuration Immutable | xccdf_org.ssgproject.content_rule_audit_rules_immutable | medium | CCE-82668-5
Make the auditd Configuration Immutable Rule ID xccdf_org.ssgproject.content_rule_audit_rules_immutable Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_immutable:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82668-5
References:
4.1.18 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO01.06 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , BAI03.05 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , DSS06.02 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.3.1 , 3.4.3 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.310(a)(2)(iv) , 164.312(d) , 164.310(d)(2)(iii) , 164.312(b) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.7.3 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 5.2 , SR 6.1 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , ID.SC-4 , PR.AC-4 , PR.DS-5 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.5.2
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the file /etc/audit/audit.rules in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. The line must be the last one auditctl processes: once the configuration is locked, every rule that follows it is rejected and never takes effect, even though it is still present in the file.
Rationale Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.
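The check on this page is a pattern match for a "-e 2" line anywhere in the rules file, so it cannot tell whether the lock came last. The following Python script, added here as an example and not part of the SCAP report or the SSG content, strips comments and blank lines the way auditctl does and reports every line that follows -e 2 and therefore never reached the kernel. GOOD_RULES and BAD_RULES are constructed inputs, and effective_lines and check_immutable are the example's own names.

```python
"""Verify that '-e 2' locks the audit configuration only after every rule has
been loaded. auditctl -R reads the file top to bottom; once -e 2 has made the
configuration immutable, each later line is rejected with an error and the
system runs without that rule while the file still looks compliant.
Added example, not part of the SCAP report or the SSG content."""


# Constructed: the lock is last, so every rule loads before the lock applies.
GOOD_RULES = """\
-D
-b 8192
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules
-e 2
"""

# Constructed: the lock comes first, so the mount rule is rejected at load time.
BAD_RULES = """\
-D
-e 2
# rejected: the configuration is already immutable when this line is read
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k export
"""


def effective_lines(text: str) -> list:
    """Drop blank lines and '#' comments, which auditctl ignores."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def check_immutable(text: str) -> dict:
    """Report whether the file locks the configuration, every '-e' value it
    sets, and the lines that come after the first '-e 2' (never applied)."""
    lines = effective_lines(text)
    result = {"locked": False, "enable_flags": [], "lines_after_lock": []}
    lock_at = None
    for i, line in enumerate(lines):
        toks = line.split()
        if toks[0] == "-e" and len(toks) == 2:
            result["enable_flags"].append(toks[1])
            # the first -e 2 is the one that locks; anything after it is lost
            if toks[1] == "2" and lock_at is None:
                lock_at = i
    if lock_at is not None:
        result["locked"] = True
        result["lines_after_lock"] = lines[lock_at + 1:]
    return result


if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_immutable(text))
```

With augenrules, run check_immutable on the merged /etc/audit/audit.rules that augenrules --load writes, since that merged file is what auditctl actually processes; an empty lines_after_lock together with locked set to True is the state you want.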
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules configuration locked
oval:ssg-test_ari_locked_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_ari_locked_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^\-e\s+2\s*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl configuration locked
oval:ssg-test_ari_locked_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_ari_locked_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^\-e\s+2\s*$ 1
Record Events that Modify User/Group Information via openat syscall - /etc/shadow | xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat | medium | CCE-82710-5
Record Events that Modify User/Group Information via openat syscall - /etc/shadow Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_shadow_openat:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82710-5
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write events to the /etc/shadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the file /etc/audit/audit.rules.
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
The a2&03 filter masks the flags argument of openat so that only opens for writing (O_WRONLY or O_RDWR) are recorded; read-only access to /etc/shadow, which is already restricted by file permissions, is not logged by this rule.
Rationale Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
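The checks on this page for the kernel module rules (init_module, delete_module, finit_module) and for the /etc/group and /etc/shadow write rules all match rule text with a regular expression that accepts -k or -F key=, several syscalls in one -S list, and auid!=unset or auid!=4294967295. The following Python script, added here as an example and not part of the SCAP report or the SSG content, does the same comparison on parsed rule fields, which makes it easy to extend to further rules and shows exactly which (rule, arch) pair is missing. Everything in it is the example's own: SAMPLE_RULES is constructed (it mirrors the rule file the report found on the system plus a deliberately missing /etc/shadow b64 rule), and Rule, Requirement, parse_rule, find_gaps and REQUIREMENTS are names chosen for the example.

```python
"""Check an audit rules file for required syscall rules on parsed fields
rather than with one regular expression per rule.
Added example, not part of the SCAP report or the SSG content."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input standing in for /etc/audit/audit.rules.
SAMPLE_RULES = """\
## kernel module loading/unloading, as found on the reported system
-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules
## /etc/group in the grouped form: several syscalls per rule, -F key= not -k
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=4294967295 -F key=modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
## /etc/shadow: 32-bit rule only, a gap the checker must report
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
"""

# field, operator, value; two-character operators first so ">=" is not read as ">"
_FILTER = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|&=|=|>|<|&)(.+)$")


@dataclass(frozen=True)
class Rule:
    action: str                               # e.g. "always,exit"
    arch: str | None                          # "b32", "b64" or None
    syscalls: frozenset[str]
    filters: frozenset[tuple[str, str, str]]  # (field, op, value)
    key: str | None


def _normalise(field: str, op: str, value: str) -> tuple[str, str, str]:
    # auditctl reports an unset login UID as 4294967295 (-1 as u32);
    # treat it as "unset", exactly as the OVAL patterns on this page do.
    if field == "auid" and value == "4294967295":
        value = "unset"
    return field, op, value


def parse_rule(line: str) -> Rule | None:
    """Parse one '-a' syscall rule. Comments, blank lines and -w/-D/-e/-b
    lines return None; an option this parser does not know raises."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-a":
        return None
    arch = key = None
    syscalls: set[str] = set()
    filters: set[tuple[str, str, str]] = set()
    for flag, val in zip(toks[2::2], toks[3::2]):
        if flag == "-S":
            syscalls.update(val.split(","))
        elif flag == "-k":
            key = val
        elif flag == "-F":
            m = _FILTER.match(val)
            if m is None:
                raise ValueError(f"bad filter {val!r} in: {line}")
            field, op, value = m.groups()
            if field == "arch" and op == "=":
                arch = value
            elif field == "key" and op == "=":
                key = value
            else:
                filters.add(_normalise(field, op, value))
        else:
            raise ValueError(f"unsupported option {flag!r} in: {line}")
    return Rule(toks[1], arch, frozenset(syscalls), frozenset(filters), key)


@dataclass(frozen=True)
class Requirement:
    name: str
    syscall: str
    filters: frozenset[tuple[str, str, str]] = frozenset()


def satisfied(rule: Rule, req: Requirement, arch: str) -> bool:
    return (rule.action == "always,exit" and rule.arch == arch
            and req.syscall in rule.syscalls
            and req.filters <= rule.filters
            and rule.key is not None)


def find_gaps(rules_text: str, reqs: list[Requirement],
              is_64bit: bool = True) -> list[tuple[str, str]]:
    """Return (requirement name, arch) pairs with no matching rule. A 64-bit
    system needs b32 and b64 rules: a 32-bit compat process enters the kernel
    through the b32 syscall table and misses a b64-only rule."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    archs = ("b32", "b64") if is_64bit else ("b32",)
    return [(req.name, arch) for req in reqs for arch in archs
            if not any(satisfied(r, req, arch) for r in rules)]


def user_file_filters(path: str) -> frozenset[tuple[str, str, str]]:
    # a2 is the flags argument of openat/open_by_handle_at; &03 keeps only
    # O_WRONLY (1) and O_RDWR (2), i.e. opens for writing
    return frozenset({("a2", "&", "03"), ("path", "=", path),
                      ("auid", ">=", "1000"), ("auid", "!=", "unset")})


REQUIREMENTS = [
    *(Requirement(f"kernel_module_{s}", s)
      for s in ("init_module", "delete_module", "finit_module")),
    Requirement("etc_group_open_by_handle_at", "open_by_handle_at",
                user_file_filters("/etc/group")),
    Requirement("etc_shadow_openat", "openat", user_file_filters("/etc/shadow")),
]

if __name__ == "__main__":
    for name, arch in find_gaps(SAMPLE_RULES, REQUIREMENTS):
        print(f"missing: {name} for arch={arch}")
```

Run it against the real file with find_gaps(open("/etc/audit/audit.rules").read(), REQUIREMENTS); an empty list means every required (rule, arch) pair is present in the file. Like the OVAL checks on this page, this inspects the file, not the ruleset the kernel actually loaded, so compare with auditctl -l when the two might differ.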
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_openat_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_openat_64bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_openat_32bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_openat_64bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Ensure auditd Collects Information on Exporting to Media (successful) | xccdf_org.ssgproject.content_rule_audit_rules_media_export | medium | CCE-82587-7
Ensure auditd Collects Information on Exporting to Media (successful) Rule ID xccdf_org.ssgproject.content_rule_audit_rules_media_export Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_media_export:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82587-7
References:
5.2.13 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000135 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.2.7 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172
Description
At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Rationale
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
OVAL test results details
Test: audit augenrules
Test ID: oval:ssg-test_audit_rules_augenrules:tst:1
Result: true
Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
Test: audit augenrules mount 32-bit
Test ID: oval:ssg-test_audit_rules_media_export_mount_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_media_export_mount_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit augenrules mount 64-bit
Test ID: oval:ssg-test_64bit_ardm_media_export_mount_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_media_export_mount_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Test: audit auditctl
Test ID: oval:ssg-test_audit_rules_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: audit auditctl mount 32-bit
Test ID: oval:ssg-test_audit_rules_media_export_mount_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_media_export_mount_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: audit auditctl mount 64-bit
Test ID: oval:ssg-test_64bit_ardm_media_export_mount_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_media_export_mount_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Record Attempts to Alter Process and Session Initiation Information
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_session_events
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_session_events:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers: CCE-82612-3
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.3
Description
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details
Test: audit augenrules
Test ID: oval:ssg-test_audit_rules_augenrules:tst:1
Result: true
Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
Test: audit augenrules utmp
Test ID: oval:ssg-test_arse_utmp_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_arse_utmp_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Test: audit augenrules btmp
Test ID: oval:ssg-test_arse_btmp_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_arse_btmp_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Test: audit augenrules wtmp
Test ID: oval:ssg-test_arse_wtmp_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_arse_wtmp_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Test: audit auditctl
Test ID: oval:ssg-test_audit_rules_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: audit auditctl utmp
Test ID: oval:ssg-test_arse_utmp_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_arse_utmp_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Test: audit auditctl btmp
Test ID: oval:ssg-test_arse_btmp_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_arse_btmp_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Test: audit auditctl wtmp
Test ID: oval:ssg-test_arse_wtmp_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_arse_wtmp_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$
  Instance: 1
Ensure auditd Collects System Administrator Actions
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_sysadmin_actions:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers: CCE-82613-1
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000126 , CCI-000130 , CCI-000135 , CCI-000172 , CCI-002884 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.1 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , AC-2(7)(b) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-1 , PR.AC-3 , PR.AC-4 , PR.AC-6 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.2 , Req-10.2.5.b , SRG-OS-000037-GPOS-00015 , SRG-OS-000042-GPOS-00020 , SRG-OS-000392-GPOS-00172 , SRG-OS-000462-GPOS-00206 , SRG-OS-000471-GPOS-00215 , SRG-OS-000462-VMM-001840 , SRG-OS-000471-VMM-001910
Description
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.
OVAL test results details
Test: audit augenrules
Test ID: oval:ssg-test_audit_rules_augenrules:tst:1
Result: true
Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
Test: audit augenrules sudoers
Test ID: oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
  Instance: 1
Test: audit augenrules sudoers
Test ID: oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
  Instance: 1
Test: audit auditctl
Test ID: oval:ssg-test_audit_rules_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: audit auditctl sudoers
Test ID: oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
  Instance: 1
Test: audit auditctl sudoers
Test ID: oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
  Instance: 1
System Audit Logs Must Have Mode 0750 or Less Permissive
Rule ID: xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-directory_permissions_var_log_audit:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: unknown
Identifiers and References
Identifiers: CCE-82692-5
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 3 , 4 , 5 , 6 , 7 , 8 , APO01.06 , APO11.04 , APO12.06 , BAI03.05 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , DSS06.02 , MEA02.01 , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.7.3 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 5.2 , SR 6.1 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-6(a) , AC-6(1) , AU-9 , DE.AE-3 , DE.AE-5 , PR.AC-4 , PR.DS-5 , PR.PT-1 , RS.AN-1 , RS.AN-4
Description
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:
$ sudo chmod 0750 /var/log/audit
Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0700 /var/log/audit
Rationale
If users can write to audit logs, audit trails can be modified or destroyed.
OVAL test results details
Test: /var/log/audit mode 0700
Test ID: oval:ssg-test_dir_permissions_var_log_audit:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_var_log_audit_directory:obj:1 of type file_object
  Behaviors: no value
  Path: /var/log/audit
  Filename: ^.*$
  Filter: oval:ssg-state_not_mode_0700:ste:1
Test: log_group = root
Test ID: oval:ssg-test_auditd_conf_log_group_not_root:tst:1
Result: false
Following items have been found on the system: Path /etc/audit/auditd.conf; Content log_group = root
Test: /var/log/audit files mode 0750
Test ID: oval:ssg-test_dir_permissions_var_log_audit-non_root:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_var_log_audit_directory-non_root:obj:1 of type file_object
  Behaviors: no value
  Path: /var/log/audit
  Filename: ^.*$
  Filter: oval:ssg-state_not_mode_0750:ste:1
Record Events that Modify User/Group Information via open syscall - /etc/gshadow
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_etc_gshadow_open:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers: CCE-82703-0
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description
The audit system should collect write events to the /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
Rationale
Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
OVAL test results details
Test: audit augenrules
Test ID: oval:ssg-test_audit_rules_augenrules:tst:1
Result: true
Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
Test: defined audit rule must exist
Test ID: oval:ssg-test_audit_rules_etc_gshadow_open_32bit_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_gshadow_open_32bit_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: defined audit rule must exist
Test ID: oval:ssg-test_audit_rules_etc_gshadow_open_64bit_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_gshadow_open_64bit_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: audit auditctl
Test ID: oval:ssg-test_audit_rules_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: defined audit rule must exist
Test ID: oval:ssg-test_audit_rules_etc_gshadow_open_32bit_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_gshadow_open_32bit_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: defined audit rule must exist
Test ID: oval:ssg-test_audit_rules_etc_gshadow_open_64bit_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_gshadow_open_64bit_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Record Events that Modify User/Group Information via openat syscall - /etc/group
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_etc_group_openat:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers: CCE-82701-4
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description
The audit system should collect write events to the /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
Rationale
Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
OVAL test results details
Test: audit augenrules
Test ID: oval:ssg-test_audit_rules_augenrules:tst:1
Result: true
Following items have been found on the system: Path /usr/lib/systemd/system/auditd.service; Content ExecStartPost=-/sbin/augenrules --load
Test: defined audit rule must exist
Test ID: oval:ssg-test_audit_rules_etc_group_openat_32bit_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_openat_32bit_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: defined audit rule must exist
Test ID: oval:ssg-test_audit_rules_etc_group_openat_64bit_augenrules:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_openat_64bit_augenrules:obj:1 of type textfilecontent54_object
  Filepath: ^/etc/audit/rules\.d/.*\.rules$
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: audit auditctl
Test ID: oval:ssg-test_audit_rules_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /usr/lib/systemd/system/auditd.service
  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
  Instance: 1
Test: defined audit rule must exist
Test ID: oval:ssg-test_audit_rules_etc_group_openat_32bit_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_openat_32bit_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
Test: 64 bit architecture
Test ID: oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
Test: defined audit rule must exist
Test ID: oval:ssg-test_audit_rules_etc_group_openat_64bit_auditctl:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_openat_64bit_auditctl:obj:1 of type textfilecontent54_object
  Filepath: /etc/audit/audit.rules
  Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
  Instance: 1
Record Events that Modify User/Group Information via openat syscall - /etc/gshadow xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat medium CCE-82704-8
Record Events that Modify User/Group Information via openat syscall - /etc/gshadow Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_gshadow_openat:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82704-8
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write events to the /etc/gshadow file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
Rationale Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_gshadow_openat_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_gshadow_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_gshadow_openat_64bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_gshadow_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_gshadow_openat_32bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_gshadow_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_gshadow_openat_64bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_gshadow_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Record Access Events to Audit Log Directory xccdf_org.ssgproject.content_rule_directory_access_var_log_audit medium CCE-82712-1
Record Access Events to Audit Log Directory Rule ID xccdf_org.ssgproject.content_rule_directory_access_var_log_audit Result Multi-check rule no OVAL Definition ID oval:ssg-directory_access_var_log_audit:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82712-1
References:
AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect read access events to the audit log directory. The following audit rule will ensure that accesses to the audit log directory are collected:
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rule to a file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rule to the /etc/audit/audit.rules file.
Rationale Attempts to read the logs should be recorded; suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_directory_acccess_var_log_audit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_directory_acccess_var_log_audit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_directory_acccess_var_log_audit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_directory_acccess_var_log_audit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Record Events that Modify User/Group Information - /etc/passwd xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd medium CCE-82657-8
Record Events that Modify User/Group Information - /etc/passwd Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_usergroup_modification_passwd:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82657-8
References:
5.2.5 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000018 , CCI-000172 , CCI-001403 , CCI-001404 , CCI-001405 , CCI-001683 , CCI-001684 , CCI-001685 , CCI-001686 , CCI-002130 , CCI-002132 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.1 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-1 , PR.AC-3 , PR.AC-4 , PR.AC-6 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.5 , SRG-OS-000004-GPOS-00004 , SRG-OS-000239-GPOS-00089 , SRG-OS-000240-GPOS-00090 , SRG-OS-000241-GPOS-00091 , SRG-OS-000274-GPOS-00104 , SRG-OS-000275-GPOS-00105 , SRG-OS-000276-GPOS-00106 , SRG-OS-000277-GPOS-00107 , SRG-OS-000303-GPOS-00120 , SRG-OS-000476-GPOS-00221 , SRG-OS-000004-VMM-000040 , SRG-OS-000239-VMM-000810 , SRG-OS-000240-VMM-000820 , SRG-OS-000241-VMM-000830 , SRG-OS-000274-VMM-000960 , SRG-OS-000275-VMM-000970 , SRG-OS-000276-VMM-000980 , SRG-OS-000277-VMM-000990 , SRG-OS-000303-VMM-001090 , SRG-OS-000304-VMM-001100 , SRG-OS-000476-VMM-001960
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account information:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture events that modify account information:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Rationale In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_usergroup_modification.rules -w /etc/passwd -p wa -k audit_rules_usergroup_modification
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules -w /etc/passwd -p wa -k audit_rules_usergroup_modification
System Audit Logs Must Have Mode 0640 or Less Permissive xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit medium CCE-82690-9
System Audit Logs Must Have Mode 0640 or Less Permissive Rule ID xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit Result Multi-check rule no OVAL Definition ID oval:ssg-file_permissions_var_log_audit:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82690-9
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO01.06 , APO11.04 , APO12.06 , BAI03.05 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , DSS06.02 , MEA02.01 , 3.3.1 , CCI-000162 , CCI-000163 , CCI-000164 , CCI-001314 , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.7.3 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 5.2 , SR 6.1 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-6(a) , AC-6(1) , AU-9(4) , DE.AE-3 , DE.AE-5 , PR.AC-4 , PR.DS-5 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.5 , SRG-OS-000057-GPOS-00027 , SRG-OS-000058-GPOS-00028 , SRG-OS-000059-GPOS-00029 , SRG-OS-000206-GPOS-00084
Description If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file
Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file
Rationale If users can write to audit logs, audit trails can be modified or destroyed.
OVAL test results details
/var/log/audit files mode 0600
oval:ssg-test_file_permissions_var_log_audit:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_var_log_audit_files:obj:1 of type
file_object Behaviors Path Filename Filter no value /var/log/audit ^.*$ oval:ssg-state_not_mode_0600:ste:1
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf log_group = root
/var/log/audit files mode 0640
oval:ssg-test_file_permissions_var_log_audit-non_root:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_var_log_audit_files-non_root:obj:1 of type
file_object Behaviors Path Filename Filter no value /var/log/audit ^.*$ oval:ssg-state_not_mode_0640:ste:1
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at medium CCE-82711-3
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_shadow_open_by_handle_at:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82711-3
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write events to the /etc/shadow file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
Rationale Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_open_by_handle_at_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_open_by_handle_at_64bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_open_by_handle_at_32bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_open_by_handle_at_64bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Record Events that Modify User/Group Information - /etc/security/opasswd xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd medium CCE-82656-0
Record Events that Modify User/Group Information - /etc/security/opasswd Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_usergroup_modification_opasswd:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82656-0
References:
5.2.5 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000018 , CCI-000172 , CCI-001403 , CCI-001404 , CCI-001405 , CCI-001683 , CCI-001684 , CCI-001685 , CCI-001686 , CCI-002130 , CCI-002132 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.1 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-1 , PR.AC-3 , PR.AC-4 , PR.AC-6 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.5 , SRG-OS-000003-GPOS-00004 , SRG-OS-000004-GPOS-00004 , SRG-OS-000004-VMM-000040 , SRG-OS-000239-VMM-000810 , SRG-OS-000240-VMM-000820 , SRG-OS-000241-VMM-000830 , SRG-OS-000274-VMM-000960 , SRG-OS-000275-VMM-000970 , SRG-OS-000276-VMM-000980 , SRG-OS-000277-VMM-000990 , SRG-OS-000303-VMM-001090 , SRG-OS-000304-VMM-001100 , SRG-OS-000476-VMM-001960
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account information:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture events that modify account information:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Rationale In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_usergroup_modification.rules -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/gshadow xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow medium CCE-82655-2
Record Events that Modify User/Group Information - /etc/gshadow Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_usergroup_modification_gshadow:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82655-2
References:
5.2.5 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000018 , CCI-000172 , CCI-001403 , CCI-001404 , CCI-001405 , CCI-001683 , CCI-001684 , CCI-001685 , CCI-001686 , CCI-002130 , CCI-002132 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.1 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-1 , PR.AC-3 , PR.AC-4 , PR.AC-6 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.5 , SRG-OS-000004-GPOS-00004 , SRG-OS-000004-VMM-000040 , SRG-OS-000239-VMM-000810 , SRG-OS-000240-VMM-000820 , SRG-OS-000241-VMM-000830 , SRG-OS-000274-VMM-000960 , SRG-OS-000275-VMM-000970 , SRG-OS-000276-VMM-000980 , SRG-OS-000277-VMM-000990 , SRG-OS-000303-VMM-001090 , SRG-OS-000304-VMM-001100 , SRG-OS-000476-VMM-001960
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify /etc/gshadow:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
The -p wa permissions request auditing of writes (w) and attribute changes (a) to the file; the key names the rule so that matching records can be found with ausearch -k audit_rules_usergroup_modification.
Rationale In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_usergroup_modification.rules -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information via open syscall - /etc/group (xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open, severity medium, CCE-82700-6)
Record Events that Modify User/Group Information via open syscall - /etc/group Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_group_open:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82700-6
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write-mode opens of the /etc/group file. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
How the filters work: a1 is the flags argument of open(pathname, flags, mode), and -F a1&03 matches only when O_WRONLY (1) or O_RDWR (2) is set, so read-only opens of /etc/group are not recorded. The auid filters restrict the rule to processes whose login UID belongs to a regular user account (1000 or above). That login UID survives su and sudo, so a user who escalates to root is still recorded, while direct root logins (auid 0) and daemons started at boot (auid unset, which the check below also accepts written as 4294967295) are not.
Rationale Creation of groups by directly editing /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient, provided the grouped calls keep their flags in the same argument: openat and open_by_handle_at take theirs in a2, so they cannot be appended to this rule's -S list under -F a1&03. The example below is the single-syscall form:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_group_open_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_open_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_group_open_64bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_open_64bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_group_open_32bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_open_32bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_group_open_64bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_group_open_64bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Record Events that Modify the System's Mandatory Access Controls (xccdf_org.ssgproject.content_rule_audit_rules_mac_modification, severity medium, CCE-82586-9)
Record Events that Modify the System's Mandatory Access Controls Rule ID xccdf_org.ssgproject.content_rule_audit_rules_mac_modification Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_mac_modification:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82586-9
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.8 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.5.5
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
The -p wa permissions request auditing of writes (w) and attribute changes (a). The OVAL pattern below accepts the two letters in either order, with r or x added, but fails a watch that lacks either of them, and it accepts the key written either as -k MAC-policy or as -F key=MAC-policy.
Rationale The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
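The following Python check is an added example, not code from this report or from the SCAP Security Guide project. It turns the OVAL watch-rule pattern quoted in the results below into a reusable check and applies it to the /etc/selinux/ watch of this rule and to the /etc/gshadow watch of the earlier rule alike: it concatenates a rules.d directory in lexical order, as augenrules does, then reports which required watches are present with a permission set containing both w and a. The sample rules text is constructed for the example (the /etc/selinux/ line deliberately asks for w only), and the function and variable names are the example's own.

```python
import glob
import os
import re

# Permission set the report's OVAL pattern accepts for a watch: both write (w)
# and attribute change (a) must be present; r and x may appear anywhere.
_PERMS = r"(?:[rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)"


def watch_rule(path, key):
    """Render a watch rule in the form used throughout the report."""
    return f"-w {path} -p wa -k {key}"


def watch_key(rules_text, path):
    """Mirror of the OVAL textfilecontent54 check for a -w watch on `path`.
    Returns the rule's key when a conforming watch exists, otherwise None."""
    pat = re.compile(
        r"^\s*-w\s+" + re.escape(path) + r"\s+-p\s+\b" + _PERMS + r"\b\s+"
        r"(?:-k\s+|-F\s+key=)([-\w]+)\s*$"
    )
    for line in rules_text.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1)
    return None


def load_rules_dir(directory="/etc/audit/rules.d"):
    """Concatenate *.rules files in lexical order, as augenrules does, so a
    live host can be checked with check_watches(load_rules_dir(), ...)."""
    parts = []
    for name in sorted(glob.glob(os.path.join(directory, "*.rules"))):
        with open(name, encoding="utf-8") as fh:
            parts.append(fh.read())
    return "\n".join(parts)


def check_watches(rules_text, required):
    """Map each required path to the key of its conforming watch, or None.
    A None entry is a finding: either no watch, or one lacking w or a."""
    return {path: watch_key(rules_text, path) for path in required}


# Constructed sample standing in for /etc/audit/rules.d/*.rules; the second
# line requests only write permission and must therefore be reported.
SAMPLE_RULES = "\n".join([
    "## constructed sample, not a real rules.d file",
    "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification",
    "-w /etc/selinux/ -p w -k MAC-policy",
    "-w /etc/shadow -p rwxa -F key=user-modify",
])

REQUIRED_WATCHES = ("/etc/gshadow", "/etc/selinux/", "/etc/shadow")


if __name__ == "__main__":
    for path, key in check_watches(SAMPLE_RULES, REQUIRED_WATCHES).items():
        status = f"ok (key {key})" if key else "MISSING or wrong -p"
        print(f"{path}: {status}")
```

On a live system replace SAMPLE_RULES with load_rules_dir() for the augenrules case, or with the contents of /etc/audit/audit.rules for the auditctl case; the rule file only proves intent, so confirm the loaded state with auditctl -l afterwards.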
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit selinux changes augenrules
oval:ssg-test_armm_selinux_watch_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_armm_selinux_watch_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit selinux changes auditctl
oval:ssg-test_armm_selinux_watch_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_armm_selinux_watch_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 1
System Audit Logs Must Be Owned By Root (xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit, severity medium, CCE-82691-7)
System Audit Logs Must Be Owned By Root Rule ID xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit Result Multi-check rule no OVAL Definition ID oval:ssg-file_ownership_var_log_audit:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82691-7
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO01.06 , APO11.04 , APO12.06 , BAI03.05 , BAI08.02 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.04 , DSS05.07 , DSS06.02 , MEA02.01 , 3.3.1 , CCI-000162 , CCI-000163 , CCI-000164 , CCI-001314 , 4.2.3.10 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.7.3 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 5.2 , SR 6.1 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-6(a) , AC-6(1) , AU-9(4) , DE.AE-3 , DE.AE-5 , PR.AC-4 , PR.DS-5 , PR.PT-1 , RS.AN-1 , RS.AN-4 , Req-10.5.1 , SRG-OS-000057-GPOS-00027 , SRG-OS-000058-GPOS-00028 , SRG-OS-000059-GPOS-00029 , SRG-OS-000206-GPOS-00084
Description All audit logs must be owned by the root user and the root group. By default, the audit log path is /var/log/audit/.
To properly set the owner and group of /var/log/audit, run the command:
$ sudo chown root:root /var/log/audit
To properly set the owner and group of the files in /var/log/audit, run the command:
$ sudo chown root:root /var/log/audit/*
The group is also governed by the log_group directive in /etc/audit/auditd.conf: auditd applies that group to the log files it creates, so a log_group value other than root will undo the chown above at the next rotation. The check below therefore verifies both the ownership of the directory and its files and that log_group is root.
Rationale Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising their confidentiality.
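The following Python check is an added example, not code from this report or from the SCAP Security Guide project. It evaluates both conditions this rule's OVAL checks: every entry under the audit log directory owned by uid 0 and gid 0, and log_group in auditd.conf set to root. The ownership test is a pure function over (path, uid, gid) tuples so it can run on constructed data; audit_dir_entries() produces the same tuples from a live host. The sample entries and sample auditd.conf are constructed for the example, and the function names are the example's own.

```python
import os
import re

AUDIT_LOG_DIR = "/var/log/audit"


def parse_log_group(auditd_conf_text):
    """Return the log_group value from auditd.conf text; auditd's default
    when the directive is absent is root."""
    for line in auditd_conf_text.splitlines():
        m = re.match(r"^\s*log_group\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return "root"


def not_root_owned(entries):
    """`entries` is an iterable of (path, uid, gid); return the ones not
    owned by uid 0 and gid 0. Kept pure so it can run on constructed data."""
    return [(p, u, g) for p, u, g in entries if u != 0 or g != 0]


def audit_dir_entries(directory=AUDIT_LOG_DIR):
    """Yield (path, uid, gid) for the audit log directory and everything
    below it, matching the scope of the report's two file_object checks."""
    st = os.lstat(directory)
    yield directory, st.st_uid, st.st_gid
    for root, dirs, files in os.walk(directory):
        for name in dirs + files:
            p = os.path.join(root, name)
            st = os.lstat(p)
            yield p, st.st_uid, st.st_gid


def findings(entries, auditd_conf_text):
    """Combine both conditions the report checks: every entry root:root and
    log_group = root. Returns a list of human-readable findings."""
    out = [f"{p} is owned by {u}:{g}, expected 0:0"
           for p, u, g in not_root_owned(entries)]
    group = parse_log_group(auditd_conf_text)
    if group != "root":
        out.append(f"log_group = {group} in auditd.conf; auditd will reapply "
                   f"that group to new log files, set it to root")
    return out


# Constructed sample standing in for a live host: one rotated log has been
# handed to gid 1000, and auditd.conf names a non-root group.
SAMPLE_ENTRIES = [
    ("/var/log/audit", 0, 0),
    ("/var/log/audit/audit.log", 0, 0),
    ("/var/log/audit/audit.log.1", 0, 1000),
]
SAMPLE_CONF = ("## constructed sample\n"
               "log_file = /var/log/audit/audit.log\n"
               "log_group = adm\n")


if __name__ == "__main__":
    for finding in findings(SAMPLE_ENTRIES, SAMPLE_CONF):
        print(finding)
```

For a real scan call findings(list(audit_dir_entries()), open("/etc/audit/auditd.conf").read()) as root; the directory is mode 0700 in the report above, so an unprivileged run cannot even list it.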
OVAL test results details
/var/log/audit files uid root gid root
oval:ssg-test_ownership_var_log_audit_files:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-object_ownership_var_log_audit_files:obj:1 of type
file_object Behaviors Path Filename Filter no value /var/log/audit ^.*$ oval:ssg-state_owner_not_root_root_var_log_audit:ste:1
/var/log/audit directories uid root gid root
oval:ssg-test_ownership_var_log_audit_directories:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-object_ownership_var_log_audit_directories:obj:1 of type
file_object Behaviors Path Filename Filter no value /var/log/audit no value oval:ssg-state_owner_not_root_root_var_log_audit:ste:1
log_group = root
oval:ssg-test_auditd_conf_log_group_not_root:tst:1
false Following items have been found on the system: Path Content /etc/audit/auditd.conf log_group = root
/var/log/audit files uid root gid root
oval:ssg-test_ownership_var_log_audit_files-non_root:tst:1
true Following items have been found on the system: Path Type UID GID Size (B) Permissions /var/log/audit/audit.log regular 0 0 1077949 rw-------
/var/log/audit directories uid root gid root
oval:ssg-test_ownership_var_log_audit_directories-non_root:tst:1
true Following items have been found on the system: Path Type UID GID Size (B) Permissions /var/log/audit/ directory 0 0 23 rwx------
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd (xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at, severity medium, CCE-82708-9)
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_passwd_open_by_handle_at:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82708-9
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write-mode opens of the /etc/passwd file made through the open_by_handle_at system call. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
The flags of open_by_handle_at(mount_fd, handle, flags) are its third argument, hence the filter is on a2 here rather than the a1 used for open. As with the other rules in this family, the auid filters exclude direct root logins (auid 0) and boot-time daemons (auid unset).
Rationale Creation of users by directly editing /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient; openat and open_by_handle_at both carry their flags in a2, so they can share one rule. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_open_by_handle_at_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_open_by_handle_at_64bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_open_by_handle_at_32bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_open_by_handle_at_64bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Record Events that Modify User/Group Information via open syscall - /etc/shadow (xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open, severity medium, CCE-82709-7)
Record Events that Modify User/Group Information via open syscall - /etc/shadow Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_shadow_open:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82709-7
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write-mode opens of the /etc/shadow file. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
The a1&03 and auid filters have the same meaning as in the /etc/group rule above: only opens with O_WRONLY or O_RDWR set, by processes whose login UID belongs to a regular user account, are recorded.
Rationale Creation of users, or changes to their password hashes, by directly editing /etc/shadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient, but only where the grouped calls take their flags in the same argument. The example below, as carried in this report, groups open (flags in a1) with openat and open_by_handle_at (flags in a2) under a single -F a1&03 filter; for the latter two the filter then tests the wrong argument, so they need their own rule with -F a2&03, as in the /etc/passwd openat and open_by_handle_at rules of this report:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_open_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_open_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_open_64bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_open_64bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_open_32bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_open_32bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_shadow_open_64bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_shadow_open_64bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Record Events that Modify User/Group Information via openat syscall - /etc/passwd (xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat, severity medium, CCE-82707-1)
Record Events that Modify User/Group Information via openat syscall - /etc/passwd Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_passwd_openat:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82707-1
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write-mode opens of the /etc/passwd file made through the openat system call. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
The flags of openat(dirfd, pathname, flags, mode) are its third argument, hence the filter is on a2 rather than the a1 used for open. Most modern libc and editor code paths open files through openat, so this rule, not the plain open rule, is the one that usually fires for an interactive edit of /etc/passwd.
Rationale Creation of users by directly editing /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient; openat and open_by_handle_at both carry their flags in a2, so they can share one rule. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
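The following Python module is an added example, not code from this report or from the SCAP Security Guide project. It serves the four syscall rules above (/etc/group via open, /etc/passwd via open_by_handle_at and openat, /etc/shadow via open): generate_rules() emits the b32 and b64 rules for a path, grouping only those syscalls whose flags sit in the same argument (open in a1; openat and open_by_handle_at in a2, from the Linux syscall signatures), rule_present() mirrors the OVAL textfilecontent54 pattern quoted in the results so grouped rules still pass the same check, and grouping_errors() flags the mismatch in the mixed example carried under the /etc/shadow warning. The grouped layout it produces goes beyond the one-syscall-per-rule form shown on the page; FLAGS_ARG and the function names are the example's own, and MIXED_EXAMPLE is the page's own rule line reproduced for the test.

```python
import re

# Which syscall argument carries the open(2)-style flags, i.e. the argument
# that -F aN&03 must test (O_WRONLY = 1, O_RDWR = 2, so &03 != 0 means a
# write-mode open):
#   open(pathname, flags, mode)                 -> flags in a1
#   openat(dirfd, pathname, flags, mode)        -> flags in a2
#   open_by_handle_at(mount_fd, handle, flags)  -> flags in a2
FLAGS_ARG = {"open": 1, "openat": 2, "open_by_handle_at": 2}
ARCHES = ("b32", "b64")
AUID_FILTERS = "-F auid>=1000 -F auid!=unset"


def generate_rules(path, key, syscalls=("open", "openat", "open_by_handle_at")):
    """Emit the write-mode open rules for `path`, for both arches. Syscalls
    whose flags live in the same argument share one -S list; the rest are
    split, because a single -F aN&03 filter can only test one argument."""
    by_arg = {}
    for sc in syscalls:
        by_arg.setdefault(FLAGS_ARG[sc], []).append(sc)
    lines = []
    for arg in sorted(by_arg):
        for arch in ARCHES:
            lines.append(
                f"-a always,exit -F arch={arch} -S {','.join(by_arg[arg])} "
                f"-F a{arg}&03 -F path={path} {AUID_FILTERS} -F key={key}"
            )
    return lines


def grouping_errors(rule):
    """Return the syscalls in `rule` whose flags argument differs from the
    argument its -F aN&03 filter tests; an empty list means the grouping is
    sound. Syscalls not in FLAGS_ARG are ignored."""
    m_sys = re.search(r"-S\s+(\S+)", rule)
    m_arg = re.search(r"-F\s+a(\d)&0?3(?!\d)", rule)
    if not m_sys or not m_arg:
        return []
    arg = int(m_arg.group(1))
    return [sc for sc in m_sys.group(1).split(",")
            if sc in FLAGS_ARG and FLAGS_ARG[sc] != arg]


def rule_present(rules_text, arch, syscall, path):
    """Mirror of the report's OVAL textfilecontent54 pattern: is there a
    line defining the always,exit rule for `syscall` on `path` for `arch`,
    with the flags filter on the argument that syscall actually uses?"""
    pat = re.compile(
        r"^\s*-a\s+always,exit\s+(?:-F\s+arch=" + arch + r"\s+)"
        r"(?:-S\s+(?:\S+,)*(?:" + syscall + r")(?:,\S+)*)\s+"
        r"(?:-F\s+a" + str(FLAGS_ARG[syscall]) + r"&03)\s+"
        r"(?:-F\s+path=" + re.escape(path) + r")\s+"
        r"(?:-F\s+auid>=1000\s+)(?:-F\s+auid!=(?:unset|4294967295)\s+)"
        r"(?:-k\s+|-F\s+key=)\S+\s*$"
    )
    return any(pat.match(line) for line in rules_text.splitlines())


# The grouped example from the /etc/shadow warning above: open keeps its
# flags in a1, the other two in a2, so -F a1&03 tests the wrong argument
# for openat and open_by_handle_at.
MIXED_EXAMPLE = ("-a always,exit -F arch=b32 -S open,openat,open_by_handle_at "
                 "-F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset "
                 "-F key=user-modify")


if __name__ == "__main__":
    for line in generate_rules("/etc/shadow", "user-modify"):
        print(line)
    print("mismatched in mixed example:", grouping_errors(MIXED_EXAMPLE))
```

Write the generated lines to a file such as /etc/audit/rules.d/30-etc-shadow.rules, load them with augenrules --load, and confirm with auditctl -l; a write-mode open of the watched file by an interactive user then produces a SYSCALL record retrievable with ausearch -k user-modify.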
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_openat_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_openat_64bit_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_etc_passwd_openat_64bit_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_openat_32bit_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_etc_passwd_openat_32bit_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_openat_64bit_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_etc_passwd_openat_64bit_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_etc_gshadow_open_by_handle_at:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers: CCE-82705-5
References: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c
Description
The audit system should collect write events to the /etc/gshadow file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
Rationale
Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_gshadow_open_by_handle_at_32bit_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_etc_gshadow_open_by_handle_at_32bit_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_gshadow_open_by_handle_at_64bit_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_etc_gshadow_open_by_handle_at_64bit_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_gshadow_open_by_handle_at_32bit_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_etc_gshadow_open_by_handle_at_32bit_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_gshadow_open_by_handle_at_64bit_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_etc_gshadow_open_by_handle_at_64bit_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
Record Events that Modify the System's Network Environment
Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-audit_rules_networkconfig_modification:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers: CCE-82588-5
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.5.5
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
Rationale
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit /etc/issue augenrules
oval:ssg-test_arnm_etc_issue_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
Instance: 1
audit /etc/issue.net augenrules
oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
Instance: 1
audit /etc/hosts augenrules
oval:ssg-test_arnm_etc_hosts_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_hosts_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
Instance: 1
audit /etc/sysconfig/network augenrules
oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
Instance: 1
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit /etc/issue auditctl
oval:ssg-test_arnm_etc_issue_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
Instance: 1
audit /etc/issue.net auditctl
oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
Instance: 1
audit /etc/hosts auditctl
oval:ssg-test_arnm_etc_hosts_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_hosts_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
Instance: 1
audit /etc/sysconfig/network auditctl
oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$
Instance: 1
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
Filepath: /usr/lib/systemd/system/auditd.service
Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
Instance: 1
audit auditctl 32-bit sethostname
oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit auditctl 64-bit sethostname
oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type textfilecontent54_object
Filepath: /etc/audit/audit.rules
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
Result: true. Following items have been found on the system:
Path: /usr/lib/systemd/system/auditd.service
Content: ExecStartPost=-/sbin/augenrules --load
audit augenrules 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1
Result: false. No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type textfilecontent54_object
Filepath: ^/etc/audit/rules\.d/.*\.rules$
Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
Instance: 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
Result: not applicable. No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object
audit augenrules 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit auditctl 32-bit setdomainname
oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
audit auditctl 64-bit setdomainname
oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1
Record Events that Modify User/Group Information via open syscall - /etc/passwd xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open medium CCE-82706-3
Record Events that Modify User/Group Information via open syscall - /etc/passwd Rule ID xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_etc_passwd_open:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82706-3
References:
AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , FAU_GEN.1.1.c
Description The audit system should collect write events to the /etc/passwd file for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
Rationale Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_open_32bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_open_32bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_open_64bit_augenrules:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_open_64bit_augenrules:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ^/etc/audit/rules\.d/.*\.rules$ 1
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_open_32bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_open_32bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type
uname_object
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type
uname_object
defined audit rule must exist
oval:ssg-test_audit_rules_etc_passwd_open_64bit_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_etc_passwd_open_64bit_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ /etc/audit/audit.rules 1
Record Events that Modify User/Group Information - /etc/group xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group medium CCE-82654-5
Record Events that Modify User/Group Information - /etc/group Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_usergroup_modification_group:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82654-5
References:
5.2.5 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000018 , CCI-000172 , CCI-001403 , CCI-001404 , CCI-001405 , CCI-001683 , CCI-001684 , CCI-001685 , CCI-001686 , CCI-002130 , CCI-002132 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.1 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-1 , PR.AC-3 , PR.AC-4 , PR.AC-6 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.5 , SRG-OS-000004-GPOS-00004 , SRG-OS-000004-VMM-000040 , SRG-OS-000239-VMM-000810 , SRG-OS-000240-VMM-000820 , SRG-OS-000241-VMM-000830 , SRG-OS-000274-VMM-000960 , SRG-OS-000275-VMM-000970 , SRG-OS-000276-VMM-000980 , SRG-OS-000277-VMM-000990 , SRG-OS-000303-VMM-001090 , SRG-OS-000304-VMM-001100 , 
SRG-OS-000476-VMM-001960
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture account modification events:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture account modification events:
-w /etc/group -p wa -k audit_rules_usergroup_modification
Rationale In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules group
oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_usergroup_modification.rules -w /etc/group -p wa -k audit_rules_usergroup_modification
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit group
oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules -w /etc/group -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/shadow xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow medium CCE-82658-6
Record Events that Modify User/Group Information - /etc/shadow Rule ID xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow Result Multi-check rule no OVAL Definition ID oval:ssg-audit_rules_usergroup_modification_shadow:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82658-6
References:
5.2.5 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.1.7 , CCI-000018 , CCI-000172 , CCI-001403 , CCI-001404 , CCI-001405 , CCI-001683 , CCI-001684 , CCI-001685 , CCI-001686 , CCI-002130 , CCI-002132 , 164.308(a)(1)(ii)(D) , 164.308(a)(3)(ii)(A) , 164.308(a)(5)(ii)(C) , 164.312(a)(2)(i) , 164.312(b) , 164.312(d) , 164.312(e) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.1 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.1.2 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , AC-2(4) , AU-2(d) , AU-12(c) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-1 , PR.AC-3 , PR.AC-4 , PR.AC-6 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , FAU_GEN.1.1.c , Req-10.2.5 , SRG-OS-000004-GPOS-00004 , SRG-OS-000004-VMM-000040 , SRG-OS-000239-VMM-000810 , SRG-OS-000240-VMM-000820 , SRG-OS-000241-VMM-000830 , SRG-OS-000274-VMM-000960 , SRG-OS-000275-VMM-000970 , SRG-OS-000276-VMM-000980 , SRG-OS-000277-VMM-000990 , SRG-OS-000303-VMM-001090 , SRG-OS-000304-VMM-001100 , 
SRG-OS-000476-VMM-001960
Description If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture account modification events:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture account modification events:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Rationale In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true Following items have been found on the system: Path Content /usr/lib/systemd/system/auditd.service ExecStartPost=-/sbin/augenrules --load
audit augenrules shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1
true Following items have been found on the system: Path Content /etc/audit/rules.d/75-audit_rules_usergroup_modification.rules -w /etc/shadow -p wa -k audit_rules_usergroup_modification
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1
audit shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1
true Following items have been found on the system: Path Content /etc/audit/audit.rules -w /etc/shadow -p wa -k audit_rules_usergroup_modification
Ensure the audit Subsystem is Installed xccdf_org.ssgproject.content_rule_package_audit_installed medium CCE-82669-3
Ensure the audit Subsystem is Installed Rule ID xccdf_org.ssgproject.content_rule_package_audit_installed Result Multi-check rule no OVAL Definition ID oval:ssg-package_audit_installed:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82669-3
References:
NT28(R50) , AC-7(a) , AU-7(1) , AU-7(2) , AU-14 , AU-12(2) , AU-2(a) , CM-6(a) , SRG-OS-000480-GPOS-00227 , SRG-OS-000122-GPOS-00063
Description The audit package should be installed.
Rationale The auditd service is an access monitoring and accounting daemon: it watches system calls in order to audit any access, as distinct from a local access control policy such as the SELinux policy.
OVAL test results details
package audit is installed
oval:ssg-test_package_audit_installed:tst:1
true Following items have been found on the system: Name: audit, Arch: x86_64, Epoch: (none), Release: 0.13.20190507gitf58ec40.el8, Version: 3.0, Evr: 0:3.0-0.13.20190507gitf58ec40.el8, Signature keyid: 199e2f91fd431d51, Extended name: audit-0:3.0-0.13.20190507gitf58ec40.el8.x86_64
Enable auditd Service xccdf_org.ssgproject.content_rule_service_auditd_enabled high CCE-82463-1
Enable auditd Service Rule ID xccdf_org.ssgproject.content_rule_service_auditd_enabled Result Multi-check rule no OVAL Definition ID oval:ssg-service_auditd_enabled:def:1 Time 2020-05-28T09:49:15+00:00 Severity high Identifiers and References Identifiers:
CCE-82463-1
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.03 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.3.1 , 3.3.2 , 3.3.6 , CCI-000126 , CCI-000130 , CCI-000131 , CCI-000132 , CCI-000133 , CCI-000134 , CCI-000135 , CCI-001464 , CCI-001487 , CCI-001814 , 164.308(a)(1)(ii)(D) , 164.308(a)(5)(ii)(C) , 164.310(a)(2)(iv) , 164.310(d)(2)(iii) , 164.312(b) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 6.2 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.7 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AC-2(g) , AU-3 , AU-10 , AU-2(d) , AU-12(c) , AU-14(1) , AC-6(9) , CM-6(a) , DE.AE-3 , DE.AE-5 , DE.CM-1 , DE.CM-3 , DE.CM-7 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.1 , SRG-OS-000037-GPOS-00015 , SRG-OS-000038-GPOS-00016 , SRG-OS-000039-GPOS-00017 , SRG-OS-000040-GPOS-00018 , SRG-OS-000042-GPOS-00021 , SRG-OS-000254-GPOS-00095 , SRG-OS-000255-GPOS-00096 , SRG-OS-000365-GPOS-00152 , SRG-OS-000037-VMM-000150 , SRG-OS-000063-VMM-000310 , SRG-OS-000038-VMM-000160 , SRG-OS-000039-VMM-000170 , SRG-OS-000040-VMM-000180 , SRG-OS-000041-VMM-000190
Description The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
Rationale Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
OVAL test results details
package audit is installed
oval:ssg-test_service_auditd_package_audit_installed:tst:1
true Following items have been found on the system: Name: audit, Arch: x86_64, Epoch: (none), Release: 0.13.20190507gitf58ec40.el8, Version: 3.0, Evr: 0:3.0-0.13.20190507gitf58ec40.el8, Signature keyid: 199e2f91fd431d51, Extended name: audit-0:3.0-0.13.20190507gitf58ec40.el8.x86_64
Test that the auditd service is running
oval:ssg-test_service_running_auditd:tst:1
true Following items have been found on the system: Unit: auditd.service, Property: ActiveState, Value: active
systemd test
oval:ssg-test_multi_user_wants_auditd:tst:1
true Following items have been found on the system: Unit multi-user.target
systemd test
oval:ssg-test_multi_user_wants_auditd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target
Enable Auditing for Processes Which Start Prior to the Audit Daemon xccdf_org.ssgproject.content_rule_grub2_audit_argument medium CCE-82670-1
Enable Auditing for Processes Which Start Prior to the Audit Daemon Rule ID xccdf_org.ssgproject.content_rule_grub2_audit_argument Result Multi-check rule no OVAL Definition ID oval:ssg-grub2_audit_argument:def:1 Time 2020-05-28T09:49:15+00:00 Severity medium Identifiers and References Identifiers:
CCE-82670-1
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 19 , 3 , 4 , 5 , 6 , 7 , 8 , 5.4.1.1 , APO10.01 , APO10.03 , APO10.04 , APO10.05 , APO11.04 , APO12.06 , APO13.01 , BAI03.05 , BAI08.02 , DSS01.04 , DSS02.02 , DSS02.04 , DSS02.07 , DSS03.01 , DSS05.02 , DSS05.03 , DSS05.04 , DSS05.07 , MEA01.01 , MEA01.02 , MEA01.03 , MEA01.04 , MEA01.05 , MEA02.01 , 3.3.1 , CCI-001464 , CCI-000130 , 164.308(a)(1)(ii)(D) , 164.308(a)(5)(ii)(C) , 164.310(a)(2)(iv) , 164.310(d)(2)(iii) , 164.312(b) , 4.2.3.10 , 4.3.2.6.7 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.6.6 , 4.3.4.4.7 , 4.3.4.5.6 , 4.3.4.5.7 , 4.3.4.5.8 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.13 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.6 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.1 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.15.2.1 , A.15.2.2 , A.16.1.4 , A.16.1.5 , A.16.1.7 , A.6.2.1 , A.6.2.2 , AC-17(1) , AU-14(1) , AU-10 , CM-6(a) , IR-5(1) , DE.AE-3 , DE.AE-5 , ID.SC-4 , PR.AC-3 , PR.PT-1 , PR.PT-4 , RS.AN-1 , RS.AN-4 , Req-10.3 , SRG-OS-000254-GPOS-00095 , SRG-OS-000254-VMM-000880
Description To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /boot/grub2/grubenv, in the manner below:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
Rationale Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
Warnings warning
The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
OVAL test results details
check for kernel command line parameter audit=1 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_audit_argument_grub_env:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_grub2_audit_argument_grub_env:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /boot/grub2/grubenv ^kernelopts=(.*)$ 1
Extend Audit Backlog Limit for the Audit Daemon
Rule ID: xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-grub2_audit_backlog_limit_argument:def:1
Time: 2020-05-28T09:49:15+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82671-9
References:
CM-6(a) , SRG-OS-000254-GPOS-00095
Description
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
Rationale
audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during the boot process, the action defined by the audit failure flag is taken.
Warnings
warning: The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
OVAL test results details
Test: check for kernel command line parameters audit_backlog_limit=8192 in /boot/grub2/grubenv for all kernels
ID: oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_grub2_audit_backlog_limit_argument_grub_env:obj:1 of type textfilecontent54_object (Filepath: /boot/grub2/grubenv; Pattern: ^kernelopts=(.*)$; Instance: 1)
Verify and Correct Ownership with RPM
Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_ownership
Result:
Multi-check rule: no
Time: 2020-05-28T09:50:18+00:00
Severity: high
Identifiers and References
Identifiers:
CCE-82686-7
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , 6 , 9 , 5.10.4.1 , APO01.06 , APO11.04 , BAI03.05 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.04 , DSS05.07 , DSS06.02 , MEA02.01 , 3.3.8 , 3.4.1 , CCI-001494 , CCI-001496 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.7.3 , 4.3.4.3.2 , 4.3.4.3.3 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 5.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.5.1 , A.12.6.2 , A.12.7.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-6(d) , CM-6(c) , SI-7 , SI-7(1) , SI-7(6) , AU-9(3) , PR.AC-4 , PR.DS-5 , PR.IP-1 , PR.PT-1 , Req-11.5 , SRG-OS-000257-GPOS-00098 , SRG-OS-000278-GPOS-00108
Description
The RPM package management system can check the file ownership of installed software packages, including many that are important to system security. After locating a file with incorrect ownership, which can be found with
rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
run the following command to determine which package owns it:
$ rpm -qf FILENAME
Next, run the following command to reset its ownership to the correct values:
$ sudo rpm --setugids PACKAGENAME
Rationale
Incorrect ownership of binaries and configuration files could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Warnings
warning: Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
Evaluation messages
info: No candidate or applicable check found.
Verify and Correct File Permissions with RPM
Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Result:
Multi-check rule: no
Time: 2020-05-28T09:50:18+00:00
Severity: high
Identifiers and References
Identifiers:
CCE-82687-5
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , 6 , 9 , 5.10.4.1 , APO01.06 , APO11.04 , BAI03.05 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.04 , DSS05.07 , DSS06.02 , MEA02.01 , 3.3.8 , 3.4.1 , CCI-001493 , CCI-001494 , CCI-001495 , CCI-001496 , 164.308(a)(1)(ii)(D) , 164.312(b) , 164.312(c)(1) , 164.312(c)(2) , 164.312(e)(2)(i) , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.3.7.3 , 4.3.4.3.2 , 4.3.4.3.3 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , SR 5.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.5.1 , A.12.6.2 , A.12.7.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-6(d) , CM-6(c) , SI-7 , SI-7(1) , SI-7(6) , AU-9(3) , CM-6(a) , PR.AC-4 , PR.DS-5 , PR.IP-1 , PR.PT-1 , Req-11.5 , SRG-OS-000256-GPOS-00097 , SRG-OS-000257-GPOS-00098 , SRG-OS-000258-GPOS-00099 , SRG-OS-000278-GPOS-00108
Description
The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:
$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME
Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME
Rationale
Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Warnings
warning: Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
Evaluation messages
info: No candidate or applicable check found.
Enable FIPS Mode
Rule ID: xccdf_org.ssgproject.content_rule_enable_fips_mode
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-enable_fips_mode:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: high
Identifiers and References
Identifiers:
CCE-82540-6
References:
CCI-000068 , CCI-000803 , CCI-002450 , SC-12(2) , SC-12(3) , IA-7 , SC-13 , CM-6(a) , SC-12 , SRG-OS-000478-GPOS-00223 , SRG-OS-000396-GPOS-00176 , SRG-OS-000120-VMM-000600 , SRG-OS-000478-VMM-001980 , SRG-OS-000396-VMM-001590
Description
To enable FIPS mode, run the following command:
fips-mode-setup --enable
The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:
- Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
- Creating /etc/system-fips
- Setting the system crypto policy in /etc/crypto-policies/config to FIPS
- Loading the Dracut fips module
Furthermore, the system running in FIPS mode should be FIPS certified by NIST.
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings
warning: The system needs to be rebooted for these changes to take effect.
warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details
Test: /etc/system-fips exists
ID: oval:ssg-test_etc_system_fips:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_etc_system_fips:obj:1 of type file_object
Test: kernel runtime parameter crypto.fips_enabled set to 1
ID: oval:ssg-test_sysctl_crypto_fips_enabled:tst:1
Result: not applicable
No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_crypto_fips_enabled:obj:1 of type sysctl_object
Test: add_dracutmodules contains fips
ID: oval:ssg-test_enable_dracut_fips_module:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-object_enable_dracut_fips_module:obj:1 of type textfilecontent54_object (Filepath: /etc/dracut.conf.d/40-fips.conf; Pattern: ^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$; Instance: 1)
Test: check for crypto policy correctly configured in /etc/crypto-policies/config
ID: oval:ssg-test_configure_crypto_policy:tst:1
Result: false
Following items have been found on the system: Path: /etc/crypto-policies/config; Content: DEFAULT
Test: check for crypto policy correctly configured in /etc/crypto-policies/state/current
ID: oval:ssg-test_configure_crypto_policy_current:tst:1
Result: false
Following items have been found on the system: Path: /etc/crypto-policies/state/current; Content: DEFAULT
Test: Check if update-crypto-policies has been run
ID: oval:ssg-test_crypto_policies_updated:tst:1
Result: true
Following items have been found on the system: Var ref: oval:ssg-variable_crypto_policies_config_file_age:var:1; Value: 1446
Test: Check if /etc/crypto-policies/back-ends/nss.config exists
ID: oval:ssg-test_crypto_policy_nss_config:tst:1
Result: true
Following items have been found on the system: Path: /etc/crypto-policies/back-ends/nss.config; Type: symbolic link; UID: 0; GID: 0; Size (B): 42; Permissions: rwxrwxrwx
Test: Test installed OS is part of the unix family
ID: oval:ssg-test_unix_family:tst:1
Result: true
Following items have been found on the system:
Test: Test installed OS is part of the unix family
ID: oval:ssg-test_unix_family:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-object_unix_family:obj:1 of type family_object
Test: redhat-release-client is version 6
ID: oval:ssg-test_rhel_client:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel_client:obj:1 of type rpminfo_object (Name: redhat-release-client)
Test: redhat-release-client is version 6
ID: oval:ssg-test_rhel_client:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel_client:obj:1 of type rpminfo_object (Name: redhat-release-client)
Test: redhat-release-workstation is version 6
ID: oval:ssg-test_rhel_workstation:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel_workstation:obj:1 of type rpminfo_object (Name: redhat-release-workstation)
Test: redhat-release-workstation is version 6
ID: oval:ssg-test_rhel_workstation:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel_workstation:obj:1 of type rpminfo_object (Name: redhat-release-workstation)
Test: redhat-release-server is version 6
ID: oval:ssg-test_rhel_server:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel_server:obj:1 of type rpminfo_object (Name: redhat-release-server)
Test: redhat-release-server is version 6
ID: oval:ssg-test_rhel_server:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel_server:obj:1 of type rpminfo_object (Name: redhat-release-server)
Test: redhat-release-computenode is version 6
ID: oval:ssg-test_rhel_computenode:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel_computenode:obj:1 of type rpminfo_object (Name: redhat-release-computenode)
Test: redhat-release-computenode is version 6
ID: oval:ssg-test_rhel_computenode:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel_computenode:obj:1 of type rpminfo_object (Name: redhat-release-computenode)
Test: installed OS part of unix family
ID: oval:ssg-test_rhel7_unix_family:tst:1
Result: true
Following items have been found on the system:
Test: installed OS part of unix family
ID: oval:ssg-test_rhel7_unix_family:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object
Test: redhat-release-client is version 7
ID: oval:ssg-test_rhel7_client:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object (Name: redhat-release-client)
Test: redhat-release-client is version 7
ID: oval:ssg-test_rhel7_client:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object (Name: redhat-release-client)
Test: redhat-release-workstation is version 7
ID: oval:ssg-test_rhel7_workstation:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object (Name: redhat-release-workstation)
Test: redhat-release-workstation is version 7
ID: oval:ssg-test_rhel7_workstation:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object (Name: redhat-release-workstation)
Test: redhat-release-server is version 7
ID: oval:ssg-test_rhel7_server:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object (Name: redhat-release-server)
Test: redhat-release-server is version 7
ID: oval:ssg-test_rhel7_server:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object (Name: redhat-release-server)
Test: redhat-release-computenode is version 7
ID: oval:ssg-test_rhel7_computenode:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object (Name: redhat-release-computenode)
Test: redhat-release-computenode is version 7
ID: oval:ssg-test_rhel7_computenode:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object (Name: redhat-release-computenode)
Test: redhat-release-virtualization-host RPM package is installed
ID: oval:ssg-test_rhvh4_version:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object (Name: redhat-release-virtualization-host)
Test: RHEVH base RHEL is version 7
ID: oval:ssg-test_rhevh_rhel7_version:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object (Filepath: /etc/redhat-release; Pattern: ^Red Hat Enterprise Linux release (\d)\.\d+$; Instance: 1)
Test: RHEVH base RHEL is version 7
ID: oval:ssg-test_rhevh_rhel7_version:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object (Filepath: /etc/redhat-release; Pattern: ^Red Hat Enterprise Linux release (\d)\.\d+$; Instance: 1)
Test: installed OS part of unix family
ID: oval:ssg-test_rhel8_unix_family:tst:1
Result: true
Following items have been found on the system:
Test: redhat-release is version 8
ID: oval:ssg-test_rhel8:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Test: redhat-release-coreos is version 8
ID: oval:ssg-test_rhel8_coreos:tst:1
Result: true
Following items have been found on the system: Path: /etc/os-release; Content: PRETTY_NAME="Red Hat Enterprise Linux CoreOS 45.81.202004020816-0 (Ootpa)"
Test: redhat-release-virtualization-host RPM package is installed
ID: oval:ssg-test_rhvh4_version:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object (Name: redhat-release-virtualization-host)
Test: RHEVH base RHEL is version 8
ID: oval:ssg-test_rhevh_rhel8_version:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object (Filepath: /etc/redhat-release; Pattern: ^Red Hat Enterprise Linux release (\d)\.\d+$; Instance: 1)
Test: Test installed OS is part of the unix family
ID: oval:ssg-test_unix_family:tst:1
Result: true
Following items have been found on the system:
Test: Test installed OS is part of the unix family
ID: oval:ssg-test_unix_family:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-object_unix_family:obj:1 of type family_object
Test: oraclelinux-release is version 7
ID: oval:ssg-test_ol7_system:tst:1
Result: false
No items have been found conforming to the following objects: Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Test: oraclelinux-release is version 7
ID: oval:ssg-test_ol7_system:tst:1
Result: not evaluated
No items have been found conforming to the following objects: Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Test: tests if var_system_crypto_policy is set to FIPS
ID: oval:ssg-test_system_crypto_policy_value:tst:1
Result: true
Following items have been found on the system: Var ref: oval:ssg-var_system_crypto_policy:var:1; Value: FIPS
Enable Dracut FIPS Module
Rule ID: xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-enable_dracut_fips_module:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82548-9
References:
CCI-000068 , CCI-000803 , CCI-002450 , SC-12(2) , SC-12(3) , IA-7 , SC-13 , CM-6(a) , SC-12 , SRG-OS-000478-GPOS-00223 , SRG-OS-000120-VMM-000600 , SRG-OS-000478-VMM-001980 , SRG-OS-000396-VMM-001590
Description
To enable FIPS mode, run the following command:
fips-mode-setup --enable
To enable FIPS, the system requires that the fips module is added in the dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contains
add_dracutmodules+=" fips "
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings
warning: The system needs to be rebooted for these changes to take effect.
warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details
add_dracutmodules contains fips
oval:ssg-test_enable_dracut_fips_module:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_enable_dracut_fips_module:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/dracut.conf.d/40-fips.conf ^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$ 1
Harden SSHD Crypto Policy xccdf_org.ssgproject.content_rule_harden_sshd_crypto_policy medium CCE-82542-2
Harden SSHD Crypto Policy Rule ID xccdf_org.ssgproject.content_rule_harden_sshd_crypto_policy Result Multi-check rule no OVAL Definition ID oval:ssg-harden_sshd_crypto_policy:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82542-2
References:
AC-17(a) , AC-17(2) , CM-6(a) , MA-4(6) , SC-13 , SC-12(2) , SC-12(3) , FCS_SSHS_EXT.1 , SRG-OS-000250-GPOS-00093 , SRG-OS-000033-GPOS-00014 , SRG-OS-000120-GPOS-00061
Description Crypto Policies are a means of enforcing certain cryptographic settings for selected applications, including the OpenSSH server.
The SSHD service is by default configured to modify its configuration based on the currently configured Crypto Policy. However, in certain cases it might be necessary to override the Crypto Policy specific to the OpenSSH server and leave the rest of the Crypto Policy intact.
This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with an arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that the changes are applied.
Changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks whether this file contains the predefined CRYPTO_POLICY environment variable configured with the predefined value.
Rationale The Common Criteria requirements specify that certain parameters for the OpenSSH server are configured, e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms and HMACs, and that GSSAPI key exchange is disabled. Currently the particular requirements specified by CC are stricter than any existing Crypto Policy.
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false Following items have been found on the system: Var ref Value oval:ssg-sshd_required:var:1 0
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true Following items have been found on the system: Var ref Value oval:ssg-sshd_required:var:1 0
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false Following items have been found on the system: Name Arch Epoch Release Version Evr Signature keyid Extended name openssh-server x86_64 (none) 4.el8_1 8.0p1 0:8.0p1-4.el8_1 199e2f91fd431d51 openssh-server-0:8.0p1-4.el8_1.x86_64
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false Following items have been found on the system: Var ref Value oval:ssg-sshd_required:var:1 0
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true Following items have been found on the system: Var ref Value oval:ssg-sshd_required:var:1 0
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true Following items have been found on the system: Name Arch Epoch Release Version Evr Signature keyid Extended name openssh-server x86_64 (none) 4.el8_1 8.0p1 0:8.0p1-4.el8_1 199e2f91fd431d51 openssh-server-0:8.0p1-4.el8_1.x86_64
tests the value of CRYPTO_POLICY setting in the /etc/crypto-policies/back-ends/opensshserver.config file
oval:ssg-test_harden_sshd_crypto_policy:tst:1
false Following items have been found on the system: Path Content /etc/crypto-policies/back-ends/opensshserver.config CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'
Configure OpenSSL library to use System Crypto Policy xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy medium CCE-82545-5
Configure OpenSSL library to use System Crypto Policy Rule ID xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy Result Multi-check rule no OVAL Definition ID oval:ssg-configure_openssl_crypto_policy:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82545-5
References:
AC-17(a) , AC-17(2) , CM-6(a) , MA-4(6) , SC-13 , SC-12(2) , SC-12(3) , SRG-OS-000250-GPOS-00093
Description Crypto Policies provide centralized control over the crypto algorithm usage of many packages.
OpenSSL is supported by the crypto policy, but the OpenSSL configuration may be set up to ignore it.
To check that the Crypto Policies settings are configured correctly, examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf.
This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/openssl.config directive.
Rationale Overriding the system crypto policy makes the behavior of the Java runtime violate expectations, and makes system configuration more fragmented.
OVAL test results details
Check that the configuration mandates usage of system-wide crypto policies.
oval:ssg-test_configure_openssl_crypto_policy:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_configure_openssl_crypto_policy:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/pki/tls/openssl.cnf ^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$ 1
Harden SSH client Crypto Policy xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy medium CCE-82543-0
Harden SSH client Crypto Policy Rule ID xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy Result Multi-check rule no OVAL Definition ID oval:ssg-harden_ssh_client_crypto_policy:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82543-0
References:
AC-17(a) , AC-17(2) , CM-6(a) , MA-4(6) , SC-13 , FCS_SSHC_EXT.1 , SRG-OS-000033-GPOS-00014 , SRG-OS-000250-GPOS-00093 , SRG-OS-000393-GPOS-00173 , SRG-OS-000394-GPOS-00174
Description Crypto Policies are a means of enforcing certain cryptographic settings for selected applications, including the OpenSSH client.
To override the system-wide crypto policy for the OpenSSH client, place a file in /etc/ssh/ssh_config.d/ so that it is loaded before 05-redhat.conf. In this case it is a file named 02-ospp.conf containing the parameters which need to be changed with respect to the crypto policy.
This rule checks whether the file exists and whether it contains the required parameters and values which modify the Crypto Policy.
During the parsing process, as soon as the OpenSSH client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends any customizations at the end of the system-wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system-wide crypto policy, the SSH client will not honor that customized parameter.
Rationale The Common Criteria requirements specify how certain parameters for the OpenSSH client are configured. The particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently the particular requirements specified by CC are stricter than any existing Crypto Policy.
OVAL test results details
tests the absence of Match setting in the /etc/ssh/ssh_config.d/02-ospp.conf file
oval:ssg-test_harden_ssh_client_crypto_policy_Match:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_harden_ssh_client_crypto_policy_Match:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/ssh/ssh_config.d/02-ospp.conf ^[ \t]*Match[\s]+(.+?)[ \t]*(?:$|#) 1
tests the absence of RekeyLimit setting in the /etc/ssh/ssh_config.d/02-ospp.conf file
oval:ssg-test_harden_ssh_client_crypto_policy_RekeyLimit:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_harden_ssh_client_crypto_policy_RekeyLimit:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/ssh/ssh_config.d/02-ospp.conf ^Match final all(?:.*\n)*?\s*RekeyLimit[\s]+(.+?)[ \t]*(?:$|#) 1
tests the absence of GSSAPIAuthentication setting in the /etc/ssh/ssh_config.d/02-ospp.conf file
oval:ssg-test_harden_ssh_client_crypto_policy_GSSAPIAuthentication:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_harden_ssh_client_crypto_policy_GSSAPIAuthentication:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/ssh/ssh_config.d/02-ospp.conf ^Match final all(?:.*\n)*?\s*GSSAPIAuthentication[\s]+(.+?)[ \t]*(?:$|#) 1
tests the absence of Ciphers setting in the /etc/ssh/ssh_config.d/02-ospp.conf file
oval:ssg-test_harden_ssh_client_crypto_policy_Ciphers:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_harden_ssh_client_crypto_policy_Ciphers:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/ssh/ssh_config.d/02-ospp.conf ^Match final all(?:.*\n)*?\s*Ciphers[\s]+(.+?)[ \t]*(?:$|#) 1
tests the absence of PubkeyAcceptedKeyTypes setting in the /etc/ssh/ssh_config.d/02-ospp.conf file
oval:ssg-test_harden_ssh_client_crypto_policy_PubkeyAcceptedKeyTypes:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_harden_ssh_client_crypto_policy_PubkeyAcceptedKeyTypes:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/ssh/ssh_config.d/02-ospp.conf ^Match final all(?:.*\n)*?\s*PubkeyAcceptedKeyTypes[\s]+(.+?)[ \t]*(?:$|#) 1
tests the absence of MACs setting in the /etc/ssh/ssh_config.d/02-ospp.conf file
oval:ssg-test_harden_ssh_client_crypto_policy_MACs:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_harden_ssh_client_crypto_policy_MACs:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/ssh/ssh_config.d/02-ospp.conf ^Match final all(?:.*\n)*?\s*MACs[\s]+(.+?)[ \t]*(?:$|#) 1
tests the absence of KexAlgorithms setting in the /etc/ssh/ssh_config.d/02-ospp.conf file
oval:ssg-test_harden_ssh_client_crypto_policy_KexAlgorithms:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_harden_ssh_client_crypto_policy_KexAlgorithms:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/ssh/ssh_config.d/02-ospp.conf ^Match final all(?:.*\n)*?\s*KexAlgorithms[\s]+(.+?)[ \t]*(?:$|#) 1
Configure SSH to use System Crypto Policy xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy medium
Configure SSH to use System Crypto Policy Rule ID xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy Result Multi-check rule no OVAL Definition ID oval:ssg-configure_ssh_crypto_policy:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References References:
AC-17(a) , AC-17(2) , CM-6(a) , MA-4(6) , SC-13
Description Crypto Policies provide centralized control over the crypto algorithm usage of many packages.
SSH is supported by the crypto policy, but the SSH configuration may be set up to ignore it.
To check that the Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented out or not set at all in /etc/sysconfig/sshd.
Rationale Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented.
OVAL test results details
Check that the SSH configuration mandates usage of system-wide crypto policies.
oval:ssg-test_configure_ssh_crypto_policy:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysconfig/sshd ^\s*CRYPTO_POLICY\s*=.*$ 1
Configure Kerberos to use System Crypto Policy xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy medium CCE-82547-1
Configure Kerberos to use System Crypto Policy Rule ID xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy Result Multi-check rule no OVAL Definition ID oval:ssg-configure_kerberos_crypto_policy:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82547-1
References:
SC-13 , SC-12(2) , SC-12(3) , SRG-OS-000120-GPOS-00061
Description Crypto Policies provide centralized control over the crypto algorithm usage of many packages.
Kerberos is supported by the crypto policy, but its configuration may be set up to ignore it.
To check that the Crypto Policies settings for Kerberos are configured correctly, check that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/crypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.
Rationale Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented.
OVAL test results details
Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file
oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1
true Following items have been found on the system: Var ref Value oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 /usr/share/crypto-policies/DEFAULT/krb5.txt
Check if kerberos configuration symlink links to the crypto-policy backend file
oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1
false Following items have been found on the system: Var ref Value oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 /usr/share/crypto-policies/DEFAULT/krb5.txt
Configure System Cryptography Policy xccdf_org.ssgproject.content_rule_configure_crypto_policy high CCE-82541-4
Configure System Cryptography Policy Rule ID xccdf_org.ssgproject.content_rule_configure_crypto_policy Result Multi-check rule no OVAL Definition ID oval:ssg-configure_crypto_policy:def:1 Time 2020-05-28T09:50:18+00:00 Severity high Identifiers and References Identifiers:
CCE-82541-4
References:
AC-17(a) , AC-17(2) , CM-6(a) , MA-4(6) , SC-13 , SC-12(2) , SC-12(3) , SRG-OS-000396-GPOS-00176 , SRG-OS-000393-GPOS-00173 , SRG-OS-000394-GPOS-00174
Description To configure the system cryptography policy to use ciphers only from the FIPS policy, run the following command:
$ sudo update-crypto-policies --set FIPS
The rule checks whether the settings for the selected crypto policy are configured as expected. Configuration files in /etc/crypto-policies/back-ends are either symlinks to the correct files provided by the crypto-policies package, or regular files if crypto policy customizations have been applied.
Crypto policies may be customized by crypto policy modules, in which case the module is delimited from the base policy using a colon.
Rationale Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data.
Warnings warning
The system needs to be rebooted for these changes to take effect.
warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process.
OVAL test results details
check for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
false Following items have been found on the system: Path Content /etc/crypto-policies/config DEFAULT
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
false Following items have been found on the system: Path Content /etc/crypto-policies/state/current DEFAULT
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true Following items have been found on the system: Var ref Value oval:ssg-variable_crypto_policies_config_file_age:var:1 1446
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true Following items have been found on the system: Path Type UID GID Size (B) Permissions /etc/crypto-policies/back-ends/nss.config symbolic link 0 0 42 rwxrwxrwx
Install sudo Package xccdf_org.ssgproject.content_rule_package_sudo_installed medium CCE-82523-2
Install sudo Package Rule ID xccdf_org.ssgproject.content_rule_package_sudo_installed Result Multi-check rule no OVAL Definition ID oval:ssg-package_sudo_installed:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82523-2
References:
CM-6(a) , SRG-OS-000324-GPOS-00125
Description The sudo package can be installed with the following command:
Rationale sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.
OVAL test results details
package sudo is installed
oval:ssg-test_package_sudo_installed:tst:1
true Following items have been found on the system: Name Arch Epoch Release Version Evr Signature keyid Extended name sudo x86_64 (none) 8.el8_1.1 1.8.25p1 0:1.8.25p1-8.el8_1.1 199e2f91fd431d51 sudo-0:1.8.25p1-8.el8_1.1.x86_64
Enable Kernel Page-Table Isolation (KPTI) xccdf_org.ssgproject.content_rule_grub2_pti_argument high CCE-82497-9
Enable Kernel Page-Table Isolation (KPTI) Rule ID xccdf_org.ssgproject.content_rule_grub2_pti_argument Result Multi-check rule no OVAL Definition ID oval:ssg-grub2_pti_argument:def:1 Time 2020-05-28T09:50:18+00:00 Severity high Identifiers and References Identifiers:
CCE-82497-9
References:
SI-16 , SRG-OS-000433-GPOS-00193
Description To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="pti=on"
Rationale Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).
Warnings warning
The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
OVAL test results details
check for kernel command line parameters pti=on in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_pti_argument_grub_env:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_grub2_pti_argument_grub_env:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /boot/grub2/grubenv ^kernelopts=(.*)$ 1
Set the UEFI Boot Loader Password xccdf_org.ssgproject.content_rule_grub2_uefi_password medium CCE-82552-1
Set the UEFI Boot Loader Password Rule ID xccdf_org.ssgproject.content_rule_grub2_uefi_password Result Multi-check rule no OVAL Definition ID oval:ssg-grub2_uefi_password:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82552-1
References:
NT28(R17) , 1.4.2 , 11 , 12 , 14 , 15 , 16 , 18 , 3 , 5 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , DSS06.06 , 3.4.5 , CCI-000213 , 164.308(a)(1)(ii)(B) , 164.308(a)(7)(i) , 164.308(a)(7)(ii)(A) , 164.310(a)(1) , 164.310(a)(2)(i) , 164.310(a)(2)(ii) , 164.310(a)(2)(iii) , 164.310(b) , 164.310(c) , 164.310(d)(1) , 164.310(d)(2)(iii) , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , A.6.1.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-6(a) , PR.AC-4 , PR.AC-6 , PR.PT-3 , FIA_AFL.1 , SRG-OS-000080-GPOS-00048
Description The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
Rationale Password protection on the boot loader configuration ensures that users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file.
OVAL test results details
/boot/efi/EFI/redhat/grub.cfg does not exist
oval:ssg-test_grub2_uefi_password_grub_cfg:tst:1
false Following items have been found on the system: Path Type UID GID Size (B) Permissions /boot/efi/EFI/redhat/grub.cfg regular 0 0 93 rwxr-xr-x
make sure a password is defined in /boot/efi/EFI/redhat/user.cfg
oval:ssg-test_grub2_uefi_password_usercfg:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_grub2_uefi_password_usercfg:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /boot/efi/EFI/redhat/user.cfg ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ 1
make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg
oval:ssg-test_grub2_uefi_password_grubcfg:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_grub2_uefi_password_grubcfg:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /boot/efi/EFI/redhat/grub.cfg ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ 1
superuser is defined in /boot/efi/EFI/redhat/grub.cfg.
oval:ssg-test_bootloader_uefi_superuser:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_bootloader_uefi_superuser:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /boot/efi/EFI/redhat/grub.cfg ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ 1
Disable Accepting ICMP Redirects for All IPv6 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects medium CCE-82471-4
Disable Accepting ICMP Redirects for All IPv6 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82471-4
References:
NT28(R22) , 11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.1.20 , CCI-001551 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
Rationale An illicit ICMP redirect message could result in a man-in-the-middle attack.
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:obj:1 of type
sysctl_object Name net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.accept_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_redirects:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_accept_redirects:obj:1 of type
sysctl_object Name net.ipv6.conf.all.accept_redirects
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route medium CCE-82480-5
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82480-5
References:
NT28(R22) , 1 , 12 , 13 , 14 , 15 , 16 , 18 , 4 , 6 , 8 , 9 , APO01.06 , APO13.01 , DSS01.05 , DSS03.01 , DSS05.02 , DSS05.04 , DSS05.07 , DSS06.02 , 3.1.20 , CCI-000366 , 4.2.3.4 , 4.3.3.4 , 4.4.3.3 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , CM-6(a) , DE.AE-1 , ID.AM-3 , PR.AC-5 , PR.DS-5 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv6.conf.all.accept_source_route
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
Rationale Source-routed packets allow the source of the packet to suggest that routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:obj:1 of type
sysctl_object Name net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.accept_source_route static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_source_route:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_accept_source_route:obj:1 of type
sysctl_object Name net.ipv6.conf.all.accept_source_route
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route medium CCE-82481-3
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82481-3
References:
NT28(R22) , 1 , 12 , 13 , 14 , 15 , 16 , 18 , 4 , 6 , 8 , 9 , APO01.06 , APO13.01 , DSS01.05 , DSS03.01 , DSS05.02 , DSS05.04 , DSS05.07 , DSS06.02 , 3.1.20 , CCI-000366 , 4.2.3.4 , 4.3.3.4 , 4.4.3.3 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , CM-6(a) , DE.AE-1 , ID.AM-3 , PR.AC-5 , PR.DS-5 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv6.conf.default.accept_source_route
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
Rationale Source-routed packets allow the source of the packet to suggest that routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:obj:1 of type
sysctl_object Name net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.default.accept_source_route static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_source_route:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_default_accept_source_route:obj:1 of type
sysctl_object Name net.ipv6.conf.default.accept_source_route
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra unknown CCE-82468-0
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1 Time 2020-05-28T09:50:18+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82468-0
References:
11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.1.20 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv6.conf.default.accept_ra
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
Rationale An illicit router advertisement message could result in a man-in-the-middle attack.
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:obj:1 of type
sysctl_object Name net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.default.accept_ra static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_default_accept_ra:obj:1 of type
sysctl_object Name net.ipv6.conf.default.accept_ra
Configure Accepting Router Advertisements on All IPv6 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra unknown CCE-82467-2
Configure Accepting Router Advertisements on All IPv6 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1 Time 2020-05-28T09:50:18+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82467-2
References:
11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.1.20 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv6.conf.all.accept_ra
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
Rationale An illicit router advertisement message could result in a man-in-the-middle attack.
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:obj:1 of type
sysctl_object Name net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.accept_ra static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_accept_ra:obj:1 of type
sysctl_object Name net.ipv6.conf.all.accept_ra
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects medium CCE-82477-1
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82477-1
References:
NT28(R22) , 3.3.2 , 11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.1.20 , CCI-001551 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv6.conf.default.accept_redirects
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
Rationale An illicit ICMP redirect message could result in a man-in-the-middle attack.
OVAL test results details
net.ipv6.conf.all.disable_ipv6 static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1
oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:obj:1 of type
sysctl_object Name net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.default.accept_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_redirects:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv6_conf_default_accept_redirects:obj:1 of type
sysctl_object Name net.ipv6.conf.default.accept_redirects
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects medium CCE-82484-7
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82484-7
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 3 , 4 , 6 , 7 , 8 , 9 , 5.10.1.1 , APO01.06 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , 3.1.20 , CCI-000366 , 4.2.3.4 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , SC-5 , CM-6(a) , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.conf.all.send_redirects
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
Rationale ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
OVAL test results details
net.ipv4.conf.all.send_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1
net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1
net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1
net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ 1
kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_send_redirects:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_all_send_redirects:obj:1 of type
sysctl_object Name net.ipv4.conf.all.send_redirects
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects medium CCE-82485-4
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82485-4
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 3 , 4 , 6 , 7 , 8 , 9 , 5.10.1.1 , APO01.06 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , 3.1.20 , CCI-000366 , 4.2.3.4 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , SC-5 , CM-6(a) , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.conf.default.send_redirects
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
Rationale ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
OVAL test results details
net.ipv4.conf.default.send_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1
net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1
net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1
net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ 1
kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_send_redirects:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_default_send_redirects:obj:1 of type
sysctl_object Name net.ipv4.conf.default.send_redirects
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route medium CCE-82478-9
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82478-9
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 3 , 4 , 6 , 7 , 8 , 9 , APO01.06 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , 3.1.20 , CCI-000366 , 4.2.3.4 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , SC-5 , CM-6(a) , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.conf.all.accept_source_route
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
Rationale Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routed traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.
OVAL test results details
net.ipv4.conf.all.accept_source_route static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_source_route:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1
true Following items have been found on the system: Path Content /usr/lib/sysctl.d/50-default.conf # Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_source_route:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_all_accept_source_route:obj:1 of type
sysctl_object Name net.ipv4.conf.all.accept_source_route
Disable Accepting ICMP Redirects for All IPv4 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects medium CCE-82469-8
Disable Accepting ICMP Redirects for All IPv4 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82469-8
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 7 , 8 , 9 , 5.10.1.1 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.05 , DSS05.07 , DSS06.06 , 3.1.20 , CCI-000366 , CCI-001503 , CCI-001551 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , SC-7(a) , DE.CM-1 , PR.DS-4 , PR.IP-1 , PR.PT-3 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.conf.all.accept_redirects
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
Rationale ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be
disabled unless absolutely required.
OVAL test results details
net.ipv4.conf.all.accept_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_redirects:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_all_accept_redirects:obj:1 of type
sysctl_object Name net.ipv4.conf.all.accept_redirects
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter medium CCE-82489-6
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82489-6
References:
NT28(R22) , 1 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 4 , 6 , 7 , 8 , 9 , APO01.06 , APO13.01 , BAI04.04 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.07 , DSS06.02 , 3.1.20 , CCI-000366 , 4.2.3.4 , 4.3.3.4 , 4.4.3.3 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , CM-6(a) , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.conf.default.rp_filter
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.rp_filter = 1
Rationale Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.
OVAL test results details
net.ipv4.conf.default.rp_filter static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_rp_filter:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_rp_filter:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_rp_filter:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_rp_filter:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_rp_filter:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_rp_filter:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_default_rp_filter:obj:1 of type
sysctl_object Name net.ipv4.conf.default.rp_filter
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter medium CCE-82488-8
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82488-8
References:
NT28(R22) , 1 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 4 , 6 , 7 , 8 , 9 , APO01.06 , APO13.01 , BAI04.04 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.07 , DSS06.02 , 3.1.20 , CCI-000366 , CCI-001551 , 4.2.3.4 , 4.3.3.4 , 4.4.3.3 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , CM-6(a) , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.conf.all.rp_filter
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
Rationale Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.
OVAL test results details
net.ipv4.conf.all.rp_filter static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_rp_filter:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1
true Following items have been found on the system: Path Content /usr/lib/sysctl.d/50-default.conf # Source route verification
net.ipv4.conf.all.rp_filter = 1
kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_rp_filter:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_all_rp_filter:obj:1 of type
sysctl_object Name net.ipv4.conf.all.rp_filter
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians unknown CCE-82486-2
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1 Time 2020-05-28T09:50:18+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82486-2
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 7 , 8 , 9 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.04 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.05 , DSS05.07 , DSS06.06 , 3.1.20 , CCI-000126 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.11.2.6 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.2.1 , A.6.2.2 , A.9.1.2 , CM-7(a) , CM-7(b) , SC-5(3)(a) , DE.CM-1 , PR.AC-3 , PR.DS-4 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.conf.all.log_martians
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.log_martians = 1
Rationale The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.
OVAL test results details
net.ipv4.conf.all.log_martians static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_log_martians:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_log_martians:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_log_martians:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1
net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n 1
kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_log_martians:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_all_log_martians:obj:1 of type
sysctl_object Name net.ipv4.conf.all.log_martians
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknown CCE-82490-4
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1 Time 2020-05-28T09:50:18+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82490-4
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 7 , 8 , 9 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS03.05 , DSS05.02 , DSS05.05 , DSS05.07 , DSS06.06 , 3.1.20 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.9.1.2 , CM-7(a) , CM-7(b) , SC-5 , DE.CM-1 , PR.DS-4 , PR.IP-1 , PR.PT-3 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Rationale Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged.
OVAL test results details
net.ipv4.icmp_ignore_bogus_error_responses static configuration
oval:ssg-test_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
  Filepath: /etc/sysctl.conf
  Pattern: (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
  Path: /etc/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
  Path: /run/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
  Path: /usr/lib/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:tst:1
Result: not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type sysctl_object
  Name: net.ipv4.icmp_ignore_bogus_error_responses
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82482-1
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 3 , 4 , 6 , 7 , 8 , 9 , APO01.06 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , 3.1.20 , CCI-001503 , CCI-001551 , 4.2.3.4 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , CM-6(a) , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.secure_redirects = 0
Rationale
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details
net.ipv4.conf.all.secure_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_all_secure_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
  Filepath: /etc/sysctl.conf
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
  Path: /etc/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_secure_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
  Path: /run/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
  Path: /usr/lib/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_secure_redirects:tst:1
Result: not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_all_secure_redirects:obj:1 of type sysctl_object
  Name: net.ipv4.conf.all.secure_redirects
Configure Kernel Parameter for Accepting Secure Redirects By Default
Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82483-9
References:
NT28(R22) , 3.2.3 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 3 , 4 , 6 , 7 , 8 , 9 , APO01.06 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , 3.1.20 , CCI-001551 , 4.2.3.4 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , SC-5 , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.secure_redirects = 0
Rationale
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details
net.ipv4.conf.default.secure_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_secure_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
  Filepath: /etc/sysctl.conf
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
  Path: /etc/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_secure_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
  Path: /run/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
  Path: /usr/lib/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_secure_redirects:tst:1
Result: not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_default_secure_redirects:obj:1 of type sysctl_object
  Name: net.ipv4.conf.default.secure_redirects
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82479-7
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 3 , 4 , 6 , 7 , 8 , 9 , 5.10.1.1 , APO01.06 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , 3.1.20 , CCI-000366 , CCI-001551 , 4.2.3.4 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , SC-5 , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
OVAL test results details
net.ipv4.conf.default.accept_source_route static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
  Filepath: /etc/sysctl.conf
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
  Path: /etc/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
  Path: /run/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
  Path: /usr/lib/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_source_route:tst:1
Result: not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_default_accept_source_route:obj:1 of type sysctl_object
  Name: net.ipv4.conf.default.accept_source_route
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82470-6
References:
NT28(R22) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 3 , 4 , 6 , 7 , 8 , 9 , 5.10.1.1 , APO01.06 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , 3.1.20 , CCI-000366 , CCI-001551 , 4.2.3.4 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , CM-6(a) , SC-7(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
OVAL test results details
net.ipv4.conf.default.accept_redirects static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
  Filepath: /etc/sysctl.conf
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
  Path: /etc/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
  Path: /run/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
  Path: /usr/lib/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_redirects:tst:1
Result: not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_default_accept_redirects:obj:1 of type sysctl_object
  Name: net.ipv4.conf.default.accept_redirects
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: unknown
Identifiers and References
Identifiers:
CCE-82487-0
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 2 , 3 , 7 , 8 , 9 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.04 , DSS03.05 , DSS05.02 , DSS05.03 , DSS05.05 , DSS05.07 , DSS06.06 , 3.1.20 , CCI-000126 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.11.2.6 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.2.1 , A.6.2.2 , A.9.1.2 , CM-7(a) , CM-7(b) , SC-5(3)(a) , DE.CM-1 , PR.AC-3 , PR.DS-4 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description
To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.log_martians = 1
Rationale
The presence of "martian" packets (which have impossible addresses), as well as spoofed packets, source-routed packets, and redirects, could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
OVAL test results details
net.ipv4.conf.default.log_martians static configuration
oval:ssg-test_static_sysctl_net_ipv4_conf_default_log_martians:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
  Filepath: /etc/sysctl.conf
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_log_martians:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
  Path: /etc/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_log_martians:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
  Path: /run/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
  Path: /usr/lib/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_log_martians:tst:1
Result: not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_runtime_net_ipv4_conf_default_log_martians:obj:1 of type sysctl_object
  Name: net.ipv4.conf.default.log_martians
Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces
Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82492-0
References:
NT28(R22) , 1 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 4 , 6 , 7 , 8 , 9 , 5.10.1.1 , APO01.06 , APO13.01 , BAI04.04 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.07 , DSS06.02 , 3.1.20 , CCI-000366 , 4.2.3.4 , 4.3.3.4 , 4.4.3.3 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , SC-5(1) , SC-5(2) , SC-5(3)(a) , CM-6(a) , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.PT-4 , SRG-OS-000480-GPOS-00227 , SRG-OS-000420-GPOS-00186 , SRG-OS-000142-GPOS-00071
Description
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1
Rationale
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying that the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
OVAL test results details
net.ipv4.tcp_syncookies static configuration
oval:ssg-test_static_sysctl_net_ipv4_tcp_syncookies:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
  Filepath: /etc/sysctl.conf
  Pattern: (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_syncookies:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
  Path: /etc/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_tcp_syncookies:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
  Path: /run/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:tst:1
Result: false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
  Path: /usr/lib/sysctl.d
  Filename: ^.*\.conf$
  Pattern: (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n
  Instance: 1
kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_tcp_syncookies:tst:1
Result: not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_runtime_net_ipv4_tcp_syncookies:obj:1 of type sysctl_object
  Name: net.ipv4.tcp_syncookies
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1
Time: 2020-05-28T09:50:18+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82491-2
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 2 , 3 , 4 , 6 , 7 , 8 , 9 , 5.10.1.1 , APO01.06 , APO13.01 , BAI04.04 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.03 , DSS01.05 , DSS03.01 , DSS03.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , 3.1.20 , CCI-000366 , 4.2.3.4 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 6.2 , SR 7.1 , SR 7.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.1.3 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.17.2.1 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , SC-5 , DE.AE-1 , DE.CM-1 , ID.AM-3 , PR.AC-5 , PR.DS-4 , PR.DS-5 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Rationale Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
OVAL test results details
net.ipv4.icmp_echo_ignore_broadcasts static configuration
oval:ssg-test_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
Filepath: /etc/sysctl.conf
Pattern: (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n
Instance: 1
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
Path: /etc/sysctl.d
Filename: ^.*\.conf$
Pattern: (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n
Instance: 1
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
Path: /run/sysctl.d
Filename: ^.*\.conf$
Pattern: (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n
Instance: 1
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
Path: /usr/lib/sysctl.d
Filename: ^.*\.conf$
Pattern: (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n
Instance: 1
kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value
oval:ssg-test_sysctl_runtime_net_ipv4_icmp_echo_ignore_broadcasts:tst:1
not applicable: No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type sysctl_object
Name: net.ipv4.icmp_echo_ignore_broadcasts
Disable ATM Support
xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
medium
CCE-82518-2
Disable ATM Support Rule ID xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_atm_disabled:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82518-2
References:
FMT_SMF_EXT.1 , SRG-OS-000095-GPOS-00049
Description The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install atm /bin/true
Rationale Disabling ATM protects the system against exploitation of any flaws in its implementation.
OVAL test results details
kernel module atm disabled
oval:ssg-test_kernmod_atm_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_atm_disabled:obj:1 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
Instance: 1
kernel module atm disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_atm_modprobeconf:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_atm_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
Instance: 1
kernel module atm disabled in /etc/modules-load.d
oval:ssg-test_kernmod_atm_etcmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_atm_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
Instance: 1
kernel module atm disabled in /run/modules-load.d
oval:ssg-test_kernmod_atm_runmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_atm_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
Instance: 1
kernel module atm disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_atm_libmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_atm_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
Instance: 1
kernel module atm disabled in /run/modprobe.d
oval:ssg-test_kernmod_atm_runmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_atm_runmodprobed:obj:1 of type textfilecontent54_object
Path: /run/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
Instance: 1
kernel module atm disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_atm_libmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_atm_libmodprobed:obj:1 of type textfilecontent54_object
Path: /usr/lib/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
Instance: 1
Disable IEEE 1394 (FireWire) Support
xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
medium
CCE-82517-4
Disable IEEE 1394 (FireWire) Support Rule ID xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_firewire-core_disabled:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82517-4
References:
FMT_SMF_EXT.1 , SRG-OS-000095-GPOS-00049
Description The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install firewire-core /bin/true
Rationale Disabling FireWire protects the system against exploitation of any flaws in its implementation.
OVAL test results details
kernel module firewire-core disabled
oval:ssg-test_kernmod_firewire-core_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_firewire-core_disabled:obj:1 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
Instance: 1
kernel module firewire-core disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
Instance: 1
kernel module firewire-core disabled in /etc/modules-load.d
oval:ssg-test_kernmod_firewire-core_etcmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_firewire-core_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
Instance: 1
kernel module firewire-core disabled in /run/modules-load.d
oval:ssg-test_kernmod_firewire-core_runmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_firewire-core_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
Instance: 1
kernel module firewire-core disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_firewire-core_libmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_firewire-core_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
Instance: 1
kernel module firewire-core disabled in /run/modprobe.d
oval:ssg-test_kernmod_firewire-core_runmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_firewire-core_runmodprobed:obj:1 of type textfilecontent54_object
Path: /run/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
Instance: 1
kernel module firewire-core disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_firewire-core_libmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_firewire-core_libmodprobed:obj:1 of type textfilecontent54_object
Path: /usr/lib/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
Instance: 1
Disable CAN Support
xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
medium
CCE-82519-0
Disable CAN Support Rule ID xccdf_org.ssgproject.content_rule_kernel_module_can_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_can_disabled:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82519-0
References:
FMT_SMF_EXT.1 , SRG-OS-000095-GPOS-00049
Description The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive use and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install can /bin/true
Rationale Disabling CAN protects the system against exploitation of any flaws in its implementation.
OVAL test results details
kernel module can disabled
oval:ssg-test_kernmod_can_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_can_disabled:obj:1 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
Instance: 1
kernel module can disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_can_modprobeconf:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_can_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
Instance: 1
kernel module can disabled in /etc/modules-load.d
oval:ssg-test_kernmod_can_etcmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_can_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
Instance: 1
kernel module can disabled in /run/modules-load.d
oval:ssg-test_kernmod_can_runmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_can_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
Instance: 1
kernel module can disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_can_libmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_can_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
Instance: 1
kernel module can disabled in /run/modprobe.d
oval:ssg-test_kernmod_can_runmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_can_runmodprobed:obj:1 of type textfilecontent54_object
Path: /run/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
Instance: 1
kernel module can disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_can_libmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_can_libmodprobed:obj:1 of type textfilecontent54_object
Path: /usr/lib/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
Instance: 1
Disable TIPC Support
xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
medium
CCE-82520-8
Disable TIPC Support Rule ID xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_tipc_disabled:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82520-8
References:
11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3 , FMT_SMF_EXT.1 , SRG-OS-000095-GPOS-00049
Description The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/true
Rationale Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Warnings
warning This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as a node in a High Performance Computing cluster, it is expected that the tipc kernel module will be loaded.
OVAL test results details
kernel module tipc disabled
oval:ssg-test_kernmod_tipc_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_tipc_disabled:obj:1 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1
kernel module tipc disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_tipc_modprobeconf:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1
kernel module tipc disabled in /etc/modules-load.d
oval:ssg-test_kernmod_tipc_etcmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_tipc_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1
kernel module tipc disabled in /run/modules-load.d
oval:ssg-test_kernmod_tipc_runmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_tipc_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1
kernel module tipc disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_tipc_libmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_tipc_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1
kernel module tipc disabled in /run/modprobe.d
oval:ssg-test_kernmod_tipc_runmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_tipc_runmodprobed:obj:1 of type textfilecontent54_object
Path: /run/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1
kernel module tipc disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_tipc_libmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_tipc_libmodprobed:obj:1 of type textfilecontent54_object
Path: /usr/lib/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
Instance: 1
Disable SCTP Support
xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
medium
CCE-82516-6
Disable SCTP Support Rule ID xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_sctp_disabled:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82516-6
References:
11 , 14 , 3 , 9 , 5.10.1 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3 , SRG-OS-000095-GPOS-00049
Description The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install sctp /bin/true
Rationale Disabling SCTP protects the system against exploitation of any flaws in its implementation.
OVAL test results details
kernel module sctp disabled
oval:ssg-test_kernmod_sctp_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_sctp_disabled:obj:1 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1
kernel module sctp disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_sctp_modprobeconf:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1
kernel module sctp disabled in /etc/modules-load.d
oval:ssg-test_kernmod_sctp_etcmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_sctp_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1
kernel module sctp disabled in /run/modules-load.d
oval:ssg-test_kernmod_sctp_runmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_sctp_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1
kernel module sctp disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_sctp_libmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_sctp_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1
kernel module sctp disabled in /run/modprobe.d
oval:ssg-test_kernmod_sctp_runmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_sctp_runmodprobed:obj:1 of type textfilecontent54_object
Path: /run/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1
kernel module sctp disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_sctp_libmodprobed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_sctp_libmodprobed:obj:1 of type textfilecontent54_object
Path: /usr/lib/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
Instance: 1
Install iptables Package
xccdf_org.ssgproject.content_rule_package_iptables_installed
medium
CCE-82522-4
Install iptables Package Rule ID xccdf_org.ssgproject.content_rule_package_iptables_installed Result Multi-check rule no OVAL Definition ID oval:ssg-package_iptables_installed:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82522-4
References:
CM-6(a) , SRG-OS-000480-GPOS-00227
Description The iptables package can be installed with the following command:
Rationale iptables controls the Linux kernel network packet filtering code. iptables allows system operators to set up firewalls and IP masquerading, etc.
OVAL test results details
package iptables is installed
oval:ssg-test_package_iptables_installed:tst:1
true: Following items have been found on the system:
Name: iptables
Arch: x86_64
Epoch: (none)
Release: 10.el8
Version: 1.8.4
Evr: 0:1.8.4-10.el8
Signature keyid: 199e2f91fd431d51
Extended name: iptables-0:1.8.4-10.el8.x86_64
Disable Bluetooth Service
xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
medium
Disable Bluetooth Service Rule ID xccdf_org.ssgproject.content_rule_service_bluetooth_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-service_bluetooth_disabled:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References References:
11 , 12 , 14 , 15 , 3 , 8 , 9 , APO13.01 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.04 , DSS05.02 , DSS05.03 , DSS05.05 , DSS06.06 , 3.1.16 , CCI-000085 , CCI-001551 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.6.2.1 , A.6.2.2 , A.9.1.2 , AC-18(a) , AC-18(3) , CM-7(a) , CM-7(b) , CM-6(a) , MP-7 , PR.AC-3 , PR.IP-1 , PR.PT-3 , PR.PT-4
Description The bluetooth service can be disabled with the following command:
$ sudo systemctl disable bluetooth.service
The bluetooth service can be masked with the following command:
$ sudo systemctl mask bluetooth.service
$ sudo service bluetooth stop
Rationale Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
OVAL test results details
package bluez is removed
oval:ssg-test_service_bluetooth_package_bluez_removed:tst:1
true: No items have been found conforming to the following objects: Object oval:ssg-obj_test_service_bluetooth_package_bluez_removed:obj:1 of type rpminfo_object
Test that the bluetooth service is not running
oval:ssg-test_service_not_running_bluetooth:tst:1
true: No items have been found conforming to the following objects: Object oval:ssg-obj_service_not_running_bluetooth:obj:1 of type systemdunitproperty_object
Unit: ^bluetooth\.(service|socket)$
Property: ActiveState
Test that the property LoadState from the service bluetooth is masked
oval:ssg-test_service_loadstate_is_masked_bluetooth:tst:1
true: No items have been found conforming to the following objects: Object oval:ssg-obj_service_loadstate_is_masked_bluetooth:obj:1 of type systemdunitproperty_object
Unit: ^bluetooth\.(service|socket)$
Property: LoadState
Test that the property FragmentPath from the service bluetooth is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_bluetooth:tst:1
true: No items have been found conforming to the following objects: Object oval:ssg-obj_service_fragmentpath_is_dev_null_bluetooth:obj:1 of type systemdunitproperty_object
Unit: ^bluetooth\.(service|socket)$
Property: FragmentPath
Deactivate Wireless Network Interfaces
xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
medium
CCE-82660-2
Deactivate Wireless Network Interfaces Rule ID xccdf_org.ssgproject.content_rule_wireless_disable_interfaces Result Multi-check rule no OVAL Definition ID oval:ssg-wireless_disable_interfaces:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82660-2
References:
11 , 12 , 14 , 15 , 3 , 8 , 9 , APO13.01 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.04 , DSS05.02 , DSS05.03 , DSS05.05 , DSS06.06 , 3.1.16 , CCI-000085 , CCI-002418 , CCI-002421 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.6.2.1 , A.6.2.2 , A.9.1.2 , AC-18(a) , AC-18(3) , CM-7(a) , CM-7(b) , CM-6(a) , MP-7 , PR.AC-3 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000424-GPOS-00188
Description Deactivating wireless network interfaces should prevent normal usage of the wireless capability. Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio wifi off
Rationale The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.
OVAL test results details
query /proc/net/wireless
oval:ssg-test_wireless_disable_interfaces:tst:1
true: No items have been found conforming to the following objects: Object oval:ssg-object_wireless_disable_interfaces:obj:1 of type textfilecontent54_object
Filepath: /proc/net/wireless
Pattern: ^\s*[-\w]+:
Instance: 1
Disable WiFi or Bluetooth in BIOS
xccdf_org.ssgproject.content_rule_wireless_disable_in_bios
unknown
CCE-82659-4
Disable WiFi or Bluetooth in BIOS Rule ID xccdf_org.ssgproject.content_rule_wireless_disable_in_bios Result Multi-check rule no Time 2020-05-28T09:50:18+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82659-4
References:
11 , 12 , 14 , 15 , 3 , 8 , 9 , APO13.01 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.04 , DSS05.02 , DSS05.03 , DSS05.05 , DSS06.06 , CCI-000085 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.6.2.1 , A.6.2.2 , A.9.1.2 , AC-18(a) , AC-18(3) , CM-7(a) , CM-7(b) , CM-6(a) , MP-7 , PR.AC-3 , PR.IP-1 , PR.PT-3 , PR.PT-4
Description Some machines that include built-in wireless support offer the
ability to disable the device through the BIOS. This is hardware-specific;
consult your hardware manual or explore the BIOS setup during
boot.
Rationale Disabling wireless support in the BIOS prevents easy
activation of the wireless interface, generally requiring administrators
to reboot the system first.
Evaluation messages info
No candidate or applicable check found.
Disable Bluetooth Kernel Module
xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
medium
CCE-82515-8
Disable Bluetooth Kernel Module Rule ID xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_bluetooth_disabled:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82515-8
References:
11 , 12 , 14 , 15 , 3 , 8 , 9 , 5.13.1.3 , APO13.01 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS01.04 , DSS05.02 , DSS05.03 , DSS05.05 , DSS06.06 , 3.1.16 , CCI-000085 , CCI-001551 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.11.2.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.13.1.1 , A.13.2.1 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.6.2.1 , A.6.2.2 , A.9.1.2 , AC-18(a) , AC-18(3) , CM-7(a) , CM-7(b) , CM-6(a) , MP-7 , PR.AC-3 , PR.IP-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000095-GPOS-00049
Description The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
Rationale If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
OVAL test results details
kernel module bluetooth disabled
oval:ssg-test_kernmod_bluetooth_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_bluetooth_disabled:obj:1 of type textfilecontent54_object
Path: /etc/modprobe.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1
kernel module bluetooth disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1
kernel module bluetooth disabled in /etc/modules-load.d
oval:ssg-test_kernmod_bluetooth_etcmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_bluetooth_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1
kernel module bluetooth disabled in /run/modules-load.d
oval:ssg-test_kernmod_bluetooth_runmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_bluetooth_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1
kernel module bluetooth disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_bluetooth_libmodules-load:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_bluetooth_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d
Filename: ^.*\.conf$
Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
Instance: 1
kernel module bluetooth disabled in /run/modprobe.d
oval:ssg-test_kernmod_bluetooth_runmodprobed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_bluetooth_runmodprobed:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/modprobe.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1
kernel module bluetooth disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_bluetooth_libmodprobed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_bluetooth_libmodprobed:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/modprobe.d ^.*\.conf$ ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ 1
Prevent non-Privileged Users from Modifying Network Interfaces using nmcli  xccdf_org.ssgproject.content_rule_network_nmcli_permissions  medium  CCE-82696-6
Prevent non-Privileged Users from Modifying Network Interfaces using nmcli Rule ID xccdf_org.ssgproject.content_rule_network_nmcli_permissions Result Multi-check rule no OVAL Definition ID oval:ssg-network_nmcli_permissions:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82696-6
References:
3.1.16 , AC-18(4) , CM-6(a)
Description By default, non-privileged users are given permission to modify networking interfaces and connection settings with the nmcli command. Non-privileged users should not be able to change the network configuration. To ensure that they cannot do so through nmcli, create the following configuration in /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla:
[Disable General User Access to NetworkManager]
Identity=default
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
Rationale Allowing non-privileged users to make changes to network settings can allow untrusted access, prevent system availability, and/or can lead to a compromise or attack.
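As an added example, not part of this report or of the SCAP Security Guide content, the shell functions below write the .pkla fragment above and then check a file for the same five keys the report's OVAL pattern requires, so the policy can be verified before a rescan. The optional ROOT prefix argument and the scratch tree built in the demo are assumptions made so the script runs offline; on a live host leave ROOT empty.

```shell
#!/bin/sh
# Added example, not from the SCAP report: write the NetworkManager polkit policy
# described above and verify that a .pkla file carries the required settings.
# ROOT (optional first argument) is an assumed prefix so the functions can be
# exercised on a scratch tree instead of the live /etc.

PKLA_DIR=/etc/polkit-1/localauthority/20-org.d
PKLA_FILE=10-nm-harden-access.pkla

# write_nm_pkla [ROOT]: the remediation fragment from the report, verbatim.
write_nm_pkla() {
    root="${1:-}"
    mkdir -p "$root$PKLA_DIR"
    cat > "$root$PKLA_DIR/$PKLA_FILE" <<'EOF'
[Disable General User Access to NetworkManager]
Identity=default
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
EOF
}

# nm_pkla_ok FILE: return 0 if some [section] in FILE sets all five keys to the
# values the report's OVAL pattern demands. Unlike that single regex, the order of
# the keys inside a section does not matter here; values are compared literally.
nm_pkla_ok() {
    awk '
        function check() {
            if (id == "default" && act == "org.freedesktop.NetworkManager.*" &&
                any == "no" && inact == "no" && active == "auth_admin") found = 1
        }
        # a new section header: judge the previous section, then reset
        /^[[:space:]]*\[/ { check(); id = act = any = inact = active = ""; next }
        { sub(/[[:space:]]+$/, "") }
        /^[[:space:]]*Identity=/       { sub(/^[[:space:]]*Identity=/, "");       id = $0 }
        /^[[:space:]]*Action=/         { sub(/^[[:space:]]*Action=/, "");         act = $0 }
        /^[[:space:]]*ResultAny=/      { sub(/^[[:space:]]*ResultAny=/, "");      any = $0 }
        /^[[:space:]]*ResultInactive=/ { sub(/^[[:space:]]*ResultInactive=/, ""); inact = $0 }
        /^[[:space:]]*ResultActive=/   { sub(/^[[:space:]]*ResultActive=/, "");   active = $0 }
        END { check(); exit (found ? 0 : 1) }
    ' "$1"
}

# Demo on a constructed scratch tree: the hardened file passes, a copy that
# answers "yes" for active sessions (the weak setting) is rejected.
demo=$(mktemp -d)
write_nm_pkla "$demo"
nm_pkla_ok "$demo$PKLA_DIR/$PKLA_FILE" && echo "hardened policy: ok"
sed 's/^ResultActive=.*/ResultActive=yes/' "$demo$PKLA_DIR/$PKLA_FILE" > "$demo/weak.pkla"
nm_pkla_ok "$demo/weak.pkla" || echo "weak policy: rejected"
rm -rf "$demo"
```

On a live host the effect can be confirmed from an unprivileged shell with `pkcheck --action-id org.freedesktop.NetworkManager.settings.modify.system --process $$`, which should no longer report the action as authorized. The localauthority .pkla format is only honoured when polkit's pkla backend is installed (RHEL and Fedora ship it as polkit-pkla-compat); the native format of current polkit releases is JavaScript rules under /etc/polkit-1/rules.d.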
OVAL test results details
polkit is properly configured to prevent non-privileged users from changing networking settings
oval:ssg-test_network_nmcli_permissions:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_network_nmcli_permissions:obj:1 of type textfilecontent54_object
Filepath: ^/etc/polkit-1/localauthority/20-org.d/.*$  Pattern: ^\[.*\]\n\s*Identity=default\n\s*Action=org\.freedesktop\.NetworkManager\.\*\n\s*ResultAny=no\n\s*ResultInactive=no\n\s*(ResultActive=auth_admin)\n*\s*$  Instance: 1
Ensure Logrotate Runs Periodically  xccdf_org.ssgproject.content_rule_ensure_logrotate_activated  medium  CCE-82689-1
Ensure Logrotate Runs Periodically Rule ID xccdf_org.ssgproject.content_rule_ensure_logrotate_activated Result Multi-check rule no OVAL Definition ID oval:ssg-ensure_logrotate_activated:def:1 Time 2020-05-28T09:50:18+00:00 Severity medium Identifiers and References Identifiers:
CCE-82689-1
References:
NT28(R43) , NT12(R18) , 1 , 14 , 15 , 16 , 3 , 5 , 6 , APO11.04 , BAI03.05 , DSS05.04 , DSS05.07 , MEA02.01 , CCI-000366 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , CM-6(a) , PR.PT-1 , Req-10.7
Description The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, and the rotation itself is carried out by the cron task /etc/cron.daily/logrotate. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:
# rotate log files frequency
daily
Rationale Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.
OVAL test results details
Tests the presence of daily setting in /etc/logrotate.conf file
oval:ssg-test_logrotate_conf_daily_setting:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_logrotate_conf_daily_setting:obj:1 of type textfilecontent54_object
Behaviors: no value  Filepath: /etc/logrotate.conf  Pattern: (?:daily)*.*(?=[\n][\s]*daily)(.*)$  Instance: 1  Filter: oval:ssg-state_another_rotate_interval_after_daily:ste:1
Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)
oval:ssg-test_cron_daily_logrotate_existence:tst:1
true Following items have been found on the system:
Path: /etc/cron.daily/logrotate  Content: /usr/sbin/logrotate /etc/logrotate.conf
Ensure SELinux State is Enforcing  xccdf_org.ssgproject.content_rule_selinux_state  high  CCE-82531-5
Ensure SELinux State is Enforcing Rule ID xccdf_org.ssgproject.content_rule_selinux_state Result Multi-check rule no OVAL Definition ID oval:ssg-selinux_state:def:1 Time 2020-05-28T09:50:18+00:00 Severity high Identifiers and References Identifiers:
CCE-82531-5
References:
NT28(R4) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 4 , 5 , 6 , 8 , 9 , APO01.06 , APO11.04 , APO13.01 , BAI03.05 , DSS01.05 , DSS03.01 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.03 , DSS06.06 , MEA02.01 , 3.1.2 , 3.7.2 , CCI-002165 , CCI-002696 , 164.308(a)(1)(ii)(D) , 164.308(a)(3) , 164.308(a)(4) , 164.310(b) , 164.310(c) , 164.312(a) , 164.312(e) , 4.2.3.4 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-3 , AC-3(3)(a) , AU-9 , SC-7(21) , DE.AE-1 , ID.AM-3 , PR.AC-4 , PR.AC-5 , PR.AC-6 , PR.DS-5 , PR.PT-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000445-GPOS-00199 , SRG-OS-000445-VMM-001780
Description The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
Rationale Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
OVAL test results details
/selinux/enforce is 1
oval:ssg-test_etc_selinux_config:tst:1
true Following items have been found on the system:
Path: /etc/selinux/config  Content: SELINUX=enforcing
Configure SELinux Policy  xccdf_org.ssgproject.content_rule_selinux_policytype  high  CCE-82532-3
Configure SELinux Policy Rule ID xccdf_org.ssgproject.content_rule_selinux_policytype Result Multi-check rule no OVAL Definition ID oval:ssg-selinux_policytype:def:1 Time 2020-05-28T09:50:18+00:00 Severity high Identifiers and References Identifiers:
CCE-82532-3
References:
NT28(R66) , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 4 , 5 , 6 , 8 , 9 , APO01.06 , APO11.04 , APO13.01 , BAI03.05 , DSS01.05 , DSS03.01 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.03 , DSS06.06 , MEA02.01 , 3.1.2 , 3.7.2 , CCI-002696 , 164.308(a)(1)(ii)(D) , 164.308(a)(3) , 164.308(a)(4) , 164.310(b) , 164.310(c) , 164.312(a) , 164.312(e) , 4.2.3.4 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-3 , AC-3(3)(a) , AU-9 , SC-7(21) , DE.AE-1 , ID.AM-3 , PR.AC-4 , PR.AC-5 , PR.AC-6 , PR.DS-5 , PR.PT-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000445-GPOS-00199 , SRG-OS-000445-VMM-001780
Description The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be returned to enforcing mode (SELINUX=enforcing) with the targeted policy.
OVAL test results details
Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file
oval:ssg-test_selinux_policy:tst:1
true Following items have been found on the system:
Path: /etc/selinux/config  Content: SELINUXTYPE=targeted
Ensure No Daemons are Unconfined by SELinux  xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons  medium  CCE-82688-3
Ensure No Daemons are Unconfined by SELinux Rule ID xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons Result Multi-check rule no OVAL Definition ID oval:ssg-selinux_confinement_of_daemons:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82688-3
References:
1.7.1.5 , 1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , 6 , 9 , APO01.06 , APO11.04 , BAI03.05 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.06 , MEA02.01 , 3.1.2 , 3.1.5 , 3.7.2 , 164.308(a)(1)(ii)(D) , 164.308(a)(3) , 164.308(a)(4) , 164.310(b) , 164.310(c) , 164.312(a) , 164.312(e) , 4.3.3.3.9 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 2.8 , SR 2.9 , SR 5.2 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.5.1 , A.12.6.2 , A.12.7.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , CM-7(a) , CM-7(b) , CM-6(a) , AC-3(3)(a) , AC-6 , PR.AC-4 , PR.DS-5 , PR.IP-1 , PR.PT-1 , PR.PT-3
Description Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context. To check for unconfined daemons, run the following command:
$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system.
Rationale Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require.
Warnings warning
Automatic remediation of this control is not available. Remediation can be achieved by amending SELinux policy or stopping the unconfined daemons as outlined above.
OVAL test results details
device_t in /dev
oval:ssg-test_selinux_confinement_of_daemons:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-object_selinux_confinement_of_daemons:obj:1 of type selinuxsecuritycontext_object
Behaviors: no value  Path: /proc  Filename: ^.*$  Filter: oval:ssg-state_selinux_confinement_of_daemons:ste:1
Ensure SELinux Not Disabled in /etc/default/grub  xccdf_org.ssgproject.content_rule_grub2_enable_selinux  medium  CCE-82666-9
Ensure SELinux Not Disabled in /etc/default/grub Rule ID xccdf_org.ssgproject.content_rule_grub2_enable_selinux Result Multi-check rule no OVAL Definition ID oval:ssg-grub2_enable_selinux:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82666-9
References:
1 , 11 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 4 , 5 , 6 , 8 , 9 , APO01.06 , APO11.04 , APO13.01 , BAI03.05 , DSS01.05 , DSS03.01 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.02 , DSS06.03 , DSS06.06 , MEA02.01 , 3.1.2 , 3.7.2 , CCI-000022 , CCI-000032 , 164.308(a)(1)(ii)(D) , 164.308(a)(3) , 164.308(a)(4) , 164.310(b) , 164.310(c) , 164.312(a) , 164.312(e) , 4.2.3.4 , 4.3.3.2.2 , 4.3.3.3.9 , 4.3.3.4 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , 4.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 2.8 , SR 2.9 , SR 3.1 , SR 3.5 , SR 3.8 , SR 4.1 , SR 4.3 , SR 5.1 , SR 5.2 , SR 5.3 , SR 7.1 , SR 7.6 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.12.1.1 , A.12.1.2 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , A.13.1.1 , A.13.1.2 , A.13.1.3 , A.13.2.1 , A.13.2.2 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-3 , AC-3(3)(a) , DE.AE-1 , ID.AM-3 , PR.AC-4 , PR.AC-5 , PR.AC-6 , PR.DS-5 , PR.PT-1 , PR.PT-3 , PR.PT-4 , SRG-OS-000445-VMM-001780
Description SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 (and of enforcing=0, which leaves SELinux loaded but in permissive mode) from the kernel arguments in that file to prevent SELinux from being disabled at boot, then regenerate the installed grub.cfg with grub2-mkconfig so the change takes effect. The checks for this rule also look for these arguments in /etc/grub2.cfg and in the scripts under /etc/grub.d.
Rationale Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
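As an added example, not part of this report or of the SCAP Security Guide, the shell functions below reproduce the three boot-time SELinux checks from the rules above (SELINUX=enforcing, SELINUXTYPE=targeted, and no selinux=0 or enforcing=0 in the same GRUB files the OVAL objects read) and compare them with the mode the running kernel is actually in. The optional ROOT prefix argument and the scratch tree in the demo are assumptions made so the script runs offline; on a real host leave ROOT empty.

```shell
#!/bin/sh
# Added example, not from the SCAP report: reproduce the boot-time SELinux checks
# of the rules above (state, policy type, kernel command line) and compare them
# with the running kernel. ROOT (optional argument) is an assumed prefix so the
# functions can be exercised on a scratch tree instead of the live system.

# selinux_config_value KEY [ROOT]: value of the last uncommented "KEY=value" line
# in /etc/selinux/config, mirroring the report's pattern
# ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) but also dropping trailing whitespace.
selinux_config_value() {
    key="$1"; root="${2:-}"
    [ -r "$root/etc/selinux/config" ] || return 1
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" \
        "$root/etc/selinux/config" | tail -n 1
}

# grub_disables_selinux [ROOT]: 0 if selinux=0 or enforcing=0 appears in any of
# the three places the report's OVAL objects read.
grub_disables_selinux() {
    root="${1:-}"
    [ -r "$root/etc/default/grub" ] &&
        grep -Eq '^[[:space:]]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0' "$root/etc/default/grub" && return 0
    [ -r "$root/etc/grub2.cfg" ] && grep -Eq '(selinux|enforcing)=0' "$root/etc/grub2.cfg" && return 0
    for f in "$root"/etc/grub.d/*; do
        [ -f "$f" ] && grep -Eq '(selinux|enforcing)=0' "$f" && return 0
    done
    return 1
}

# selinux_boot_ok [ROOT]: 0 when all three rules pass; each failure goes to stderr.
selinux_boot_ok() {
    root="${1:-}"; rc=0
    state=$(selinux_config_value SELINUX "$root")
    [ "$state" = enforcing ] || { echo "SELINUX=$state, want enforcing" >&2; rc=1; }
    policy=$(selinux_config_value SELINUXTYPE "$root")
    [ "$policy" = targeted ] || { echo "SELINUXTYPE=$policy, want targeted" >&2; rc=1; }
    if grub_disables_selinux "$root"; then
        echo "kernel command line carries selinux=0 or enforcing=0" >&2; rc=1
    fi
    return $rc
}

# selinux_runtime_enforcing [ROOT]: 0 if the running kernel is enforcing. The
# report's test title still says /selinux/enforce; on current kernels the file
# lives under /sys/fs/selinux.
selinux_runtime_enforcing() {
    root="${1:-}"
    [ -r "$root/sys/fs/selinux/enforce" ] && [ "$(cat "$root/sys/fs/selinux/enforce")" = 1 ]
}

# Demo on a constructed scratch tree: a compliant configuration, then the same
# tree after selinux=0 is appended to the GRUB command line.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux" "$demo/etc/default" "$demo/etc/grub.d"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/etc/selinux/config"
printf 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$demo/etc/default/grub"
selinux_boot_ok "$demo" && echo "boot configuration: pass"
printf 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet selinux=0"\n' > "$demo/etc/default/grub"
selinux_boot_ok "$demo" || echo "boot configuration: fail"
rm -rf "$demo"
```

A passing boot configuration and a passing runtime check are independent facts: a host booted with selinux=0 on the command line reports no /sys/fs/selinux at all, and a host switched to permissive with setenforce 0 still has a compliant /etc/selinux/config, so run both functions.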
OVAL test results details
check value selinux|enforcing=0 in /etc/default/grub, fail if found
oval:ssg-test_selinux_default_grub:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-object_selinux_default_grub:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub  Pattern: ^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$  Instance: 1
check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found
oval:ssg-test_selinux_grub2_cfg:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-object_selinux_grub2_cfg:obj:1 of type textfilecontent54_object
Filepath: /etc/grub2.cfg  Pattern: ^.*(selinux|enforcing)=0.*$  Instance: 1
check value selinux|enforcing=0 in /etc/grub.d, fail if found
oval:ssg-test_selinux_grub_dir:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-object_selinux_grub_dir:obj:1 of type textfilecontent54_object
Path: /etc/grub.d  Filename: ^.*$  Pattern: ^.*(selinux|enforcing)=0.*$  Instance: 1
Disable the Automounter  xccdf_org.ssgproject.content_rule_service_autofs_disabled  medium  CCE-82663-6
Disable the Automounter Rule ID xccdf_org.ssgproject.content_rule_service_autofs_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-service_autofs_disabled:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82663-6
References:
1 , 12 , 15 , 16 , 5 , APO13.01 , DSS01.04 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.03 , DSS06.10 , 3.4.6 , CCI-000366 , CCI-000778 , CCI-001958 , 164.308(a)(3)(i) , 164.308(a)(3)(ii)(A) , 164.310(d)(1) , 164.310(d)(2) , 164.312(a)(1) , 164.312(a)(2)(iv) , 164.312(b) , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.2 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.6 , A.11.2.6 , A.13.1.1 , A.13.2.1 , A.18.1.4 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.2 , A.9.4.3 , CM-7(a) , CM-7(b) , CM-6(a) , MP-7 , PR.AC-1 , PR.AC-3 , PR.AC-6 , PR.AC-7 , SRG-OS-000114-GPOS-00059 , SRG-OS-000378-GPOS-00163 , SRG-OS-000480-GPOS-00227
Description The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl disable autofs.service
The autofs service can be masked with the following command:
$ sudo systemctl mask autofs.service
Rationale Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab. Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
OVAL test results details
package autofs is removed
oval:ssg-test_service_autofs_package_autofs_removed:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1 of type rpminfo_object
Test that the autofs service is not running
oval:ssg-test_service_not_running_autofs:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object
Unit: ^autofs\.(service|socket)$  Property: ActiveState
Test that the property LoadState from the service autofs is masked
oval:ssg-test_service_loadstate_is_masked_autofs:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1 of type systemdunitproperty_object
Unit: ^autofs\.(service|socket)$  Property: LoadState
Test that the property FragmentPath from the service autofs is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_autofs:tst:1
true No items have been found conforming to the following objects: Object oval:ssg-obj_service_fragmentpath_is_dev_null_autofs:obj:1 of type systemdunitproperty_object
Unit: ^autofs\.(service|socket)$  Property: FragmentPath
Disable Mounting of jffs2  xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled  low  CCE-82716-2
Disable Mounting of jffs2 Rule ID xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_jffs2_disabled:def:1 Time 2020-05-28T09:50:19+00:00 Severity low Identifiers and References Identifiers:
CCE-82716-2
References:
1.1.1.3 , 11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3
Description To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
OVAL test results details
kernel module jffs2 disabled
oval:ssg-test_kernmod_jffs2_disabled:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_jffs2_disabled:obj:1 of type textfilecontent54_object
Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$  Instance: 1
kernel module jffs2 disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_jffs2_modprobeconf:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_jffs2_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$  Instance: 1
kernel module jffs2 disabled in /etc/modules-load.d
oval:ssg-test_kernmod_jffs2_etcmodules-load:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_jffs2_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$  Instance: 1
kernel module jffs2 disabled in /run/modules-load.d
oval:ssg-test_kernmod_jffs2_runmodules-load:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_jffs2_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$  Instance: 1
kernel module jffs2 disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_jffs2_libmodules-load:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_jffs2_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$  Instance: 1
kernel module jffs2 disabled in /run/modprobe.d
oval:ssg-test_kernmod_jffs2_runmodprobed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_jffs2_runmodprobed:obj:1 of type textfilecontent54_object
Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$  Instance: 1
kernel module jffs2 disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_jffs2_libmodprobed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_jffs2_libmodprobed:obj:1 of type textfilecontent54_object
Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$  Instance: 1
Disable Mounting of vFAT filesystems  xccdf_org.ssgproject.content_rule_kernel_module_vfat_disabled  low  CCE-82720-4
Disable Mounting of vFAT filesystems Rule ID xccdf_org.ssgproject.content_rule_kernel_module_vfat_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_vfat_disabled:def:1 Time 2020-05-28T09:50:19+00:00 Severity low Identifiers and References Identifiers:
CCE-82720-4
References:
11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3
Description To configure the system to prevent the vfat kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install vfat /bin/true
This prevents usage of the vFAT filesystem. The vFAT filesystem format is primarily used on older Windows systems and on portable USB drives or flash modules. It comes in three types, FAT12, FAT16 and FAT32, all of which are supported by the vfat kernel module. Note that on UEFI systems the EFI System Partition (normally mounted at /boot/efi) is itself vFAT; check for such a mount, for example with findmnt -t vfat, before applying this rule, because a system that depends on that partition cannot have the module disabled.
Rationale Removing support for unneeded filesystems reduces the local attack surface of the system.
OVAL test results details
kernel module vfat disabled
oval:ssg-test_kernmod_vfat_disabled:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_vfat_disabled:obj:1 of type textfilecontent54_object
Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+vfat\s+(/bin/false|/bin/true)$  Instance: 1
kernel module vfat disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_vfat_modprobeconf:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_vfat_modprobeconf:obj:1 of type textfilecontent54_object
Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+vfat\s+(/bin/false|/bin/true)$  Instance: 1
kernel module vfat disabled in /etc/modules-load.d
oval:ssg-test_kernmod_vfat_etcmodules-load:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_vfat_etcmodules-load:obj:1 of type textfilecontent54_object
Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+vfat\s+(/bin/false|/bin/true)$  Instance: 1
kernel module vfat disabled in /run/modules-load.d
oval:ssg-test_kernmod_vfat_runmodules-load:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_vfat_runmodules-load:obj:1 of type textfilecontent54_object
Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+vfat\s+(/bin/false|/bin/true)$  Instance: 1
kernel module vfat disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_vfat_libmodules-load:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_vfat_libmodules-load:obj:1 of type textfilecontent54_object
Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+vfat\s+(/bin/false|/bin/true)$  Instance: 1
kernel module vfat disabled in /run/modprobe.d
oval:ssg-test_kernmod_vfat_runmodprobed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_vfat_runmodprobed:obj:1 of type textfilecontent54_object
Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+vfat\s+(/bin/false|/bin/true)$  Instance: 1
kernel module vfat disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_vfat_libmodprobed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_vfat_libmodprobed:obj:1 of type textfilecontent54_object
Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+vfat\s+(/bin/false|/bin/true)$  Instance: 1
Disable Modprobe Loading of USB Storage Driver  xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled  medium  CCE-82719-6
Disable Modprobe Loading of USB Storage Driver Rule ID xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-kernel_module_usb-storage_disabled:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82719-6
References:
1 , 12 , 15 , 16 , 5 , APO13.01 , DSS01.04 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.03 , DSS06.10 , 3.1.21 , CCI-000366 , CCI-000778 , CCI-001958 , 164.308(a)(3)(i) , 164.308(a)(3)(ii)(A) , 164.310(d)(1) , 164.310(d)(2) , 164.312(a)(1) , 164.312(a)(2)(iv) , 164.312(b) , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.2 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.6 , A.11.2.6 , A.13.1.1 , A.13.2.1 , A.18.1.4 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.2 , A.9.4.3 , CM-7(a) , CM-7(b) , CM-6(a) , MP-7 , PR.AC-1 , PR.AC-3 , PR.AC-6 , PR.AC-7 , SRG-OS-000114-GPOS-00059 , SRG-OS-000378-GPOS-0016 , SRG-OS-000378-GPOS-00163 , SRG-OS-000480-GPOS-00227
Description To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
Rationale USB storage devices such as thumb drives can be used to introduce malicious software.
OVAL test results details
kernel module usb-storage disabled (oval:ssg-test_kernmod_usb-storage_disabled:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type textfilecontent54_object
  Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$  Instance: 1
kernel module usb-storage disabled in /etc/modprobe.conf (oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type textfilecontent54_object
  Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$  Instance: 1
kernel module usb-storage disabled in /etc/modules-load.d (oval:ssg-test_kernmod_usb-storage_etcmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_usb-storage_etcmodules-load:obj:1 of type textfilecontent54_object
  Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$  Instance: 1
kernel module usb-storage disabled in /run/modules-load.d (oval:ssg-test_kernmod_usb-storage_runmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_usb-storage_runmodules-load:obj:1 of type textfilecontent54_object
  Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$  Instance: 1
kernel module usb-storage disabled in /usr/lib/modules-load.d (oval:ssg-test_kernmod_usb-storage_libmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_usb-storage_libmodules-load:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$  Instance: 1
kernel module usb-storage disabled in /run/modprobe.d (oval:ssg-test_kernmod_usb-storage_runmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_usb-storage_runmodprobed:obj:1 of type textfilecontent54_object
  Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$  Instance: 1
kernel module usb-storage disabled in /usr/lib/modprobe.d (oval:ssg-test_kernmod_usb-storage_libmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_usb-storage_libmodprobed:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$  Instance: 1
Disable Mounting of hfsplus
Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-kernel_module_hfsplus_disabled:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: low
Identifiers and References
Identifiers:
CCE-82715-4
References:
1.1.1.5 , 11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3
Description: To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
OVAL test results details
kernel module hfsplus disabled (oval:ssg-test_kernmod_hfsplus_disabled:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfsplus_disabled:obj:1 of type textfilecontent54_object
  Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfsplus disabled in /etc/modprobe.conf (oval:ssg-test_kernmod_hfsplus_modprobeconf:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfsplus_modprobeconf:obj:1 of type textfilecontent54_object
  Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfsplus disabled in /etc/modules-load.d (oval:ssg-test_kernmod_hfsplus_etcmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfsplus_etcmodules-load:obj:1 of type textfilecontent54_object
  Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfsplus disabled in /run/modules-load.d (oval:ssg-test_kernmod_hfsplus_runmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfsplus_runmodules-load:obj:1 of type textfilecontent54_object
  Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfsplus disabled in /usr/lib/modules-load.d (oval:ssg-test_kernmod_hfsplus_libmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfsplus_libmodules-load:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfsplus disabled in /run/modprobe.d (oval:ssg-test_kernmod_hfsplus_runmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfsplus_runmodprobed:obj:1 of type textfilecontent54_object
  Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfsplus disabled in /usr/lib/modprobe.d (oval:ssg-test_kernmod_hfsplus_libmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfsplus_libmodprobed:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$  Instance: 1
Disable Booting from USB Devices in Boot Firmware
Rule ID: xccdf_org.ssgproject.content_rule_bios_disable_usb_boot
Result:
Multi-check rule: no
Time: 2020-05-28T09:50:19+00:00
Severity: unknown
Identifiers and References
Identifiers:
CCE-82662-8
References:
12 , 16 , APO13.01 , DSS01.04 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , CCI-001250 , 4.3.3.2.2 , 4.3.3.5.2 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.3.7.4 , SR 1.1 , SR 1.13 , SR 1.2 , SR 1.4 , SR 1.5 , SR 1.9 , SR 2.1 , SR 2.6 , A.11.2.6 , A.13.1.1 , A.13.2.1 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.2.1 , MP-7 , CM-7(b) , CM-6(a) , PR.AC-3 , PR.AC-6
Description: Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives.
Rationale: Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS.
Evaluation messages (info): No candidate or applicable check found.
Disable Mounting of hfs
Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-kernel_module_hfs_disabled:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: low
Identifiers and References
Identifiers:
CCE-82714-7
References:
1.1.1.4 , 11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3
Description: To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install hfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
OVAL test results details
kernel module hfs disabled (oval:ssg-test_kernmod_hfs_disabled:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfs_disabled:obj:1 of type textfilecontent54_object
  Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfs disabled in /etc/modprobe.conf (oval:ssg-test_kernmod_hfs_modprobeconf:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfs_modprobeconf:obj:1 of type textfilecontent54_object
  Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfs disabled in /etc/modules-load.d (oval:ssg-test_kernmod_hfs_etcmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfs_etcmodules-load:obj:1 of type textfilecontent54_object
  Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfs disabled in /run/modules-load.d (oval:ssg-test_kernmod_hfs_runmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfs_runmodules-load:obj:1 of type textfilecontent54_object
  Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfs disabled in /usr/lib/modules-load.d (oval:ssg-test_kernmod_hfs_libmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfs_libmodules-load:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfs disabled in /run/modprobe.d (oval:ssg-test_kernmod_hfs_runmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfs_runmodprobed:obj:1 of type textfilecontent54_object
  Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module hfs disabled in /usr/lib/modprobe.d (oval:ssg-test_kernmod_hfs_libmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_hfs_libmodprobed:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$  Instance: 1
Disable Mounting of cramfs
Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-kernel_module_cramfs_disabled:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: low
Identifiers and References
Identifiers:
CCE-82514-1
References:
11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3 , SRG-OS-000095-GPOS-00049
Description: To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the server.
OVAL test results details
kernel module cramfs disabled (oval:ssg-test_kernmod_cramfs_disabled:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type textfilecontent54_object
  Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module cramfs disabled in /etc/modprobe.conf (oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1 of type textfilecontent54_object
  Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module cramfs disabled in /etc/modules-load.d (oval:ssg-test_kernmod_cramfs_etcmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_cramfs_etcmodules-load:obj:1 of type textfilecontent54_object
  Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module cramfs disabled in /run/modules-load.d (oval:ssg-test_kernmod_cramfs_runmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_cramfs_runmodules-load:obj:1 of type textfilecontent54_object
  Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module cramfs disabled in /usr/lib/modules-load.d (oval:ssg-test_kernmod_cramfs_libmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_cramfs_libmodules-load:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module cramfs disabled in /run/modprobe.d (oval:ssg-test_kernmod_cramfs_runmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_cramfs_runmodprobed:obj:1 of type textfilecontent54_object
  Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module cramfs disabled in /usr/lib/modprobe.d (oval:ssg-test_kernmod_cramfs_libmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_cramfs_libmodprobed:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$  Instance: 1
Disable Mounting of udf
Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-kernel_module_udf_disabled:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: low
Identifiers and References
Identifiers:
CCE-82718-8
References:
11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3
Description: To configure the system to prevent the udf kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install udf /bin/true
This effectively prevents usage of this uncommon filesystem. The udf filesystem type is the Universal Disk Format, used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system.
OVAL test results details
kernel module udf disabled (oval:ssg-test_kernmod_udf_disabled:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_udf_disabled:obj:1 of type textfilecontent54_object
  Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$  Instance: 1
kernel module udf disabled in /etc/modprobe.conf (oval:ssg-test_kernmod_udf_modprobeconf:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_udf_modprobeconf:obj:1 of type textfilecontent54_object
  Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$  Instance: 1
kernel module udf disabled in /etc/modules-load.d (oval:ssg-test_kernmod_udf_etcmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_udf_etcmodules-load:obj:1 of type textfilecontent54_object
  Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$  Instance: 1
kernel module udf disabled in /run/modules-load.d (oval:ssg-test_kernmod_udf_runmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_udf_runmodules-load:obj:1 of type textfilecontent54_object
  Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$  Instance: 1
kernel module udf disabled in /usr/lib/modules-load.d (oval:ssg-test_kernmod_udf_libmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_udf_libmodules-load:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$  Instance: 1
kernel module udf disabled in /run/modprobe.d (oval:ssg-test_kernmod_udf_runmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_udf_runmodprobed:obj:1 of type textfilecontent54_object
  Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$  Instance: 1
kernel module udf disabled in /usr/lib/modprobe.d (oval:ssg-test_kernmod_udf_libmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_udf_libmodprobed:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$  Instance: 1
Disable Kernel Support for USB via Bootloader Configuration
Rule ID: xccdf_org.ssgproject.content_rule_grub2_nousb_argument
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-grub2_nousb_argument:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: unknown
Identifiers and References
Identifiers:
CCE-82661-0
References:
12 , 16 , APO13.01 , DSS01.04 , DSS05.03 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , CCI-001250 , 164.308(a)(3)(i) , 164.308(a)(3)(ii)(A) , 164.310(d)(1) , 164.310(d)(2) , 164.312(a)(1) , 164.312(a)(2)(iv) , 164.312(b) , 4.3.3.2.2 , 4.3.3.5.2 , 4.3.3.6.6 , 4.3.3.7.2 , 4.3.3.7.4 , SR 1.1 , SR 1.13 , SR 1.2 , SR 1.4 , SR 1.5 , SR 1.9 , SR 2.1 , SR 2.6 , A.11.2.6 , A.13.1.1 , A.13.2.1 , A.6.2.1 , A.6.2.2 , A.7.1.1 , A.9.2.1 , MP-7 , CM-6(a) , PR.AC-3 , PR.AC-6
Description: All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, append "nousb" to the kernel line in /etc/default/grub as shown:
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
Rationale: Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.
Warning: Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.
OVAL test results details
tests the value of GRUB_CMDLINE_LINUX setting in the /etc/default/grub file (oval:ssg-test_grub2_nousb_argument:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_grub2_nousb_argument:obj:1 of type textfilecontent54_object
  Filepath: /etc/default/grub  Pattern: ^[ \t]*GRUB_CMDLINE_LINUX=([^#]*).*$  Instance: 1
Disable Mounting of freevxfs
Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-kernel_module_freevxfs_disabled:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: low
Identifiers and References
Identifiers:
CCE-82713-9
References:
1.1.1.2 , 11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3
Description: To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem.
Rationale: Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
OVAL test results details
kernel module freevxfs disabled (oval:ssg-test_kernmod_freevxfs_disabled:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_freevxfs_disabled:obj:1 of type textfilecontent54_object
  Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module freevxfs disabled in /etc/modprobe.conf (oval:ssg-test_kernmod_freevxfs_modprobeconf:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_freevxfs_modprobeconf:obj:1 of type textfilecontent54_object
  Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module freevxfs disabled in /etc/modules-load.d (oval:ssg-test_kernmod_freevxfs_etcmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_freevxfs_etcmodules-load:obj:1 of type textfilecontent54_object
  Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module freevxfs disabled in /run/modules-load.d (oval:ssg-test_kernmod_freevxfs_runmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_freevxfs_runmodules-load:obj:1 of type textfilecontent54_object
  Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module freevxfs disabled in /usr/lib/modules-load.d (oval:ssg-test_kernmod_freevxfs_libmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_freevxfs_libmodules-load:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module freevxfs disabled in /run/modprobe.d (oval:ssg-test_kernmod_freevxfs_runmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_freevxfs_runmodprobed:obj:1 of type textfilecontent54_object
  Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module freevxfs disabled in /usr/lib/modprobe.d (oval:ssg-test_kernmod_freevxfs_libmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_freevxfs_libmodprobed:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$  Instance: 1
Disable Mounting of squashfs
Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-kernel_module_squashfs_disabled:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: low
Identifiers and References
Identifiers:
CCE-82717-0
References:
11 , 14 , 3 , 9 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.05 , DSS06.06 , 3.4.6 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.9.1.2 , CM-7(a) , CM-7(b) , CM-6(a) , PR.IP-1 , PR.PT-3
Description: To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system.
OVAL test results details
kernel module squashfs disabled (oval:ssg-test_kernmod_squashfs_disabled:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_squashfs_disabled:obj:1 of type textfilecontent54_object
  Path: /etc/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module squashfs disabled in /etc/modprobe.conf (oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1 of type textfilecontent54_object
  Filepath: /etc/modprobe.conf  Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module squashfs disabled in /etc/modules-load.d (oval:ssg-test_kernmod_squashfs_etcmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_squashfs_etcmodules-load:obj:1 of type textfilecontent54_object
  Path: /etc/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module squashfs disabled in /run/modules-load.d (oval:ssg-test_kernmod_squashfs_runmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_squashfs_runmodules-load:obj:1 of type textfilecontent54_object
  Path: /run/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module squashfs disabled in /usr/lib/modules-load.d (oval:ssg-test_kernmod_squashfs_libmodules-load:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_squashfs_libmodules-load:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modules-load.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module squashfs disabled in /run/modprobe.d (oval:ssg-test_kernmod_squashfs_runmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_squashfs_runmodprobed:obj:1 of type textfilecontent54_object
  Path: /run/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$  Instance: 1
kernel module squashfs disabled in /usr/lib/modprobe.d (oval:ssg-test_kernmod_squashfs_libmodprobed:tst:1): false
No items have been found conforming to the following objects: Object oval:ssg-obj_kernmod_squashfs_libmodprobed:obj:1 of type textfilecontent54_object
  Path: /usr/lib/modprobe.d  Filename: ^.*\.conf$  Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$  Instance: 1
Enable Kernel Parameter to Enforce DAC on Symlinks
Rule ID: xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks
Result:
Multi-check rule: no
OVAL Definition ID: oval:ssg-sysctl_fs_protected_symlinks:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: unknown
Identifiers and References
Identifiers:
CCE-82507-5
References:
NT28(R23) , 1.6.1 , CM-6(a) , AC-6(1) , SRG-OS-000324-GPOS-00125
Description: To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
Rationale: By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities that stem from privileged programs accessing the file system insecurely, removing an exploitation vector that relies on unsafe use of open() or creat().
OVAL test results details
fs.protected_symlinks static configuration
oval:ssg-test_static_sysctl_fs_protected_symlinks:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_fs_protected_symlinks:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ 1
fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_fs_protected_symlinks:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_fs_protected_symlinks:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ 1
fs.protected_symlinks static configuration in /run/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_fs_protected_symlinks:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_fs_protected_symlinks:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ 1
fs.protected_symlinks static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_fs_protected_symlinks:tst:1
true Following items have been found on the system: Path Content /usr/lib/sysctl.d/50-default.conf fs.protected_symlinks = 1
kernel runtime parameter fs.protected_symlinks set to 1
oval:ssg-test_sysctl_runtime_fs_protected_symlinks:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_fs_protected_symlinks:obj:1 of type
sysctl_object Name fs.protected_symlinks
Enable Kernel Parameter to Enforce DAC on Hardlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks unknownCCE-82506-7
Enable Kernel Parameter to Enforce DAC on Hardlinks Rule ID xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_fs_protected_hardlinks:def:1 Time 2020-05-28T09:50:19+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82506-7
References:
NT28(R23) , 1.6.1 , CM-6(a) , AC-6(1) , SRG-OS-000324-GPOS-00125
Description To set the runtime status of the fs.protected_hardlinks
kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
fs.protected_hardlinks = 1 Rationale With this parameter enabled, a user can no longer create a hard
link to a file they do not own unless they have both read and write access to it (the parameter
affects hard links only; symbolic links are covered by fs.protected_symlinks). Disallowing such links
mitigates vulnerabilities in which an unprivileged user links a victim file into a location that a
privileged program later opens or creates unsafely via open()
or creat()
, and it stops users from pinning a potentially vulnerable setuid binary with a hard link so that an
upgrade does not remove it.
OVAL test results details
fs.protected_hardlinks static configuration
oval:ssg-test_static_sysctl_fs_protected_hardlinks:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_fs_protected_hardlinks:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ 1
fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_fs_protected_hardlinks:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_fs_protected_hardlinks:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ 1
fs.protected_hardlinks static configuration in /run/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_fs_protected_hardlinks:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_fs_protected_hardlinks:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ 1
fs.protected_hardlinks static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_fs_protected_hardlinks:tst:1
true Following items have been found on the system: Path Content /usr/lib/sysctl.d/50-default.conf fs.protected_hardlinks = 1
kernel runtime parameter fs.protected_hardlinks set to 1
oval:ssg-test_sysctl_runtime_fs_protected_hardlinks:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_fs_protected_hardlinks:obj:1 of type
sysctl_object Name fs.protected_hardlinks
Disable acquiring, saving, and processing core dumpsxccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled unknownCCE-82530-7
Disable acquiring, saving, and processing core dumps Rule ID xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-service_systemd-coredump_disabled:def:1 Time 2020-05-28T09:50:19+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82530-7
References:
FMT_SMF_EXT.1 , SRG-OS-000480-GPOS-00227
Description The systemd-coredump.socket
unit is a socket activation of
the systemd-coredump@.service
which processes core dumps.
By masking the unit, core dump processing is disabled.
Rationale A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems.
OVAL test results details
package systemd is removed
oval:ssg-test_service_systemd-coredump_package_systemd_removed:tst:1
false Following items have been found on the system: Name Arch Epoch Release Version Evr Signature keyid Extended name systemd x86_64 (none) 27.el8 239 0:239-27.el8 199e2f91fd431d51 systemd-0:239-27.el8.x86_64
Test that the systemd-coredump service is not running
oval:ssg-test_service_not_running_systemd-coredump:tst:1
false Following items have been found on the system: Unit Property Value systemd-coredump.socket ActiveState active
Test that the property LoadState from the service systemd-coredump is masked
oval:ssg-test_service_loadstate_is_masked_systemd-coredump:tst:1
false Following items have been found on the system: Unit Property Value systemd-coredump.socket LoadState loaded
Test that the property FragmentPath from the service systemd-coredump is set to /dev/null
oval:ssg-test_service_fragmentpath_is_dev_null_systemd-coredump:tst:1
false Following items have been found on the system: Unit Property Value systemd-coredump.socket FragmentPath /usr/lib/systemd/system/systemd-coredump.socket
Disable Core Dumps for All Usersxccdf_org.ssgproject.content_rule_disable_users_coredumps unknownCCE-82526-5
Disable Core Dumps for All Users Rule ID xccdf_org.ssgproject.content_rule_disable_users_coredumps Result Multi-check rule no OVAL Definition ID oval:ssg-disable_users_coredumps:def:1 Time 2020-05-28T09:50:19+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82526-5
References:
1 , 12 , 13 , 15 , 16 , 2 , 7 , 8 , APO13.01 , BAI04.04 , DSS01.03 , DSS03.05 , DSS05.07 , SR 6.2 , SR 7.1 , SR 7.2 , A.12.1.3 , A.17.2.1 , DE.CM-1 , PR.DS-4 , SRG-OS-000480-GPOS-00227
Description To disable core dumps for all users, add the following line to
/etc/security/limits.conf
, or to a file within the
/etc/security/limits.d/
directory:
* hard core 0 Rationale A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.
OVAL test results details
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory
oval:ssg-test_core_dumps_limits_d:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_core_dumps_limits_d:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) 1
Tests for existence of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory
oval:ssg-test_core_dumps_limits_d_exists:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:hard|-)[\s]+core 1
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file
oval:ssg-test_core_dumps_limitsconf:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/security/limits.conf ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) 1
Disable storing core dumpxccdf_org.ssgproject.content_rule_coredump_disable_storage unknownCCE-82528-1
Disable storing core dump Rule ID xccdf_org.ssgproject.content_rule_coredump_disable_storage Result Multi-check rule no OVAL Definition ID oval:ssg-coredump_disable_storage:def:1 Time 2020-05-28T09:50:19+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82528-1
References:
FMT_SMF_EXT.1 , SRG-OS-000480-GPOS-00227
Description The Storage
option in [Coredump]
section
of /etc/systemd/coredump.conf
can be set to none
to disable storing core dumps permanently.
Rationale A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended; where an
overriding operational requirement for advanced debugging exists, temporary enablement
should be reviewed against local needs and policy.
Warnings warning
If the /etc/systemd/coredump.conf
file
does not already contain the [Coredump]
section,
the value will not be configured correctly.
OVAL test results details
tests the value of Storage setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_storage:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_coredump_disable_storage:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/systemd/coredump.conf ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1
Disable core dump backtracesxccdf_org.ssgproject.content_rule_coredump_disable_backtraces unknownCCE-82529-9
Disable core dump backtraces Rule ID xccdf_org.ssgproject.content_rule_coredump_disable_backtraces Result Multi-check rule no OVAL Definition ID oval:ssg-coredump_disable_backtraces:def:1 Time 2020-05-28T09:50:19+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82529-9
References:
FMT_SMF_EXT.1 , SRG-OS-000480-GPOS-00227
Description The ProcessSizeMax
option in [Coredump]
section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated.
Rationale A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.
Enabling core dumps on production systems is not recommended; where an
overriding operational requirement for advanced debugging exists, temporary enablement
should be reviewed against local needs and policy.
Warnings warning
If the /etc/systemd/coredump.conf
file
does not already contain the [Coredump]
section,
the value will not be configured correctly.
OVAL test results details
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_backtraces:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_coredump_disable_backtraces:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/systemd/coredump.conf ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1
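The two warnings above make the same point: writing Storage=none or ProcessSizeMax= into /etc/systemd/coredump.conf does nothing unless the line lands inside an existing [Coredump] section, and the OVAL regexes above likewise only match a key that follows that header. The shell script below is an added example, not the report's text or the SCAP Security Guide's own remediation: it edits an INI-style file section by section, creating [Coredump] when it is absent, and reads the active value back the way systemd would see it. The sample file contents are constructed, and the value 0 for ProcessSizeMax is an assumption (the rule text above gives no number).

```shell
#!/bin/sh
# Added example: section-aware edit of a systemd-style INI file.
# set_ini_key FILE SECTION KEY VALUE
#   - replaces the first active or commented-out "KEY=" line inside SECTION
#     (key names compared case-insensitively, as the OVAL regex above does);
#     a stock coredump.conf ships its defaults as "#Storage=external" lines
#   - drops duplicate KEY= lines inside the section
#   - appends KEY=VALUE at the end of SECTION if no such line exists
#   - appends a new [SECTION] with KEY=VALUE if the section does not exist
#   - leaves every other section untouched
set_ini_key() {
    file="$1"; section="$2"; key="$3"; value="$4"
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk -v s="$section" -v k="$key" -v v="$value" '
        function flush() { if (in_section && !set_done) { print k "=" v; set_done = 1 } }
        /^[ \t]*\[/ {                                   # section header
            flush()                                     # key not seen in the section we are leaving
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_section = (name == s)
            print; next
        }
        in_section {
            line = $0; sub(/^[ \t]*[#;]?[ \t]*/, "", line)   # strip a comment marker, if any
            lk = line; sub(/[ \t]*=.*$/, "", lk)              # the key part before "="
            if (index(line, "=") && tolower(lk) == tolower(k)) {
                if (!set_done) { print k "=" v; set_done = 1 }
                next                                          # drop the old/duplicate line
            }
        }
        { print }
        END {
            if (in_section) flush()
            else if (!set_done) { if (NR > 0) print ""; print "[" s "]"; print k "=" v }
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_ini_key FILE SECTION KEY: print the active (uncommented) value of KEY in
# SECTION; the last assignment wins, as in systemd; prints nothing if unset
get_ini_key() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[/ { name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name); in_section = (name == s); next }
        in_section && /^[ \t]*[^#; \t]/ && index($0, "=") {
            lk = $0; sub(/[ \t]*=.*$/, "", lk); sub(/^[ \t]*/, "", lk)
            if (tolower(lk) == tolower(k)) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); found = 1
            }
        }
        END { if (found) print val }' "$1"
}

# demo_coredump_conf: constructed sample resembling a stock coredump.conf
# (section present, defaults commented out); hardens it and prints its path
demo_coredump_conf() {
    f=$(mktemp)
    printf '%s\n' '# See coredump.conf(5) for details.' '' '[Coredump]' \
        '#Storage=external' '#Compress=yes' '#ProcessSizeMax=2G' > "$f"
    set_ini_key "$f" Coredump Storage none        # rule coredump_disable_storage
    set_ini_key "$f" Coredump ProcessSizeMax 0    # rule coredump_disable_backtraces (value assumed)
    printf '%s\n' "$f"
}

# Stand-alone run: show the edited file
conf=$(demo_coredump_conf)
cat "$conf"
rm -f "$conf"
```

Running it prints the constructed file with Storage=none and ProcessSizeMax=0 in place of the commented defaults; calling set_ini_key a second time with the same arguments leaves the file unchanged, and a file with no [Coredump] section gets one appended rather than a stray key at top level.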
Enable page allocator poisoningxccdf_org.ssgproject.content_rule_grub2_page_poison_argument mediumCCE-82673-5
Enable page allocator poisoning Rule ID xccdf_org.ssgproject.content_rule_grub2_page_poison_argument Result Multi-check rule no OVAL Definition ID oval:ssg-grub2_page_poison_argument:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82673-5
References:
CM-6(a) , SRG-OS-000480-GPOS-00227
Description To enable poisoning of free pages,
add the argument page_poison=1
to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub
, in the manner below:
GRUB_CMDLINE_LINUX="page_poison=1" Rationale Page poisoning fills a page with a fixed pattern when
it is freed and verifies that pattern when the page is allocated again, so a write to a page after
it has been freed, or a read of a page before it has been initialized, is detected rather than
silently succeeding. This makes many use-after-free bugs detectable and harder to exploit at little
performance cost, prevents stale data in freed pages from leaking to the next user of the page, and
helps detect corrupted memory.
Warnings warning
The GRUB 2 configuration file,
grub.cfg
,
is automatically updated each time a new kernel is installed. Note that any
changes to
/etc/default/grub
require rebuilding the
grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
OVAL test results details
check for kernel command line parameters page_poison=1 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_grub2_page_poison_argument_grub_env:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /boot/grub2/grubenv ^kernelopts=(.*)$ 1
Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-82498-7
Restrict Exposed Kernel Pointer Addresses Access Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_kernel_kptr_restrict:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82498-7
References:
NT28(R23) , SC-30 , SC-30(2) , SC-30(5) , CM-6(a) , SRG-OS-000132-GPOS-00067
Description To set the runtime status of the kernel.kptr_restrict
kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
kernel.kptr_restrict = 1 Rationale Exposing kernel pointers (through procfs or seq_printf()
) reveals the addresses of writable kernel structures that can contain function pointers. If a write
vulnerability in the kernel allows writing to any such structure, knowing its address lets an attacker
compromise the kernel. With kernel.kptr_restrict set to 1, pointers printed with %pK are replaced with
zeros for any program that does not hold the CAP_SYSLOG capability.
OVAL test results details
kernel.kptr_restrict static configuration
oval:ssg-test_static_sysctl_kernel_kptr_restrict:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1
kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_kptr_restrict:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1
kernel.kptr_restrict static configuration in /run/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_kptr_restrict:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ 1
kernel.kptr_restrict static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_kptr_restrict:tst:1
true Following items have been found on the system: Path Content /usr/lib/sysctl.d/50-default.conf kernel.kptr_restrict = 1
kernel runtime parameter kernel.kptr_restrict set to 1
oval:ssg-test_sysctl_runtime_kernel_kptr_restrict:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_kernel_kptr_restrict:obj:1 of type
sysctl_object
Disable Kernel Image Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled mediumCCE-82500-0
Disable Kernel Image Loading Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_kernel_kexec_load_disabled:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82500-0
References:
SRG-OS-000480-GPOS-00227
Description To set the runtime status of the kernel.kexec_load_disabled
kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
kernel.kexec_load_disabled = 1 Rationale Setting kernel.kexec_load_disabled to 1 makes the kernel
refuse all further kexec_load(2) and kexec_file_load(2) calls, so no new kernel image can be loaded
for kexec, even by root. This stops an attacker who has obtained root from replacing the running
kernel, and with it every kernel-level protection, without a genuine reboot. The switch is one-way:
once set to 1 it cannot be returned to 0 until the system reboots, so any crash (kdump) kernel must
be loaded before the setting takes effect; an image loaded beforehand remains usable.
OVAL test results details
kernel.kexec_load_disabled static configuration
oval:ssg-test_static_sysctl_kernel_kexec_load_disabled:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ 1
kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_kexec_load_disabled:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ 1
kernel.kexec_load_disabled static configuration in /run/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_kexec_load_disabled:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ 1
kernel.kexec_load_disabled static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_kexec_load_disabled:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter kernel.kexec_load_disabled set to 1
oval:ssg-test_sysctl_runtime_kernel_kexec_load_disabled:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_kernel_kexec_load_disabled:obj:1 of type
sysctl_object Name kernel.kexec_load_disabled
Disallow kernel profiling by unprivileged usersxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid mediumCCE-82502-6
Disallow kernel profiling by unprivileged users Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_kernel_perf_event_paranoid:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82502-6
References:
NT28(R23) , FMT_SMF_EXT.1 , SRG-OS-000132-GPOS-00067
Description To set the runtime status of the kernel.perf_event_paranoid
kernel parameter, run the following command:
$ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
kernel.perf_event_paranoid = 2 Rationale Kernel profiling can reveal sensitive information about
kernel behaviour, such as kernel addresses and timing that help an attacker defeat address space
layout randomization. With the value 2, unprivileged users may profile only their own user-space
processes: CPU-wide events and kernel profiling require the CAP_SYS_ADMIN capability.
OVAL test results details
kernel.perf_event_paranoid static configuration
oval:ssg-test_static_sysctl_kernel_perf_event_paranoid:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ 1
kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_perf_event_paranoid:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ 1
kernel.perf_event_paranoid static configuration in /run/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_perf_event_paranoid:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ 1
kernel.perf_event_paranoid static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_paranoid:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ 1
kernel runtime parameter kernel.perf_event_paranoid set to 2
oval:ssg-test_sysctl_runtime_kernel_perf_event_paranoid:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_kernel_perf_event_paranoid:obj:1 of type
sysctl_object Name kernel.perf_event_paranoid
Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-82501-8
Restrict usage of ptrace to descendant processes Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82501-8
References:
NT28(R25) , SRG-OS-000132-GPOS-00067
Description To set the runtime status of the kernel.yama.ptrace_scope
kernel parameter, run the following command:
$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
kernel.yama.ptrace_scope = 1 Rationale Without this restriction any process may ptrace any other
process running under the same user ID, so a compromised binary can attach to the user's other
processes and read their memory, stealing sensitive data (SSH sessions, web browser state, ...)
without any further assistance from the user, i.e. without resorting to phishing. With
ptrace_scope set to 1, a process may be traced only by one of its ancestors, by a process it has
explicitly allowed with prctl(PR_SET_PTRACER), or by a process holding CAP_SYS_PTRACE.
OVAL test results details
kernel.yama.ptrace_scope static configuration
oval:ssg-test_static_sysctl_kernel_yama_ptrace_scope:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ 1
kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_yama_ptrace_scope:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ 1
kernel.yama.ptrace_scope static configuration in /run/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_yama_ptrace_scope:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ 1
kernel.yama.ptrace_scope static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_yama_ptrace_scope:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter kernel.yama.ptrace_scope set to 1
oval:ssg-test_sysctl_runtime_kernel_yama_ptrace_scope:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_kernel_yama_ptrace_scope:obj:1 of type
sysctl_object Name kernel.yama.ptrace_scope
Harden the operation of the BPF just-in-time compilerxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden mediumCCE-82505-9
Harden the operation of the BPF just-in-time compiler Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_net_core_bpf_jit_harden:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82505-9
References:
FMT_SMF_EXT.1 , SRG-OS-000480-GPOS-00227
Description To set the runtime status of the net.core.bpf_jit_harden
kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
net.core.bpf_jit_harden = 2 Rationale When hardening is enabled, the extended Berkeley Packet Filter
just-in-time compiler blinds (randomizes) the constants embedded in BPF programs, so that
attacker-chosen immediates cannot be used as JIT-spray gadgets, and the JIT-compiled images are no
longer exported to /proc/kallsyms
. A value of 1 hardens only programs loaded by unprivileged users; 2 hardens all users' programs, at
some cost in JIT performance.
OVAL test results details
net.core.bpf_jit_harden static configuration
oval:ssg-test_static_sysctl_net_core_bpf_jit_harden:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ 1
net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_core_bpf_jit_harden:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ 1
net.core.bpf_jit_harden static configuration in /run/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_core_bpf_jit_harden:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ 1
net.core.bpf_jit_harden static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_core_bpf_jit_harden:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ 1
kernel runtime parameter net.core.bpf_jit_harden set to 2
oval:ssg-test_sysctl_runtime_net_core_bpf_jit_harden:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_net_core_bpf_jit_harden:obj:1 of type
sysctl_object Name net.core.bpf_jit_harden
Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict mediumCCE-82499-5
Restrict Access to Kernel Message Buffer Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict Result Multi-check rule no OVAL Definition ID oval:ssg-sysctl_kernel_dmesg_restrict:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82499-5
References:
NT28(R23) , 3.1.5 , CCI-001314 , 164.308(a)(1)(ii)(D) , 164.308(a)(3) , 164.308(a)(4) , 164.310(b) , 164.310(c) , 164.312(a) , 164.312(e) , SI-11(a) , SI-11(b) , SRG-OS-000132-GPOS-00067
Description To set the runtime status of the kernel.dmesg_restrict
kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
kernel.dmesg_restrict = 1 Rationale Unprivileged access to the kernel syslog can expose sensitive kernel
address information.
OVAL test results details
kernel.dmesg_restrict static configuration
oval:ssg-test_static_sysctl_kernel_dmesg_restrict:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object Filepath Pattern Instance /etc/sysctl.conf ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ 1
kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_dmesg_restrict:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ 1
kernel.dmesg_restrict static configuration in /run/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_dmesg_restrict:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ 1
kernel.dmesg_restrict static configuration in /usr/lib/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_dmesg_restrict:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object Path Filename Pattern Instance /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ 1
kernel runtime parameter kernel.dmesg_restrict set to 1
oval:ssg-test_sysctl_runtime_kernel_dmesg_restrict:tst:1
not applicable No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_kernel_dmesg_restrict:obj:1 of type
sysctl_object Name kernel.dmesg_restrict
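Of the sysctl rules above, fs.protected_symlinks, fs.protected_hardlinks and kernel.kptr_restrict passed their static check only through the vendor file /usr/lib/sysctl.d/50-default.conf, and every runtime test was reported as not applicable. A textfilecontent54 match proves that some file contains the line, not that the line survives precedence: an administrator file with the same basename in /etc/sysctl.d hides the vendor file entirely, and a later-sorted file can reassign the parameter. The shell script below is an added example, not part of the OpenSCAP report or the SCAP Security Guide: it resolves the effective static value following sysctl.d(5) (directory order, same-basename hiding, lexicographic application order) and the sysctl(8) convention that /etc/sysctl.conf is applied last, then exercises that on a constructed directory tree. The sample files are made up; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: which value does a sysctl parameter actually get from the
# static configuration?  Precedence per sysctl.d(5):
#   1. directories are searched in the order below; a file in an earlier
#      directory hides any file with the same basename in a later directory
#   2. the surviving files are applied in lexicographic order of basename,
#      and the last assignment of a parameter wins
#   3. /etc/sysctl.conf is applied last (procps `sysctl --system` order;
#      RHEL 8 gives systemd-sysctl the same effect through the
#      /etc/sysctl.d/99-sysctl.conf symlink)
# ROOT is an optional path prefix so the functions can run against a test
# tree instead of the live system.
SYSCTL_DIRS="etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d"

# sysctl_conf_files [ROOT]: print the files that would be applied, one per
# line, in application order
sysctl_conf_files() {
    root="${1:-}"
    seen=" "
    list=""
    for d in $SYSCTL_DIRS; do
        for f in "$root/$d"/*.conf; do
            [ -f "$f" ] || continue
            b=$(basename "$f")
            case "$seen" in *" $b "*) continue ;; esac   # hidden by an earlier directory
            seen="$seen$b "
            list="$list$b $f
"
        done
    done
    printf '%s' "$list" | sort -k1,1 | cut -d' ' -f2-
    [ -f "$root/etc/sysctl.conf" ] && printf '%s\n' "$root/etc/sysctl.conf"
    return 0
}

# effective_sysctl PARAM [ROOT]: print the value PARAM would be set to at
# boot, or nothing if no file sets it
effective_sysctl() {
    param="$1"
    root="${2:-}"
    result=""
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        v=$(awk -v p="$param" '
            /^[ \t]*[#;]/ { next }                     # comment line
            /^[ \t]*$/ { next }                        # blank line
            index($0, "=") == 0 { next }
            {
                key = $0
                sub(/[ \t]*=.*$/, "", key)
                sub(/^[ \t]*-?/, "", key)              # leading "-" means "ignore errors"
                gsub(/\//, ".", key)                   # kernel/x and kernel.x are the same key
                if (key == p) {
                    val = $0
                    sub(/^[^=]*=[ \t]*/, "", val)
                    sub(/[ \t]+$/, "", val)
                    found = 1                          # last assignment in the file wins
                }
            }
            END { if (found) print val }' "$f")
        [ -n "$v" ] && result="$v"                     # later file wins
    done <<EOF
$(sysctl_conf_files "$root")
EOF
    printf '%s\n' "$result"
}

# sysctl_static_ok PARAM EXPECTED [ROOT]: one-line verdict, exit 0 on pass
sysctl_static_ok() {
    got=$(effective_sysctl "$1" "${3:-}")
    if [ "$got" = "$2" ]; then
        printf 'pass %s = %s\n' "$1" "$got"
    else
        printf 'fail %s = %s (expected %s)\n' "$1" "${got:-<unset>}" "$2"
        return 1
    fi
}

# sysctl_runtime PARAM: the live value from /proc/sys, which is what the
# "not applicable" runtime tests above compare against on a real host
sysctl_runtime() {
    p=$(printf '%s' "$1" | tr . /)
    [ -r "/proc/sys/$p" ] && cat "/proc/sys/$p"
}

# demo_tree: constructed tree (sample data, not from the scanned host) showing
# both ways a passing per-file check can be undone; prints its path
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/sysctl.d" "$t/run/sysctl.d" "$t/usr/lib/sysctl.d"
    # vendor defaults, as in the /usr/lib/sysctl.d/50-default.conf hits above
    printf '%s\n' 'fs.protected_symlinks = 1' 'fs.protected_hardlinks = 1' \
        'kernel.kptr_restrict = 1' > "$t/usr/lib/sysctl.d/50-default.conf"
    # an admin file with the same basename hides the vendor file completely:
    # kptr_restrict is overridden and protected_symlinks is no longer set at all
    printf '%s\n' '# local copy' 'kernel.kptr_restrict = 0' > "$t/etc/sysctl.d/50-default.conf"
    # between different basenames the lexicographically later file wins
    printf 'kernel.yama.ptrace_scope = 1\n' > "$t/run/sysctl.d/10-ptrace.conf"
    printf 'kernel.yama.ptrace_scope = 0\n' > "$t/etc/sysctl.d/90-debug.conf"
    printf 'kernel.dmesg_restrict = 1\n' > "$t/etc/sysctl.conf"
    printf '%s\n' "$t"
}

# Stand-alone run against the constructed tree
tree=$(demo_tree)
for p in fs.protected_symlinks=1 fs.protected_hardlinks=1 kernel.kptr_restrict=1 \
         kernel.yama.ptrace_scope=1 kernel.dmesg_restrict=1; do
    sysctl_static_ok "${p%%=*}" "${p#*=}" "$tree" || :
done
rm -rf "$tree"
```

On the constructed tree only kernel.dmesg_restrict passes: the vendor 50-default.conf, the very file the report credits, is hidden by the local copy, so fs.protected_symlinks and fs.protected_hardlinks end up unset and kernel.kptr_restrict ends up 0. On a live host, call the functions without ROOT and compare effective_sysctl with sysctl_runtime; a difference means the static configuration has not been applied since it was written (sysctl --system, or a reboot, applies it).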
Disable vsyscalls (xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument, severity info, CCE-82674-3)
Rule ID xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Result
Multi-check rule no
OVAL Definition ID oval:ssg-grub2_vsyscall_argument:def:1
Time 2020-05-28T09:50:19+00:00
Severity info
Identifiers and References
Identifiers: CCE-82674-3
References: CM-7(a), SRG-OS-000480-GPOS-00227
Description
To disable the use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="vsyscall=none"
Rationale
Virtual syscalls provide an attack opportunity for a user who controls the return instruction pointer.
Warnings
warning: The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows:
OVAL test results details
check for kernel command line parameters vsyscall=none in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_grub2_vsyscall_argument_grub_env:obj:1 of type textfilecontent54_object (Filepath: /boot/grub2/grubenv; Pattern: ^kernelopts=(.*)$; Instance: 1)
Disable storing core dumps (xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern, severity unknown, CCE-82527-3)
Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern
Result
Multi-check rule no
OVAL Definition ID oval:ssg-sysctl_kernel_core_pattern:def:1
Time 2020-05-28T09:50:19+00:00
Severity unknown
Identifiers and References
Identifiers: CCE-82527-3
References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227
Description
To set the runtime status of the kernel.core_pattern kernel parameter, run the following command (the value must be quoted, otherwise the shell interprets the | as a pipe and sets an empty pattern):
$ sudo sysctl -w kernel.core_pattern='|/bin/false'
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
OVAL test results details
kernel.core_pattern static configuration
oval:ssg-test_static_sysctl_kernel_core_pattern:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_kernel_core_pattern:obj:1 of type textfilecontent54_object (Filepath: /etc/sysctl.conf; Pattern: ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$; Instance: 1)
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_core_pattern:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_kernel_core_pattern:obj:1 of type textfilecontent54_object (Path: /etc/sysctl.d; Filename: ^.*\.conf$; Pattern: ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$; Instance: 1)
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_core_pattern:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_kernel_core_pattern:obj:1 of type textfilecontent54_object (Path: /run/sysctl.d; Filename: ^.*\.conf$; Pattern: ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$; Instance: 1)
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_core_pattern:tst:1
true: Following items have been found on the system: Path /usr/lib/sysctl.d/50-coredump.conf; Content kernel.core_pattern=
kernel runtime parameter kernel.core_pattern set to |/bin/false
oval:ssg-test_sysctl_runtime_kernel_core_pattern:tst:1
not applicable: No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_kernel_core_pattern:obj:1 of type sysctl_object
Disable Access to Network bpf() Syscall From Unprivileged Processes (xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled, severity medium, CCE-82504-2)
Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled
Result
Multi-check rule no
OVAL Definition ID oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1
Time 2020-05-28T09:50:19+00:00
Severity medium
Identifiers and References
Identifiers: CCE-82504-2
References: FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067
Description
To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
Rationale
Loading and accessing packet filter programs and maps through the bpf() syscall can reveal sensitive information about the kernel state.
OVAL test results details
kernel.unprivileged_bpf_disabled static configuration
oval:ssg-test_static_sysctl_kernel_unprivileged_bpf_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object (Filepath: /etc/sysctl.conf; Pattern: ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$; Instance: 1)
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_unprivileged_bpf_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_etc_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object (Path: /etc/sysctl.d; Filename: ^.*\.conf$; Pattern: ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$; Instance: 1)
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_unprivileged_bpf_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_run_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object (Path: /run/sysctl.d; Filename: ^.*\.conf$; Pattern: ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$; Instance: 1)
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-object_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object (Path: /usr/lib/sysctl.d; Filename: ^.*\.conf$; Pattern: ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$; Instance: 1)
kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1
oval:ssg-test_sysctl_runtime_kernel_unprivileged_bpf_disabled:tst:1
not applicable: No items have been found conforming to the following objects: Object oval:ssg-object_sysctl_runtime_kernel_unprivileged_bpf_disabled:obj:1 of type sysctl_object (Name: kernel.unprivileged_bpf_disabled)
Enable the NTP Daemon (xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled, severity medium, CCE-82682-6)
Rule ID xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
Result
Multi-check rule no
OVAL Definition ID oval:ssg-service_chronyd_or_ntpd_enabled:def:1
Time 2020-05-28T09:50:19+00:00
Severity medium
Identifiers and References
Identifiers: CCE-82682-6
References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 3.3.7, CCI-000160, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4, SRG-OS-000356-VMM-001340
Description
Run the following command to determine the current status of the chronyd service:
$ systemctl is-active chronyd
If the service is running, it should return the following:
active
Note: The chronyd daemon is enabled by default.
Run the following command to determine the current status of the ntpd service:
$ systemctl is-active ntpd
If the service is running, it should return the following:
active
Note: The ntpd daemon is not enabled by default. As mentioned in the previous sections, in certain environments the ntpd daemon might be preferred over chronyd. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for guidance on which NTP daemon to choose for the environment in use.
Rationale
Enabling either the chronyd or the ntpd service ensures that an NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate
OVAL test results details
package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true: Following items have been found on the system: Name chrony; Arch x86_64; Epoch (none); Release 1.el8; Version 3.5; Evr 0:3.5-1.el8; Signature keyid 199e2f91fd431d51; Extended name chrony-0:3.5-1.el8.x86_64
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true: Following items have been found on the system: Unit chronyd.service; Property ActiveState; Value active
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true: Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false: Following items have been found on the system: Unit multi-user.target, with the same dependency list as shown under oval:ssg-test_multi_user_wants_chronyd:tst:1 above.
package ntp is installed
oval:ssg-test_service_ntpd_package_ntp_installed:tst:1
false: No items have been found conforming to the following objects: Object oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1 of type rpminfo_object
Test that the ntpd service is running
oval:ssg-test_service_running_ntpd:tst:1
false: Following items have been found on the system: Unit ntpd.service; Property ActiveState; Value inactive
systemd test
oval:ssg-test_multi_user_wants_ntpd:tst:1
false: Following items have been found on the system: Unit multi-user.target, with the same dependency list as shown under oval:ssg-test_multi_user_wants_chronyd:tst:1 above.
systemd test
oval:ssg-test_multi_user_wants_ntpd_socket:tst:1
false: Following items have been found on the system: Unit multi-user.target, with the same dependency list as shown under oval:ssg-test_multi_user_wants_chronyd:tst:1 above.
Specify Additional Remote NTP Servers (xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers, severity medium, CCE-82685-9)
Rule ID xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers
Result
Multi-check rule no
OVAL Definition ID oval:ssg-chronyd_or_ntpd_specify_multiple_servers:def:1
Time 2020-05-28T09:50:19+00:00
Severity medium
Identifiers and References
Identifiers: CCE-82685-9
References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(a), AU-8(2), PR.PT-1, Req-10.4.3
Description
Depending on the specific functional requirements of a concrete production environment, the Red Hat OpenShift Container Platform 4 system can be configured to use either the chronyd NTP daemon (the default) or the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html for a more detailed comparison of the features of the two and for further guidance on choosing between them.
Additional NTP servers can be specified for time synchronization. To do so, perform the following: if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf; if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf. In either file, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:
server ntpserver
Rationale
Specifying additional NTP servers increases the availability of accurate time data in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.
OVAL test results details
package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true: Following items have been found on the system: Name chrony; Arch x86_64; Epoch (none); Release 1.el8; Version 3.5; Evr 0:3.5-1.el8; Signature keyid 199e2f91fd431d51; Extended name chrony-0:3.5-1.el8.x86_64
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true: Following items have been found on the system: Unit chronyd.service; Property ActiveState; Value active
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true: Following items have been found on the system: Unit multi-user.target, with the same dependency list as shown under oval:ssg-test_multi_user_wants_chronyd:tst:1 above.
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false: Following items have been found on the system: Unit multi-user.target, with the same dependency list as shown under oval:ssg-test_multi_user_wants_chronyd:tst:1 above.
Ensure more than one chronyd NTP server is set
oval:ssg-test_chronyd_multiple_servers:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-object_chronyd_multiple_servers:obj:1 of type
textfilecontent54_object: Filepath /etc/chrony.conf; Pattern ^([\s]*server[\s]+.+$){2,}$; Instance 1
package ntp is installed
oval:ssg-test_service_ntpd_package_ntp_installed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1 of type
rpminfo_object
Test that the ntpd service is running
oval:ssg-test_service_running_ntpd:tst:1
false Following items have been found on the system: Unit Property Value ntpd.service ActiveState inactive
systemd test
oval:ssg-test_multi_user_wants_ntpd:tst:1
false Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
systemd test
oval:ssg-test_multi_user_wants_ntpd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
Ensure more than one ntpd NTP server is set
oval:ssg-test_ntpd_multiple_servers:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_ntpd_multiple_servers:obj:1 of type
textfilecontent54_object: Filepath /etc/ntp.conf; Pattern ^([\s]*server[\s]+.+$){2,}$; Instance 1
Disable network management of chrony daemon xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network unknown CCE-82466-4
Disable network management of chrony daemon Rule ID xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network Result Multi-check rule no OVAL Definition ID oval:ssg-chronyd_no_chronyc_network:def:1 Time 2020-05-28T09:50:19+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82466-4
References:
FMT_SMF_EXT.1 , SRG-OS-000096-GPOS-00050
Description The cmdport option in /etc/chrony.conf can be set to 0 to stop the chrony daemon from listening on UDP port 323 for management connections made by chronyc. By default chronyd binds this command port only to the loopback addresses, but the rule requires that the UDP listener not exist at all, and the check below fails because no cmdport directive is present in the file; an explicit cmdport 0 line is needed to pass. Local use of chronyc keeps working, because it connects over chronyd's Unix domain socket when run with sufficient privilege.
Rationale Not exposing the management interface of the chrony daemon on the network reduces the attack surface.
OVAL test results details
package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true Following items have been found on the system: Name chrony; Arch x86_64; Epoch (none); Release 1.el8; Version 3.5; Evr 0:3.5-1.el8; Signature keyid 199e2f91fd431d51; Extended name chrony-0:3.5-1.el8.x86_64
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true Following items have been found on the system: Unit Property Value chronyd.service ActiveState active
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
check if cmdport is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_no_chronyc_network:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_chronyd_cmdport_value:obj:1 of type
textfilecontent54_object: Filepath /etc/chrony.conf; Pattern ^\s*cmdport[\s]+(\S+); Instance 1
Disable chrony daemon from acting as server xccdf_org.ssgproject.content_rule_chronyd_client_only unknown CCE-82465-6
Disable chrony daemon from acting as server Rule ID xccdf_org.ssgproject.content_rule_chronyd_client_only Result Multi-check rule no OVAL Definition ID oval:ssg-chronyd_client_only:def:1 Time 2020-05-28T09:50:19+00:00 Severity unknown Identifiers and References Identifiers:
CCE-82465-6
References:
FMT_SMF_EXT.1 , SRG-OS-000096-GPOS-00050
Description The port option in /etc/chrony.conf can be set to 0 so that the chrony daemon never opens a listening port for NTP server operation (UDP 123 by default) and operates strictly in client-only mode. Client requests to upstream servers are unaffected, since they are sent from a separate, ephemeral source port. As with cmdport, the check below fails because no port directive is present in the file; an explicit port 0 line is needed to pass, and it must not be used on a host that is meant to serve time to other systems.
Rationale Minimizing the exposure of the server functionality of the chrony daemon reduces the attack surface.
OVAL test results details
package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true Following items have been found on the system: Name chrony; Arch x86_64; Epoch (none); Release 1.el8; Version 3.5; Evr 0:3.5-1.el8; Signature keyid 199e2f91fd431d51; Extended name chrony-0:3.5-1.el8.x86_64
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true Following items have been found on the system: Unit Property Value chronyd.service ActiveState active
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
check if port is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_client_only:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_chronyd_port_value:obj:1 of type
textfilecontent54_object: Filepath /etc/chrony.conf; Pattern ^\s*port[\s]+(\S+); Instance 1
Specify a Remote NTP Server xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server medium CCE-82683-4
Specify a Remote NTP Server Rule ID xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server Result Multi-check rule no OVAL Definition ID oval:ssg-chronyd_or_ntpd_specify_remote_server:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82683-4
References:
1 , 14 , 15 , 16 , 3 , 5 , 6 , APO11.04 , BAI03.05 , DSS05.04 , DSS05.07 , MEA02.01 , 3.3.7 , CCI-000160 , CCI-001891 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , CM-6(a) , AU-8(1)(a) , AU-8(2) , PR.PT-1 , Req-10.4.1 , Req-10.4.3 , SRG-OS-000355-VMM-001330
Description Depending on the functional requirements of a given production environment, the Red Hat OpenShift Container Platform 4 system can be configured to use either the chronyd NTP daemon (the default) or the ntpd NTP daemon. Refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for a more detailed comparison of the features of both choices and for guidance on how to choose between the two NTP daemons.
To specify a remote NTP server for time synchronization: if the system is configured to use chronyd as the NTP daemon (the default), edit /etc/chrony.conf; if it is configured to use ntpd, edit /etc/ntp.conf. In either file, add or correct the following line, substituting the IP address or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time data. A pool directive also satisfies this rule, which is why the scanned system passes on the single line pool 2.rhel.pool.ntp.org iburst found below; the separate "Ensure more than one chronyd NTP server is set" test, however, counts only server lines, so that same pool line does not satisfy it.
Rationale Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or to correlate computer events with real-time events.
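The three chrony rules in this report (cmdport 0, port 0, at least one remote server) and the "more than one chronyd NTP server" test all read /etc/chrony.conf. The following Python is an added example, not part of this report or of the SCAP Security Guide: it parses a chrony.conf, evaluates each condition, and shows why the scanned node's pool-based default passes the remote-server rule but fails the multiple-server test. Both configurations are constructed samples (the first reconstructs what the report found, the second's hostnames are hypothetical placeholders), and applying the report's regular expression with re.MULTILINE is an assumption about how the scanner evaluates it.

```python
"""Evaluate a chrony.conf against the chrony rules in this report (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: what the scanned node's /etc/chrony.conf evidently holds
# (the report found "pool 2.rhel.pool.ntp.org iburst" and no port/cmdport line);
# the remaining directives are the RHEL 8 package defaults.
WEAK_CONF = """\
# Use public servers from the pool.ntp.org project.
pool 2.rhel.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
leapsectz right/UTC
logdir /var/log/chrony
"""

# Constructed sample: the same file after remediation. Hostnames are hypothetical.
HARDENED_CONF = """\
# Three explicit sources; the multiple-server test counts 'server' lines only.
server ntp1.example.internal iburst
server ntp2.example.internal iburst
server ntp3.example.internal iburst
# chronyd_client_only: never open UDP 123 for serving time.
port 0
# chronyd_no_chronyc_network: never open UDP 323; chronyc uses the Unix socket.
cmdport 0
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
"""

COMMENT_PREFIXES = ("#", "!", ";", "%")  # chrony.conf comment line markers


@dataclass
class ChronyConf:
    servers: List[str] = field(default_factory=list)  # hosts from 'server' lines
    pools: List[str] = field(default_factory=list)    # names from 'pool' lines
    port: Optional[int] = None     # None: directive absent, chronyd default 123 applies
    cmdport: Optional[int] = None  # None: directive absent, chronyd default 323 applies


def parse_chrony_conf(text: str) -> ChronyConf:
    """Minimal line parser for the directives these rules care about."""
    conf = ChronyConf()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "server" and args:
            conf.servers.append(args[0])
        elif directive == "pool" and args:
            conf.pools.append(args[0])
        elif directive == "port" and args and args[0].isdigit():
            conf.port = int(args[0])      # a later directive overrides an earlier one
        elif directive == "cmdport" and args and args[0].isdigit():
            conf.cmdport = int(args[0])
    return conf


def check_remote_server(conf: ChronyConf) -> bool:
    """chronyd_or_ntpd_specify_remote_server: at least one server or pool source."""
    return bool(conf.servers or conf.pools)


def check_multiple_servers_strict(conf: ChronyConf) -> bool:
    """What the report's 'more than one chronyd NTP server' test counts: server lines only."""
    return len(conf.servers) >= 2


def check_multiple_sources(conf: ChronyConf) -> bool:
    """The operational intent: two server lines, or a pool, which chronyd expands
    into several sources (four by default)."""
    return len(conf.servers) >= 2 or bool(conf.pools)


def check_client_only(conf: ChronyConf) -> bool:
    """chronyd_client_only: an explicit 'port 0' is required; absence means 123."""
    return conf.port == 0


def check_no_chronyc_network(conf: ChronyConf) -> bool:
    """chronyd_no_chronyc_network: an explicit 'cmdport 0' is required; absence means 323."""
    return conf.cmdport == 0


# The report's pattern for the multiple-server test, applied with multiline anchors
# (an assumption about the scanner). Because '.+$' must run to a line end and the
# next repetition must start with 'server', it matches only consecutive 'server'
# lines and never a 'pool' line.
SSG_MULTI_SERVER_RE = re.compile(r"^([\s]*server[\s]+.+$){2,}$", re.MULTILINE)


def ssg_multiple_servers_regex(text: str) -> bool:
    return SSG_MULTI_SERVER_RE.search(text) is not None


def evaluate(text: str) -> Dict[str, bool]:
    """Return the verdict for each rule on one chrony.conf body."""
    conf = parse_chrony_conf(text)
    return {
        "remote_server": check_remote_server(conf),
        "multiple_servers_strict": check_multiple_servers_strict(conf),
        "multiple_sources": check_multiple_sources(conf),
        "client_only": check_client_only(conf),
        "no_chronyc_network": check_no_chronyc_network(conf),
    }


if __name__ == "__main__":
    for name, body in (("scanned node", WEAK_CONF), ("remediated", HARDENED_CONF)):
        print(name, evaluate(body), "ssg_regex:", ssg_multiple_servers_regex(body))
```

Run against a live node with python3 thischeck.py after replacing the constructed bodies with open("/etc/chrony.conf").read(). The strict and intent checks diverge on purpose: a pool line gives chronyd several sources, but a scanner that counts only server lines will keep flagging it, so remediation that must satisfy the report should use explicit server lines.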
OVAL test results details
package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true Following items have been found on the system: Name chrony; Arch x86_64; Epoch (none); Release 1.el8; Version 3.5; Evr 0:3.5-1.el8; Signature keyid 199e2f91fd431d51; Extended name chrony-0:3.5-1.el8.x86_64
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true Following items have been found on the system: Unit Property Value chronyd.service ActiveState active
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target; Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
Ensure at least one NTP server is set
oval:ssg-test_chronyd_remote_server:tst:1
true Following items have been found on the system: Path /etc/chrony.conf, Content "pool 2.rhel.pool.ntp.org iburst"
package ntp is installed
oval:ssg-test_service_ntpd_package_ntp_installed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1 of type rpminfo_object
Test that the ntpd service is running
oval:ssg-test_service_running_ntpd:tst:1
false Following items have been found on the system: Unit ntpd.service, Property ActiveState, Value inactive
systemd test
oval:ssg-test_multi_user_wants_ntpd:tst:1
false Following items have been found on the system: Unit multi-user.target (dependency list identical to the earlier multi-user.target listing)
systemd test
oval:ssg-test_multi_user_wants_ntpd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target (dependency list identical to the earlier multi-user.target listing)
Ensure at least one ntpd NTP server is set
oval:ssg-test_ntp_remote_server:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_ntp_remote_server:obj:1 of type textfilecontent54_object (Filepath /etc/ntp.conf, Pattern ^[\s]*server[\s]+.+$, Instance 1)
Configure Time Service Maxpoll Interval - xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll - medium - CCE-82684-2
Configure Time Service Maxpoll Interval Rule ID xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll Result Multi-check rule no OVAL Definition ID oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82684-2
References:
1 , 14 , 15 , 16 , 3 , 5 , 6 , APO11.04 , BAI03.05 , DSS05.04 , DSS05.07 , MEA02.01 , CCI-001891 , CCI-002046 , 4.3.3.3.9 , 4.3.3.5.8 , 4.3.4.4.7 , 4.4.2.1 , 4.4.2.2 , 4.4.2.4 , SR 2.10 , SR 2.11 , SR 2.12 , SR 2.8 , SR 2.9 , A.12.4.1 , A.12.4.2 , A.12.4.3 , A.12.4.4 , A.12.7.1 , CM-6(a) , AU-8(1)(b) , PR.PT-1 , SRG-OS-000355-GPOS-00143 , SRG-OS-000356-GPOS-00144
Description The maxpoll option should be configured to 10 in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf, add the following:
maxpoll 10
Rationale Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
OVAL test results details
package ntp is installed
oval:ssg-test_service_ntpd_package_ntp_installed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1 of type rpminfo_object
Test that the ntpd service is running
oval:ssg-test_service_running_ntpd:tst:1
false Following items have been found on the system: Unit ntpd.service, Property ActiveState, Value inactive
systemd test
oval:ssg-test_multi_user_wants_ntpd:tst:1
false Following items have been found on the system: Unit multi-user.target (dependency list identical to the earlier multi-user.target listing)
systemd test
oval:ssg-test_multi_user_wants_ntpd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target (dependency list identical to the earlier multi-user.target listing)
check if maxpoll is set in /etc/ntp.conf
oval:ssg-test_ntp_set_maxpoll:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type textfilecontent54_object (Filepath /etc/ntp.conf, Pattern ^server[\s]+[\S]+.*maxpoll[\s]+(\d+), Instance 1)
check if all server entries have maxpoll set in /etc/ntp.conf
oval:ssg-test_ntp_all_server_has_maxpoll:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type textfilecontent54_object (Filepath /etc/ntp.conf, Pattern ^server[\s]+[\S]+[\s]+(.*), Instance 1)
package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true Following items have been found on the system: Name chrony, Arch x86_64, Epoch (none), Release 1.el8, Version 3.5, Evr 0:3.5-1.el8, Signature keyid 199e2f91fd431d51, Extended name chrony-0:3.5-1.el8.x86_64
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true Following items have been found on the system: Unit chronyd.service, Property ActiveState, Value active
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true Following items have been found on the system: Unit multi-user.target (dependency list identical to the earlier multi-user.target listing)
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target (dependency list identical to the earlier multi-user.target listing)
check if maxpoll is set in /etc/chrony.conf
oval:ssg-test_chrony_set_maxpoll:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_chrony_set_maxpoll:obj:1 of type textfilecontent54_object (Filepath /etc/chrony.conf, Pattern ^server[\s]+[\S]+.*maxpoll[\s]+(\d+), Instance 1)
check if all server entries have maxpoll set in /etc/chrony.conf
oval:ssg-test_chrony_all_server_has_maxpoll:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_chrony_all_server_has_maxpoll:obj:1 of type textfilecontent54_object (Filepath /etc/chrony.conf, Pattern ^server[\s]+[\S]+[\s]+(.*), Instance 1)
Enable the Hardware RNG Entropy Gatherer Service - xccdf_org.ssgproject.content_rule_service_rngd_enabled - medium - CCE-82535-6
Enable the Hardware RNG Entropy Gatherer Service Rule ID xccdf_org.ssgproject.content_rule_service_rngd_enabled Result Multi-check rule no OVAL Definition ID oval:ssg-service_rngd_enabled:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82535-6
References:
FCS_RBG_EXT.1 , SRG-OS-000480-GPOS-00227
Description The Hardware RNG Entropy Gatherer service should be enabled. The rngd service can be enabled with the following command:
$ sudo systemctl enable rngd.service
Rationale The rngd service feeds random data from a hardware device to the kernel random device.
OVAL test results details
package rng-tools is installed
oval:ssg-test_service_rngd_package_rng-tools_installed:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_test_service_rngd_package_rng-tools_installed:obj:1 of type rpminfo_object
Test that the rngd service is running
oval:ssg-test_service_running_rngd:tst:1
false No items have been found conforming to the following objects: Object oval:ssg-obj_service_running_rngd:obj:1 of type systemdunitproperty_object (Unit ^rngd\.(socket|service)$, Property ActiveState)
systemd test
oval:ssg-test_multi_user_wants_rngd:tst:1
false Following items have been found on the system: Unit multi-user.target (dependency list identical to the earlier multi-user.target listing)
systemd test
oval:ssg-test_multi_user_wants_rngd_socket:tst:1
false Following items have been found on the system: Unit multi-user.target (dependency list identical to the earlier multi-user.target listing)
Configure SSSD to run as user sssd - xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user - medium - CCE-82536-4
Configure SSSD to run as user sssd Rule ID xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user Result Multi-check rule no OVAL Definition ID oval:ssg-sssd_run_as_sssd_user:def:1 Time 2020-05-28T09:50:19+00:00 Severity medium Identifiers and References Identifiers:
CCE-82536-4
References:
FMT_SMF_EXT.1 , SRG-OS-000480-GPOS-00227
Description SSSD processes should be configured to run as user sssd, not root.
Rationale To minimize the privileges of SSSD processes, they are configured to run as a non-root user.
OVAL test results details
tests the value of user setting in SSSD config files
oval:ssg-test_sssd_run_as_sssd_user:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_sssd_user_value:obj:1 of type textfilecontent54_object; Filepath: ^/etc/sssd/(sssd|conf\.d/.*)\.conf$; Pattern: ^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*user[ \t]*=[ \t]*(\S*); Instance: 1
Set SSH Client Alive Max Count
Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-sshd_set_keepalive:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82464-9
References:
1 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , 7 , 8 , 5.5.6 , APO13.01 , BAI03.01 , BAI03.02 , BAI03.03 , DSS01.03 , DSS03.05 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.03 , DSS06.10 , 3.1.11 , CCI-000879 , CCI-001133 , CCI-002361 , 164.308(a)(4)(i) , 164.308(b)(1) , 164.308(b)(3) , 164.310(b) , 164.312(e)(1) , 164.312(e)(2)(ii) , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 6.2 , A.12.4.1 , A.12.4.3 , A.14.1.1 , A.14.2.1 , A.14.2.5 , A.18.1.4 , A.6.1.2 , A.6.1.5 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , AC-2(5) , AC-12 , AC-17(a) , SC-10 , CM-6(a) , DE.CM-1 , DE.CM-3 , PR.AC-1 , PR.AC-4 , PR.AC-6 , PR.AC-7 , PR.IP-2 , SRG-OS-000163-GPOS-00072 , SRG-OS-000279-GPOS-00109 , SRG-OS-000480-VMM-002000
Description: To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
Rationale: This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false. Following items have been found on the system: Name: openssh-server; Arch: x86_64; Epoch: (none); Release: 4.el8_1; Version: 8.0p1; Evr: 0:8.0p1-4.el8_1; Signature keyid: 199e2f91fd431d51; Extended name: openssh-server-0:8.0p1-4.el8_1.x86_64
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true. Following items have been found on the system: Name: openssh-server; Arch: x86_64; Epoch: (none); Release: 4.el8_1; Version: 8.0p1; Evr: 0:8.0p1-4.el8_1; Signature keyid: 199e2f91fd431d51; Extended name: openssh-server-0:8.0p1-4.el8_1.x86_64
Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_clientalivecountmax:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_sshd_clientalivecountmax:obj:1 of type textfilecontent54_object; Filepath: /etc/ssh/sshd_config; Pattern: ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$; Instance: 1
Disable SSH Support for .rhosts Files
Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-sshd_disable_rhosts:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82665-1
References:
11 , 12 , 14 , 15 , 16 , 18 , 3 , 5 , 9 , 5.5.6 , BAI10.01 , BAI10.02 , BAI10.03 , BAI10.05 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , DSS06.06 , 3.1.12 , CCI-000366 , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.2 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , SR 7.6 , A.12.1.2 , A.12.5.1 , A.12.6.2 , A.14.2.2 , A.14.2.3 , A.14.2.4 , A.6.1.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-17(a) , CM-7(a) , CM-7(b) , CM-6(a) , PR.AC-4 , PR.AC-6 , PR.IP-1 , PR.PT-3 , FIA_AFL.1 , SRG-OS-000480-GPOS-00227 , SRG-OS-000107-VMM-000530
Description: SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files. To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
Rationale: SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false. Following items have been found on the system: Name: openssh-server; Arch: x86_64; Epoch: (none); Release: 4.el8_1; Version: 8.0p1; Evr: 0:8.0p1-4.el8_1; Signature keyid: 199e2f91fd431d51; Extended name: openssh-server-0:8.0p1-4.el8_1.x86_64
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true. Following items have been found on the system: Name: openssh-server; Arch: x86_64; Epoch: (none); Release: 4.el8_1; Version: 8.0p1; Evr: 0:8.0p1-4.el8_1; Signature keyid: 199e2f91fd431d51; Extended name: openssh-server-0:8.0p1-4.el8_1.x86_64
tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_rhosts:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_sshd_disable_rhosts:obj:1 of type textfilecontent54_object; Filepath: /etc/ssh/sshd_config; Pattern: ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#); Instance: 1
tests the absence of IgnoreRhosts setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_rhosts_default_not_overriden:tst:1
true. No items have been found conforming to the following objects: Object oval:ssg-obj_sshd_disable_rhosts_default_not_overriden:obj:1 of type textfilecontent54_object; Filepath: /etc/ssh/sshd_config; Pattern: ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+; Instance: 1
Set SSH Idle Timeout Interval
Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-sshd_set_idle_timeout:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82549-7
References:
NT28(R29) , 1 , 12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , 7 , 8 , 5.5.6 , APO13.01 , BAI03.01 , BAI03.02 , BAI03.03 , DSS01.03 , DSS03.05 , DSS05.04 , DSS05.05 , DSS05.07 , DSS05.10 , DSS06.03 , DSS06.10 , 3.1.11 , CCI-000879 , CCI-001133 , CCI-002361 , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , 4.3.4.3.3 , SR 1.1 , SR 1.10 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 6.2 , A.12.4.1 , A.12.4.3 , A.14.1.1 , A.14.2.1 , A.14.2.5 , A.18.1.4 , A.6.1.2 , A.6.1.5 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.2 , A.9.2.3 , A.9.2.4 , A.9.2.6 , A.9.3.1 , A.9.4.1 , A.9.4.2 , A.9.4.3 , A.9.4.4 , A.9.4.5 , CM-6(a) , AC-17(a) , AC-2(5) , AC-12 , AC-17(a) , SC-10 , CM-6(a) , DE.CM-1 , DE.CM-3 , PR.AC-1 , PR.AC-4 , PR.AC-6 , PR.AC-7 , PR.IP-2 , Req-8.1.8 , SRG-OS-000126-GPOS-00066 , SRG-OS-000163-GPOS-00072 , SRG-OS-000279-GPOS-00109 , SRG-OS-000395-GPOS-00175 , SRG-OS-000480-VMM-002000
Description: SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 300
The timeout interval is given in seconds. For example, to have a timeout of 10 minutes, set the interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Rationale: Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false. Following items have been found on the system: Name: openssh-server; Arch: x86_64; Epoch: (none); Release: 4.el8_1; Version: 8.0p1; Evr: 0:8.0p1-4.el8_1; Signature keyid: 199e2f91fd431d51; Extended name: openssh-server-0:8.0p1-4.el8_1.x86_64
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true. Following items have been found on the system: Var ref: oval:ssg-sshd_required:var:1; Value: 0
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true. Following items have been found on the system: Name: openssh-server; Arch: x86_64; Epoch: (none); Release: 4.el8_1; Version: 8.0p1; Evr: 0:8.0p1-4.el8_1; Signature keyid: 199e2f91fd431d51; Extended name: openssh-server-0:8.0p1-4.el8_1.x86_64
timeout is configured
oval:ssg-test_sshd_idle_timeout:tst:1
true. Following items have been found on the system: Path: /etc/ssh/sshd_config; Content:
ClientAliveInterval 180
#ClientAliveCountMax 3
Limit Users' SSH Access
Rule ID: xccdf_org.ssgproject.content_rule_sshd_limit_user_access
Result: (blank)
Multi-check rule: no
Time: 2020-05-28T09:50:19+00:00
Severity: unknown
Identifiers and References
Identifiers:
CCE-82664-4
References:
11 , 12 , 14 , 15 , 16 , 18 , 3 , 5 , DSS05.02 , DSS05.04 , DSS05.05 , DSS05.07 , DSS06.03 , DSS06.06 , 3.1.12 , 4.3.3.2.2 , 4.3.3.5.1 , 4.3.3.5.2 , 4.3.3.5.3 , 4.3.3.5.4 , 4.3.3.5.5 , 4.3.3.5.6 , 4.3.3.5.7 , 4.3.3.5.8 , 4.3.3.6.1 , 4.3.3.6.2 , 4.3.3.6.3 , 4.3.3.6.4 , 4.3.3.6.5 , 4.3.3.6.6 , 4.3.3.6.7 , 4.3.3.6.8 , 4.3.3.6.9 , 4.3.3.7.1 , 4.3.3.7.2 , 4.3.3.7.3 , 4.3.3.7.4 , SR 1.1 , SR 1.10 , SR 1.11 , SR 1.12 , SR 1.13 , SR 1.2 , SR 1.3 , SR 1.4 , SR 1.5 , SR 1.6 , SR 1.7 , SR 1.8 , SR 1.9 , SR 2.1 , SR 2.2 , SR 2.3 , SR 2.4 , SR 2.5 , SR 2.6 , SR 2.7 , A.6.1.2 , A.7.1.1 , A.9.1.2 , A.9.2.1 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-3 , CM-6(a) , PR.AC-4 , PR.AC-6 , PR.PT-3
Description: By default, the SSH configuration allows any user with an account to access the system. In order to specify the users that are allowed to log in via SSH and deny all other users, add or correct the following line in the /etc/ssh/sshd_config file:
DenyUsers USER1 USER2
Where USER1 and USER2 are valid user names.
Rationale: Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.
Evaluation messages
info: No candidate or applicable check found.
Verify Permissions on SSH Server config file
Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-file_permissions_sshd_config:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
References:
12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , APO01.06 , DSS05.04 , DSS05.07 , DSS06.02 , 4.3.3.7.3 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-17(a) , CM-6(a) , AC-6(1) , PR.AC-4 , PR.DS-5 , SRG-OS-000480-GPOS-00227
Description: To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details
Testing mode of /etc/ssh/sshd_config
oval:ssg-test_file_permissions_sshd_config:tst:1
true. Following items have been found on the system: Path: /etc/ssh/sshd_config; Type: regular; UID: 0; GID: 0; Size (B): 4424; Permissions: rw-------
Verify Owner on SSH Server config file
Rule ID: xccdf_org.ssgproject.content_rule_file_owner_sshd_config
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-file_owner_sshd_config:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
References:
12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , APO01.06 , DSS05.04 , DSS05.07 , DSS06.02 , 4.3.3.7.3 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-17(a) , CM-6(a) , AC-6(1) , PR.AC-4 , PR.DS-5 , SRG-OS-000480-GPOS-00227
Description: To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details
Testing user ownership of /etc/ssh/sshd_config
oval:ssg-test_file_owner_sshd_config:tst:1
true. Following items have been found on the system: Path: /etc/ssh/sshd_config; Type: regular; UID: 0; GID: 0; Size (B): 4424; Permissions: rw-------
Verify Permissions on SSH Server Private *_key Key Files
Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-file_permissions_sshd_private_key:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
References:
12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , APO01.06 , DSS05.04 , DSS05.07 , DSS06.02 , 3.1.13 , 3.13.10 , CCI-000366 , 4.3.3.7.3 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-17(a) , CM-6(a) , AC-6(1) , PR.AC-4 , PR.DS-5 , SRG-OS-000480-GPOS-00227
Description: To properly set the permissions of /etc/ssh/*_key, run the command:
$ sudo chmod 0640 /etc/ssh/*_key
Rationale: If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
OVAL test results details
Testing mode of /etc/ssh/
oval:ssg-test_file_permissions_sshd_private_key:tst:1
true. Following items have been found on the system:
Path: /etc/ssh/ssh_host_ecdsa_key; Type: regular; UID: 0; GID: 999; Size (B): 480; Permissions: rw-r-----
Path: /etc/ssh/ssh_host_ed25519_key; Type: regular; UID: 0; GID: 999; Size (B): 387; Permissions: rw-r-----
Path: /etc/ssh/ssh_host_rsa_key; Type: regular; UID: 0; GID: 999; Size (B): 2578; Permissions: rw-r-----
Verify Permissions on SSH Server Public *.pub Key Files
Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-file_permissions_sshd_pub_key:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
References:
12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , APO01.06 , DSS05.04 , DSS05.07 , DSS06.02 , 3.1.13 , 3.13.10 , CCI-000366 , 4.3.3.7.3 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-17(a) , CM-6(a) , AC-6(1) , PR.AC-4 , PR.DS-5 , SRG-OS-000480-GPOS-00227
Description: To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
Rationale: If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
OVAL test results details
Testing mode of /etc/ssh/
oval:ssg-test_file_permissions_sshd_pub_key:tst:1
true. Following items have been found on the system:
Path: /etc/ssh/ssh_host_rsa_key.pub; Type: regular; UID: 0; GID: 0; Size (B): 554; Permissions: rw-r--r--
Path: /etc/ssh/ssh_host_ed25519_key.pub; Type: regular; UID: 0; GID: 0; Size (B): 82; Permissions: rw-r--r--
Path: /etc/ssh/ssh_host_ecdsa_key.pub; Type: regular; UID: 0; GID: 0; Size (B): 162; Permissions: rw-r--r--
Verify Group Who Owns SSH Server config file
Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-file_groupowner_sshd_config:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
References:
12 , 13 , 14 , 15 , 16 , 18 , 3 , 5 , APO01.06 , DSS05.04 , DSS05.07 , DSS06.02 , 4.3.3.7.3 , SR 2.1 , SR 5.2 , A.10.1.1 , A.11.1.4 , A.11.1.5 , A.11.2.1 , A.13.1.1 , A.13.1.3 , A.13.2.1 , A.13.2.3 , A.13.2.4 , A.14.1.2 , A.14.1.3 , A.6.1.2 , A.7.1.1 , A.7.1.2 , A.7.3.1 , A.8.2.2 , A.8.2.3 , A.9.1.1 , A.9.1.2 , A.9.2.3 , A.9.4.1 , A.9.4.4 , A.9.4.5 , AC-17(a) , CM-6(a) , AC-6(1) , PR.AC-4 , PR.DS-5 , SRG-OS-000480-GPOS-00227
Description: To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config
Rationale: Service configuration files enable or disable features of their respective services that, if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details
Testing group ownership of /etc/ssh/sshd_config
oval:ssg-test_file_groupowner_sshd_config:tst:1
true. Following items have been found on the system: Path: /etc/ssh/sshd_config; Type: regular; UID: 0; GID: 0; Size (B): 4424; Permissions: rw-------
Install usbguard Package
Rule ID: xccdf_org.ssgproject.content_rule_package_usbguard_installed
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-package_usbguard_installed:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82524-0
References:
SRG-OS-000378-GPOS-00163
Description: The usbguard package can be installed with the following command:
Rationale: usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.
OVAL test results details
package usbguard is installed
oval:ssg-test_package_usbguard_installed:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_test_package_usbguard_installed:obj:1 of type rpminfo_object
Enable the USBGuard Service
Rule ID: xccdf_org.ssgproject.content_rule_service_usbguard_enabled
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-service_usbguard_enabled:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82537-2
References:
FMT_SMF_EXT.1 , SRG-OS-000378-GPOS-00163
Description: The USBGuard service should be enabled. The usbguard service can be enabled with the following command:
$ sudo systemctl enable usbguard.service
Rationale: The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices.
OVAL test results details
package usbguard is installed
oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1 of type rpminfo_object
Test that the usbguard service is running
oval:ssg-test_service_running_usbguard:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_service_running_usbguard:obj:1 of type systemdunitproperty_object; Unit: ^usbguard\.(socket|service)$; Property: ActiveState
systemd test
oval:ssg-test_multi_user_wants_usbguard:tst:1
false. Following items have been found on the system:
Unit: multi-user.target
Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
systemd test
oval:ssg-test_multi_user_wants_usbguard_socket:tst:1
false. Following items have been found on the system:
Unit: multi-user.target
Dependencies: basic.target var.mount sysinit.target systemd-sysusers.service dracut-shutdown.service lvm2-lvmpolld.socket multipathd.service systemd-ask-password-console.path systemd-tmpfiles-setup-dev.service systemd-journal-catalog-update.service sys-kernel-debug.mount systemd-udevd.service dev-hugepages.mount selinux-autorelabel-mark.service systemd-journald.service proc-sys-fs-binfmt_misc.automount systemd-update-utmp.service sys-fs-fuse-connections.mount local-fs.target ostree-remount.service systemd-remount-fs.service boot-efi.mount boot.mount systemd-udev-trigger.service cryptsetup.target systemd-tmpfiles-setup.service systemd-update-done.service dev-mqueue.mount systemd-machine-id-commit.service swap.target systemd-random-seed.service systemd-modules-load.service ldconfig.service systemd-binfmt.service kmod-static-nodes.service systemd-sysctl.service systemd-hwdb-update.service sys-kernel-config.mount lvm2-monitor.service systemd-journal-flush.service sockets.target systemd-coredump.socket dm-event.socket systemd-udevd-kernel.socket systemd-initctl.socket systemd-udevd-control.socket systemd-journald.socket multipathd.socket systemd-journald-dev-log.socket dbus.socket slices.target system.slice -.slice timers.target systemd-tmpfiles-clean.timer unbound-anchor.timer microcode.service ignition-firstboot-complete.service coreos-update-ca-trust.service paths.target afterburn-sshkeys@core.service ostree-finalize-staged.path systemd-ask-password-wall.path remote-fs.target irqbalance.service remote-cryptsetup.target afterburn-checkin.service NetworkManager.service sshd.service sssd.service dbus.service mcd-write-pivot-reboot.service systemd-user-sessions.service gcp-routes.service systemd-logind.service console-login-helper-messages-issuegen.service vmtoolsd.service mdmonitor.service machine-config-daemon-firstboot.service afterburn-firstboot-checkin.service coreos-regenerate-iscsi-initiatorname.service systemd-update-utmp-runlevel.service rhcos-growpart.service kubelet.service chronyd.service auditd.service getty.target getty@tty1.service serial-getty@ttyS0.service
Log USBGuard daemon audit events using Linux Audit
Rule ID: xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-configure_usbguard_auditbackend:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82538-0
References:
FMT_SMF_EXT.1 , SRG-OS-000062-GPOS-00031
Description: To configure the USBGuard daemon to log via Linux Audit (as opposed to logging directly to a file), the AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit.
Rationale: Using Linux Audit logging allows for centralized tracing of events.
OVAL test results details
tests the value of AuditBackend setting in the /etc/usbguard/usbguard-daemon.conf file
oval:ssg-test_configure_usbguard_auditbackend:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_configure_usbguard_auditbackend:obj:1 of type textfilecontent54_object; Filepath: /etc/usbguard/usbguard-daemon.conf; Pattern: ^[ \t]*AuditBackend=(.+?)[ \t]*(?:$|#); Instance: 1
The configuration file /etc/usbguard/usbguard-daemon.conf exists for configure_usbguard_auditbackend
oval:ssg-test_configure_usbguard_auditbackend_config_file_exists:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_configure_usbguard_auditbackend_config_file:obj:1 of type file_object; Filepath: ^/etc/usbguard/usbguard-daemon.conf
Authorize Human Interface Devices and USB hubs in USBGuard daemon
Rule ID: xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
Result: (blank)
Multi-check rule: no
OVAL Definition ID: oval:ssg-usbguard_allow_hid_and_hub:def:1
Time: 2020-05-28T09:50:19+00:00
Severity: medium
Identifiers and References
Identifiers:
CCE-82539-8
References:
FMT_SMF_EXT.1 , SRG-OS-000114-GPOS-00059
Description: To allow authorization of USB devices combining human interface device and hub capabilities by the USBGuard daemon, add the line
allow with-interface match_all { 03:*:* 09:00:* }
to /etc/usbguard/rules.conf.
Rationale: Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system.
Warnings
warning: This rule should be understood primarily as a convenience administration feature. It ensures that if the USBGuard default rules.conf file is present, it will be altered so that USB human interface devices and hubs are allowed. However, if the rules.conf file has been altered by the system administrator, the rule does not check whether USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind.
OVAL test results details
Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists
oval:ssg-test_usbguard_rules_nonempty:tst:1
false. No items have been found conforming to the following objects: Object oval:ssg-obj_usbguard_rules_nonempty:obj:1 of type textfilecontent54_object; Filepath: /etc/usbguard/rules.conf; Pattern: ^.*\S+.*$; Instance: 1