xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp

Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile Protection Profile for General Purpose Operating Systems
This profile reflects mandatory configuration controls identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2.1). This configuration profile is consistent with CNSSI-1253, which requires U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	rhel8.example.com
Benchmark URL	ssg-rhel8-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.50
Profile ID	xccdf_org.ssgproject.content_profile_ospp
Started at	2021-03-21T19:59:44+01:00
Finished at	2021-03-21T19:59:44+01:00
Performed by	root
Test system	cpe:/a:redhat:openscap:1.3.3

CPE Platforms

cpe:/o:redhat:enterprise_linux:8

Addresses

IPv4 127.0.0.1
IPv4 192.168.122.8
IPv6 0:0:0:0:0:0:0:1
IPv6 fe80:0:0:0:9fb8:54a0:643b:ab20
MAC 00:00:00:00:00:00
MAC 52:54:00:E6:B4:A4

Compliance and Scoring

The target system did not satisfy the conditions of 131 rules! Please review rule results and consider applying remediation.

Rule results

67 passed

131 failed

2 other

Severity of failed rules

23 other

9 low

91 medium

8 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	56.561554	100.000000	56.56%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 8 131x fail
System Settings 116x fail
Account and Access Control 24x fail
Protect Accounts by Configuring PAM 12x fail
Set Password Quality Requirements 8x fail
Set Password Quality Requirements with pam_pwquality 8x fail
Set Password Maximum Consecutive Repeating Characters	medium	fail
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Different Characters	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Special Characters	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Length	medium	fail
Ensure PAM Enforces Password Requirements - Minimum Digit Characters	medium	fail
Set Lockouts for Failed Password Attempts 4x fail
Set Lockout Time for Failed Password Attempts	medium	fail
Set Interval For Counting Failed Password Attempts	medium	fail
Set Deny For Failed Password Attempts	medium	fail
Limit Password Reuse	medium	fail
Protect Physical Console Access 6x fail
Configure Screen Locking 4x fail
Configure Console Screen Locking 4x fail
Install the tmux Package	medium	pass
Configure tmux to lock session after inactivity	medium	fail
Support session locking with tmux	medium	fail
Prevent user from disabling the screen lock	medium	fail
Configure the tmux Lock Command	medium	fail
Disable debug-shell SystemD Service	medium	pass
Disable Ctrl-Alt-Del Burst Action	high	fail
Disable Ctrl-Alt-Del Reboot Activation	high	fail
Require Authentication for Single User Mode	medium	pass
Verify that Interactive Boot is Disabled	medium	pass
Protect Accounts by Restricting Password-Based Login 2x fail
Verify Proper Storage and Existence of Password Hashes 1x fail
Prevent Login to Accounts With Empty Password	high	fail
Set Password Expiration Parameters 1x fail
Set Password Minimum Length in login.defs	medium	fail
Restrict Root Logins
Restrict Virtual Console Root Logins	medium	pass
Secure Session Configuration Files for Login Accounts 4x fail
Ensure that Users Have Sensible Umask Values 3x fail
Ensure the Default C Shell Umask is Set Correctly	unknown	fail
Ensure the Default Umask is Set Correctly in /etc/profile	unknown	fail
Ensure the Default Bash Umask is Set Correctly	unknown	fail
Limit the Number of Concurrent Login Sessions Allowed Per User	low	fail
System Accounting with auditd 19x fail
Configure auditd Data Retention 1x fail
Write Audit Logs to the Disk	medium	pass
Configure auditd flush priority	medium	pass
Resolve information before writing to audit logs	medium	pass
Set hostname as computer node name in audit logs	medium	fail
Set number of records to cause an explicit flush to audit logs	medium	pass
Include Local Events in Audit Logs	medium	pass
System Accounting with auditd 16x fail
Configure auditing of unsuccessful file deletions	medium	fail
Perform general configuration of Audit for OSPP	medium	fail
Configure auditing of successful file deletions	medium	fail
Configure auditing of successful file creations	medium	fail
Configure auditing of unsuccessful ownership changes	medium	fail
Configure auditing of successful ownership changes	medium	fail
Configure auditing of successful permission changes	medium	fail
Configure auditing of unsuccessful file modifications	medium	fail
Configure auditing of unsuccessful file accesses	medium	fail
Configure auditing of successful file modifications	medium	fail
Configure basic parameters of Audit system	medium	fail
Configure auditing of unsuccessful permission changes	medium	fail
Configure auditing of unsuccessful file creations	medium	fail
Configure immutable Audit login UIDs	medium	fail
Configure auditing of successful file accesses	medium	fail
Configure auditing of loading and unloading of kernel modules	medium	fail
Ensure the audit Subsystem is Installed	medium	pass
Enable auditd Service	high	pass
Extend Audit Backlog Limit for the Audit Daemon	medium	fail
Enable Auditing for Processes Which Start Prior to the Audit Daemon	medium	fail
Installing and Maintaining Software 19x fail
Updating Software 6x fail
Install dnf-automatic Package	medium	fail
Ensure gpgcheck Enabled In Main yum Configuration	high	pass
Ensure Red Hat GPG Key Installed	high	pass
Ensure gpgcheck Enabled for Local Packages	high	fail
Ensure gpgcheck Enabled for All yum Package Repositories	high	fail
Configure dnf-automatic to Install Available Updates Automatically	medium	fail
Enable dnf-automatic Timer	medium	fail
Configure dnf-automatic to Install Only Security Updates	low	fail
Disk Partitioning 4x fail
Ensure /var Located On Separate Partition	low	fail
Ensure /home Located On Separate Partition	low	fail
Ensure /var/log/audit Located On Separate Partition	low	fail
Ensure /var/log Located On Separate Partition	medium	fail
System Tooling / Utilities 3x fail
Install dnf-plugin-subscription-manager Package	medium	pass
Install openscap-scanner Package	medium	pass
Install rng-tools Package	medium	pass
Install scap-security-guide Package	medium	pass
Install subscription-manager Package	medium	pass
Uninstall abrt-addon-ccpp Package	low	pass
Uninstall abrt-addon-kerneloops Package	low	pass
Uninstall abrt-addon-python Package	low	pass
Uninstall abrt-cli Package	low	pass
Uninstall abrt-plugin-logger Package	low	pass
Uninstall abrt-plugin-rhtsupport Package	low	pass
Uninstall abrt-plugin-sosreport Package	low	pass
Uninstall gssproxy Package	low	pass
Uninstall iprutils Package	low	fail
Uninstall krb5-workstation Package	medium	pass
Uninstall pigz Package	low	fail
Uninstall tuned Package	low	fail
Sudo
Install sudo Package	medium	pass
System and Software Integrity 6x fail
Software Integrity Checking 1x fail
Verify Integrity with AIDE 1x fail
Install AIDE	medium	fail
Federal Information Processing Standard (FIPS) 2x fail
Enable Dracut FIPS Module	medium	fail
Enable FIPS Mode	high	fail
System Cryptographic Policies 3x fail
Install crypto-policies package	medium	pass
OpenSSL uses strong entropy source	medium	fail
Configure SSH to use System Crypto Policy	medium	pass
Configure BIND to use System Crypto Policy	medium	pass
Configure OpenSSL library to use System Crypto Policy	medium	pass
Configure Libreswan to use System Crypto Policy	medium	pass
Configure session renegotiation for SSH client	medium	fail
Configure System Cryptography Policy	high	fail
Configure Kerberos to use System Crypto Policy	medium	pass
GRUB2 bootloader configuration 1x fail
Enable Kernel Page-Table Isolation (KPTI)	high	fail
Set the UEFI Boot Loader Password	medium	pass
Disable vsyscalls	info	informational
zIPL bootloader configuration
Enable Auditing to Start Prior to the Audit Daemon in zIPL	medium	notapplicable
Enable page allocator poisoning in zIPL	medium	notapplicable
Disable vsyscalls in zIPL	info	notapplicable
Ensure all zIPL boot entries are BLS compliant	medium	notapplicable
Extend Audit Backlog Limit for the Audit Daemon in zIPL	medium	notapplicable
Ensure zIPL bootmap is up to date	medium	notapplicable
Enable SLUB/SLAB allocator poisoning in zIPL	medium	notapplicable
Network Configuration and Firewalls 20x fail
firewalld
Inspect and Activate Default firewalld Rules
Install firewalld Package	medium	pass
Verify firewalld Enabled	medium	pass
Wireless Networking 1x fail
Disable Wireless Through Software Configuration 1x fail
Disable Bluetooth Kernel Module	medium	fail
IPv6 4x fail
Configure IPv6 Settings if Necessary 4x fail
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default	unknown	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces	medium	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces	medium	pass
Configure Accepting Router Advertisements on All IPv6 Interfaces	unknown	fail
Disable Accepting ICMP Redirects for All IPv6 Interfaces	medium	pass
Kernel Parameters Which Affect Networking 10x fail
Network Parameters for Hosts Only 1x fail
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default	medium	pass
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces	medium	fail
Network Related Kernel Runtime Parameters for Hosts and Routers 9x fail
Disable Accepting ICMP Redirects for All IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces	unknown	fail
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces	unknown	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces	medium	pass
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces	medium	fail
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default	unknown	fail
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default	medium	fail
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces	medium	pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default	medium	fail
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces	medium	fail
Configure Kernel Parameter for Accepting Secure Redirects By Default	medium	fail
Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces	medium	fail
iptables and ip6tables
Install iptables Package	medium	pass
Uncommon Network Protocols 5x fail
Disable IEEE 1394 (FireWire) Support	medium	fail
Disable SCTP Support	medium	fail
Disable CAN Support	medium	fail
Disable TIPC Support	medium	fail
Disable ATM Support	medium	fail
SELinux
Install policycoreutils-python-utils package	medium	pass
Install policycoreutils Package	high	pass
Ensure SELinux State is Enforcing	high	pass
Configure SELinux Policy	high	pass
File Permissions and Masks 33x fail
Verify Permissions on Important Files and Directories
Enable Kernel Parameter to Enforce DAC on Symlinks	unknown	pass
Enable Kernel Parameter to Enforce DAC on Hardlinks	unknown	pass
Restrict Dynamic Mounting and Unmounting of Filesystems 1x fail
Disable Mounting of cramfs	low	fail
Restrict Programs from Dangerous Execution Patterns 13x fail
Enable ExecShield
Restrict Exposed Kernel Pointer Addresses Access	medium	pass
Disable Core Dumps 4x fail
Disable acquiring, saving, and processing core dumps	unknown	fail
Disable storing core dump	unknown	fail
Disable Core Dumps for All Users	unknown	fail
Disable core dump backtraces	unknown	fail
Memory Poisoning 2x fail
Enable SLUB/SLAB allocator poisoning	medium	fail
Enable page allocator poisoning	medium	fail
Disable Kernel Image Loading	medium	fail
Harden the operation of the BPF just-in-time compiler	medium	fail
Disable Access to Network bpf() Syscall From Unprivileged Processes	medium	fail
Disable the use of user namespaces	info	informational
Disable storing core dumps	unknown	fail
Restrict usage of ptrace to descendant processes	medium	fail
Disallow kernel profiling by unprivileged users	medium	fail
Restrict Access to Kernel Message Buffer	medium	fail
Restrict Partition Mount Options 19x fail
Add noexec Option to /tmp	unknown	fail
Add nodev Option to /var	medium	fail
Add nosuid Option to /var/log	medium	fail
Add nodev Option to /var/log/audit	medium	fail
Add nodev Option to /tmp	unknown	fail
Add nosuid Option to /boot	medium	fail
Add nodev Option to /var/log	medium	fail
Add nosuid Option to /var/tmp	unknown	fail
Add nosuid Option to /tmp	unknown	fail
Add nodev Option to /dev/shm	medium	pass
Add nosuid Option to /var/log/audit	medium	fail
Add nosuid Option to /home	medium	fail
Add noexec Option to /var/log/audit	medium	fail
Add noexec Option to /var/tmp	unknown	fail
Add nosuid Option to /dev/shm	medium	pass
Add noexec Option to /dev/shm	medium	fail
Add noexec Option to /var/log	medium	fail
Add nodev Option to /boot	medium	fail
Add nodev Option to Non-Root Local Partitions	unknown	fail
Add nodev Option to /var/tmp	unknown	fail
Add nodev Option to /home	unknown	fail
Services 15x fail
Application Whitelisting Daemon 2x fail
Install fapolicyd Package	medium	fail
Enable the File Access Policy Service	medium	fail
NFS and RPC
Uninstall nfs-utils Package	low	pass
Hardware RNG Entropy Gatherer Daemon
Enable the Hardware RNG Entropy Gatherer Service	medium	pass
Mail Server Software
Uninstall Sendmail Package	medium	pass
SSH Server 7x fail
Configure OpenSSH Server if Necessary 7x fail
Disable SSH Root Login	medium	fail
Disable SSH Access via Empty Passwords	high	pass
Force frequent session key renegotiation	medium	fail
SSH server uses strong entropy to seed	medium	fail
Enable SSH Warning Banner	medium	fail
Disable Kerberos Authentication	medium	pass
Set SSH Idle Timeout Interval	medium	fail
Enable Use of Strict Mode Checking	medium	pass
Disable Host-Based Authentication	medium	pass
Set SSH Client Alive Max Count	medium	fail
Disable GSSAPI Authentication	medium	fail
Install OpenSSH client software	medium	pass
Install the OpenSSH Server Package	medium	pass
Base Services
Uninstall Automatic Bug Reporting Tool (abrt)	medium	pass
USBGuard daemon 4x fail
Install usbguard Package	medium	fail
Enable the USBGuard Service	medium	fail
Authorize Human Interface Devices and USB hubs in USBGuard daemon	medium	fail
Log USBGuard daemon audit events using Linux Audit	medium	fail
Network Time Protocol 2x fail
Disable network management of chrony daemon	unknown	fail
Disable chrony daemon from acting as server	unknown	fail
Kerberos
Disable Kerberos by removing host keytab	medium	pass

Result Details

Set Password Maximum Consecutive Repeating Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_maxrepeat:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82066-2

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040

Description

The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal 3 to prevent a run of (3 + 1) or more identical characters.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_maxrepeat="3"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/security/pwquality.conf' '^maxrepeat' $var_password_pam_maxrepeat 'CCE-82066-2' '%s = %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_maxrepeat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82066-2
    - NIST-800-53-IA-5(c)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
- name: XCCDF Value var_password_pam_maxrepeat # promote to variable
  set_fact:
    var_password_pam_maxrepeat: !!str 3
  tags:
    - always

- name: Ensure PAM variable maxrepeat is set accordingly
  lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*maxrepeat
    line: maxrepeat = {{ var_password_pam_maxrepeat }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_maxrepeat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82066-2
    - NIST-800-53-IA-5(c)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_maxrepeat:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^maxrepeat[\s]=[\s](\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_maxclassrepeat:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81034-1

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040

Description

The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal 4 to prevent a run of (4 + 1) or more identical characters.

Rationale

Use of a complex password helps to increase the time and resources required to comrpomise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_maxclassrepeat="4"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/security/pwquality.conf' '^maxclassrepeat' $var_password_pam_maxclassrepeat 'CCE-81034-1' '%s = %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_maxclassrepeat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81034-1
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
- name: XCCDF Value var_password_pam_maxclassrepeat # promote to variable
  set_fact:
    var_password_pam_maxclassrepeat: !!str 4
  tags:
    - always

- name: Ensure PAM variable maxclassrepeat is set accordingly
  lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*maxclassrepeat
    line: maxclassrepeat = {{ var_password_pam_maxclassrepeat }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_maxclassrepeat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81034-1
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_maxclassrepeat:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^maxclassrepeat[\s]=[\s](\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Minimum Different Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_difok

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_difok:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80654-7

References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, SRG-OS-000072-VMM-000390

Description

The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal 4 to require differing characters when changing passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_difok="4"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/security/pwquality.conf' '^difok' $var_password_pam_difok 'CCE-80654-7' '%s = %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_difok
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80654-7
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - CJIS-5.6.2.1.1
- name: XCCDF Value var_password_pam_difok # promote to variable
  set_fact:
    var_password_pam_difok: !!str 4
  tags:
    - always

- name: Ensure PAM variable difok is set accordingly
  lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*difok
    line: difok = {{ var_password_pam_difok }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_difok
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80654-7
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - CJIS-5.6.2.1.1

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_difok:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_difok:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^difok[\s]=[\s](\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Minimum Special Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_ocredit:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80663-8

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000266-GPOS-00101, SRG-OS-000266-VMM-000940

Description

The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal -1 to require use of a special character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_ocredit="-1"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/security/pwquality.conf' '^ocredit' $var_password_pam_ocredit 'CCE-80663-8' '%s = %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_ocredit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80663-8
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
- name: XCCDF Value var_password_pam_ocredit # promote to variable
  set_fact:
    var_password_pam_ocredit: !!str -1
  tags:
    - always

- name: Ensure PAM variable ocredit is set accordingly
  lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*ocredit
    line: ocredit = {{ var_password_pam_ocredit }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_ocredit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80663-8
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_ocredit:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_ocredit:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^ocredit[\s]=[\s](-?\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_ucredit:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80665-3

References: 6.3.2, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000069-VMM-000360

Description

The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_ucredit="-1"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/security/pwquality.conf' '^ucredit' $var_password_pam_ucredit 'CCE-80665-3' '%s = %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_ucredit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80665-3
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - PCI-DSS-Req-8.2.3
- name: XCCDF Value var_password_pam_ucredit # promote to variable
  set_fact:
    var_password_pam_ucredit: !!str -1
  tags:
    - always

- name: Ensure PAM variable ucredit is set accordingly
  lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*ucredit
    line: ucredit = {{ var_password_pam_ucredit }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_ucredit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80665-3
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - PCI-DSS-Req-8.2.3

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_ucredit:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_ucredit:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^ucredit[\s]=[\s](-?\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_lcredit:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80655-4

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, SRG-OS-000070-VMM-000370

Description

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_lcredit="-1"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/security/pwquality.conf' '^lcredit' $var_password_pam_lcredit 'CCE-80655-4' '%s = %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_lcredit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80655-4
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - PCI-DSS-Req-8.2.3
- name: XCCDF Value var_password_pam_lcredit # promote to variable
  set_fact:
    var_password_pam_lcredit: !!str -1
  tags:
    - always

- name: Ensure PAM variable lcredit is set accordingly
  lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*lcredit
    line: lcredit = {{ var_password_pam_lcredit }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_lcredit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80655-4
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - PCI-DSS-Req-8.2.3

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_lcredit:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_lcredit:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^lcredit[\s]=[\s](-?\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Minimum Length

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_minlen:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80656-2

References: 6.3.2, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450

Description

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=12 after pam_pwquality to set minimum password length requirements.

Rationale

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_minlen="12"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/security/pwquality.conf' '^minlen' $var_password_pam_minlen 'CCE-80656-2' '%s = %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_minlen
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80656-2
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - PCI-DSS-Req-8.2.3
    - CJIS-5.6.2.1.1
- name: XCCDF Value var_password_pam_minlen # promote to variable
  set_fact:
    var_password_pam_minlen: !!str 12
  tags:
    - always

- name: Ensure PAM variable minlen is set accordingly
  lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minlen
    line: minlen = {{ var_password_pam_minlen }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_minlen
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80656-2
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - PCI-DSS-Req-8.2.3
    - CJIS-5.6.2.1.1

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_minlen:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_minlen:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^minlen[\s]=[\s](\d+)(?:[\s]\|$)	1

Ensure PAM Enforces Password Requirements - Minimum Digit Characters

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_dcredit:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80653-9

References: 6.3.2, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, SRG-OS-000071-VMM-000380

Description

The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

Rationale

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_dcredit="-1"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/security/pwquality.conf' '^dcredit' $var_password_pam_dcredit 'CCE-80653-9' '%s = %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_dcredit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80653-9
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - PCI-DSS-Req-8.2.3
- name: XCCDF Value var_password_pam_dcredit # promote to variable
  set_fact:
    var_password_pam_dcredit: !!str -1
  tags:
    - always

- name: Ensure PAM variable dcredit is set accordingly
  lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*dcredit
    line: dcredit = {{ var_password_pam_dcredit }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_dcredit
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80653-9
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(4)
    - PCI-DSS-Req-8.2.3

OVAL test results details

check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_dcredit:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_password_pam_pwquality_dcredit:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/pwquality.conf	^dcredit[\s]=[\s](-?\d+)(?:[\s]\|$)	1

Set Lockout Time for Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80670-3

References: 5.3.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000329-VMM-001180

Description

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

add the following line immediately before the pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900

add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900

add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
```
account required pam_faillock.so
```

If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user.

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_accounts_passwords_pam_faillock_unlock_time="0"

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

for pam_file in "${AUTH_FILES[@]}"
do
    # is auth required pam_faillock.so preauth present?
    if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"unlock_time"'=([0-9]*).*$' "$pam_file" ; then
            # just change the value of option to a correct value
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"unlock_time"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        fi
    # auth required pam_faillock.so preauth is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file"
    fi
    # is auth default pam_faillock.so authfail present?
    if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"unlock_time"'=([0-9]*).*$' "$pam_file" ; then
            # just change the value of option to a correct value
            sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"unlock_time"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        fi
    # auth default pam_faillock.so authfail is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file"
    fi
    if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
        sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account     required      pam_faillock.so' "$pam_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80670-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3
- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_unlock_time: !!str 0
  tags:
    - always

- name: Add auth pam_faillock preauth unlock_time before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
      }}
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80670-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3

- name: Add unlock_time argument to pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
      }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80670-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3

- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
      }}
    state: after
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80670-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3

- name: Add unlock_time argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
      }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80670-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_unlock_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80670-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(b)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.7
    - CJIS-5.5.3

OVAL test results details

check preauth maximum failed login attempts allowed in /etc/pam.d/system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\sauth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.unlock_time=([0-9]).$	1

check authfail maximum failed login attempts allowed in /etc/pam.d/system-auth oval:ssg-test_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\sauth\s+(?:(?:sufficient)\|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.unlock_time=([0-9]).$	1

check authfail maximum failed login attempts allowed in /etc/pam.d/password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/password-auth	^\sauth\s+(?:(?:sufficient)\|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.unlock_time=([0-9]).$	1

check preauth maximum failed login attempts allowed in /etc/pam.d/password-auth oval:ssg-test_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/password-auth	^\sauth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.unlock_time=([0-9]).$	1

Set Interval For Counting Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_passwords_pam_faillock_interval:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80669-5

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050

Description

Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

Add the following line immediately before the pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900

Add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900

Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
```
account required pam_faillock.so
```

Rationale

By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

# include our remediation functions library

var_accounts_passwords_pam_faillock_fail_interval="900"

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

for pam_file in "${AUTH_FILES[@]}"
do
    # is auth required pam_faillock.so preauth present?
    if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"fail_interval"'=([0-9]*).*$' "$pam_file" ; then
            # just change the value of option to a correct value
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"fail_interval"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
        fi
    # auth required pam_faillock.so preauth is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval" "$pam_file"
    fi
    # is auth default pam_faillock.so authfail present?
    if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"fail_interval"'=([0-9]*).*$' "$pam_file" ; then
            # just change the value of option to a correct value
            sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"fail_interval"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file"
        fi
    # auth default pam_faillock.so authfail is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval" "$pam_file"
    fi
    if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
        sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account     required      pam_faillock.so' "$pam_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80669-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
- name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_fail_interval: !!str 900
  tags:
    - always

- name: Add auth pam_faillock preauth fail_interval before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
      }}
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80669-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

- name: Add fail_interval argument to auth pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
      }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80669-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

- name: Add auth pam_faillock aufthfail fail_interval after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
      }}
    state: after
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80669-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

- name: Add fail_interval argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
      }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80669-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_interval
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80669-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)

OVAL test results details

check maximum preauth fail_interval allowed in /etc/pam.d/system-auth oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\sauth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.fail_interval=([0-9]).$	1

check maximum authfail fail_interval allowed in /etc/pam.d/system-auth oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\sauth\s+(?:(?:sufficient)\|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.fail_interval=([0-9]).$	1

check maximum authfail fail_interval allowed in /etc/pam.d/password-auth oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/password-auth	^\sauth\s+(?:(?:sufficient)\|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.fail_interval=([0-9]).$	1

check maximum preauth fail_interval allowed in /etc/pam.d/password-auth oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/password-auth	^\sauth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.fail_interval=([0-9]).$	1

check if pam_faillock.so is required in account section in /etc/pam.d/password-auth oval:ssg-test_accounts_passwords_pam_faillock_account_requires_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_account_requires_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/password-auth	^\saccount\s+required\s+pam_faillock\.so.$	1

check if pam_faillock.so is required in account section in /etc/pam.d/system-auth oval:ssg-test_accounts_passwords_pam_faillock_account_requires_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_account_requires_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\saccount\s+required\s+pam_faillock\.so.$	1

Set Deny For Failed Password Attempts

Rule ID xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_passwords_pam_faillock_deny:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80667-9

References: 5.3.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050

Description

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

add the following line immediately before the pam_unix.so statement in the AUTH section:

auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900

add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900

add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
```
account required pam_faillock.so
```

Rationale

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_accounts_passwords_pam_faillock_deny="3"

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

for pam_file in "${AUTH_FILES[@]}"
do
    # is auth required pam_faillock.so preauth present?
    if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"deny"'=([0-9]*).*$' "$pam_file" ; then
            # just change the value of option to a correct value
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"deny"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"deny"'='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        fi
    # auth required pam_faillock.so preauth is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent '"deny"'='"$var_accounts_passwords_pam_faillock_deny" "$pam_file"
    fi
    # is auth default pam_faillock.so authfail present?
    if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then
        # is the option set?
        if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"deny"'=([0-9]*).*$' "$pam_file" ; then
            # just change the value of option to a correct value
            sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"deny"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        # the option is not set.
        else
            # append the option
            sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"deny"'='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        fi
    # auth default pam_faillock.so authfail is not present, insert the whole line
    else
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail '"deny"'='"$var_accounts_passwords_pam_faillock_deny" "$pam_file"
    fi
    if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then
        sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account     required      pam_faillock.so' "$pam_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80667-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3
- name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_deny: !!str 3
  tags:
    - always

- name: Add auth pam_faillock preauth deny before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny
      }}
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80667-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3

- name: Add deny argument to auth pam_faillock preauth
  pamd:
    name: '{{ item }}'
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny
      }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80667-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3

- name: Add auth pam_faillock authfail deny after pam_unix.so
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
    state: after
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80667-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3

- name: Add deny argument to auth pam_faillock authfail
  pamd:
    name: '{{ item }}'
    type: auth
    new_type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
    state: args_present
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80667-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3

- name: Add account pam_faillock before pam_unix.so
  pamd:
    name: '{{ item }}'
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  loop:
    - system-auth
    - password-auth
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_passwords_pam_faillock_deny
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80667-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-7(a)
    - NIST-800-171-3.1.8
    - PCI-DSS-Req-8.1.6
    - CJIS-5.5.3

OVAL test results details

Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix. oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	[\n][\s]auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]silent[\s]+[^\n]deny=([0-9]+)[\s](?s).[\n][\s]auth[^\n]+pam_unix\.so[^\n]*[\n]	1

Check if pam_faillock.so is called in account phase before pam_unix oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_account_phase_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	[\n][\s]account[\s]+required[\s]+pam_faillock\.so[^\n][\n][\s]account[\s]+required[\s]+pam_unix\.so[^\n][\n]	1

Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/password-auth	[\n][\s]auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]silent[\s]+[^\n]deny=([0-9]+)[\s](?s).[\n][\s]auth[^\n]+pam_unix\.so[^\n]*[\n]	1

Check if pam_faillock_so is called in account phase before pam_unix. oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_account_phase_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/password-auth	[\n][\s]account[\s]+required[\s]+pam_faillock\.so[^\n][\n][\s]account[\s]+required[\s]+pam_unix\.so[^\n][\n]	1

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin	/etc/pam.d/system-auth	1

Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_system-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	[\n][\s]auth[\s]+(?:(?:sufficient)\|(?:\[[^\]]default=ignore[^\]]\]))[^\n]+pam_unix\.so(?:.[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+)	1

Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin	/etc/pam.d/password-auth	1

Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct. oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_password-auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/password-auth	[\n][\s]auth[\s]+(?:(?:sufficient)\|(?:\[[^\]]default=ignore[[^\]]\]))[\s]+pam_unix\.so(?:.[\n])[^\n]auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)	1

Limit Password Reuse

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_pam_unix_remember:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80666-1

References: 5.3.3, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember=5 to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:

for the pam_unix.so case:

password sufficient pam_unix.so ...existing_options... remember=5

for the pam_pwhistory.so case:

password requisite pam_pwhistory.so ...existing_options... remember=5

The DoD STIG requirement is 5 passwords.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_password_pam_unix_remember="5"

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	if grep -q "remember=" $pamFile; then
		sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile
	else
		sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile
	fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Strategy:	configure

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_pam_unix_remember
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80666-1
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-171-3.5.8
    - PCI-DSS-Req-8.2.5
    - CJIS-5.6.2.1.1
- name: XCCDF Value var_password_pam_unix_remember # promote to variable
  set_fact:
    var_password_pam_unix_remember: !!str 5
  tags:
    - always

- name: Do not allow users to reuse recent passwords - system-auth (change)
  replace:
    dest: /etc/pam.d/system-auth
    follow: true
    regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$
    replace: \g<1>{{ var_password_pam_unix_remember }}\g<3>
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_unix_remember
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80666-1
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-171-3.5.8
    - PCI-DSS-Req-8.2.5
    - CJIS-5.6.2.1.1

- name: Do not allow users to reuse recent passwords - system-auth (add)
  replace:
    dest: /etc/pam.d/system-auth
    follow: true
    regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$
    replace: \g<0> remember={{ var_password_pam_unix_remember }}
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_password_pam_unix_remember
    - medium_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80666-1
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-171-3.5.8
    - PCI-DSS-Req-8.2.5
    - CJIS-5.6.2.1.1

OVAL test results details

Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_unix_remember:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_unix_remember:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\spassword\s+(?:(?:sufficient)\|(?:required))\s+pam_unix\.so.remember=([0-9]).$	1

Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/pam.d/system-auth	^\spassword\s+(?:(?:requisite)\|(?:required))\s+pam_pwhistory\.so.remember=([0-9]).$	1

Install the tmux Package

Rule ID	xccdf_org.ssgproject.content_rule_package_tmux_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_tmux_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80644-8 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000058, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000030-GPOS-00011, SRG-OS-000030-VMM-000110
Description	To enable console screen locking, install the `tmux` package. The `tmux` package can be installed with the following command: $ sudo yum install tmux Instruct users to begin new terminal sessions with the following command: $ tmux The console can now be locked with the following key combination: ctrl+b :lock-session
Rationale	A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The `tmux` package allows for a session lock to be implemented and configured.

OVAL test results details

package tmux is installed oval:ssg-test_package_tmux_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
tmux	x86_64	(none)	1.el8	2.7	0:2.7-1.el8	199e2f91fd431d51	tmux-0:2.7-1.el8.x86_64

Configure tmux to lock session after inactivity

Rule ID xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-configure_tmux_lock_after_time:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82199-1

References: FMT_SMF_EXT.1, SRG-OS-000029-GPOS-00010

Description

To enable console screen locking in tmux terminal multiplexer after a period of inactivity, the lock-after-time option has to be set to nonzero value in /etc/tmux.conf.

Rationale

Locking the session after a period of inactivity limits the potential exposure if the session is left unattended.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

tmux_conf="/etc/tmux.conf"

if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then
    sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf"
else
    echo "set -g lock-after-time 900" >> "$tmux_conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Configure tmux to lock session after inactivity
  block:

    - name: Deduplicate values from /etc/tmux.conf
      lineinfile:
        path: /etc/tmux.conf
        create: false
        regexp: ^\s*set -g lock-after-time\s+
        state: absent

    - name: Insert correct line to /etc/tmux.conf
      lineinfile:
        path: /etc/tmux.conf
        create: true
        line: set -g lock-after-time 900
        state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - configure_tmux_lock_after_time
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82199-1

OVAL test results details

check lock-after-time is set to 900 in /etc/tmux.conf oval:ssg-test_configure_tmux_lock_after_time:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_configure_tmux_lock_after_time:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/tmux.conf	^\sset\s+-g\s+lock-after-time\s+900\s(?:#.*)?$	1

Support session locking with tmux

Rule ID	xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_bashrc_exec_tmux:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82266-8 References: FMT_SMF_EXT.1, SRG-OS-000031-GPOS-00012
Description	The `tmux` terminal multiplexer is used to implement automatic session locking. It should be started from `/etc/bashrc`.
Rationale	Unlike `bash` itself, the `tmux` terminal multiplexer provides a mechanism to lock sessions after period of inactivity.
Remediation Shell script ⇲ `# Remediation is applicable only in certain platforms if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then if ! grep -x ' case "$name" in sshd\|login) exec tmux ;; esac' /etc/bashrc; then cat >> /etc/bashrc <<'EOF' if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) case "$name" in sshd\|login) exec tmux ;; esac fi EOF fi else >&2 echo 'Remediation is not applicable, nothing was done' fi`

OVAL test results details

check tmux is configured to exec on the last line of /etc/bashrc oval:ssg-test_configure_bashrc_exec_tmux:tst:1 false

Following items have been found on the system:

Path	Content
/etc/bashrc	# /etc/bashrc # System wide functions and aliases # Environment stuff goes in /etc/profile # It's NOT a good idea to change this file unless you know what you # are doing. It's much better to create a custom.sh shell script in # /etc/profile.d/ to make custom changes to your environment, as this # will prevent the need for merging in future updates. # Prevent doublesourcing if [ -z "$BASHRCSOURCED" ]; then BASHRCSOURCED="Y" # are we an interactive shell? if [ "$PS1" ]; then if [ -z "$PROMPT_COMMAND" ]; then case $TERM in xterm\|vte) if [ -e /etc/sysconfig/bash-prompt-xterm ]; then PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then PROMPT_COMMAND="__vte_prompt_command" else PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.}" "${PWD/#$HOME/\~}"' fi ;; screen) if [ -e /etc/sysconfig/bash-prompt-screen ]; then PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen else PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.}" "${PWD/#$HOME/\~}"' fi ;; ) [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default ;; esac fi # Turn on parallel history shopt -s histappend history -a # Turn on checkwinsize shopt -s checkwinsize [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ " # You might want to have e.g. tty in prompt (e.g. more virtual machines) # and console windows # If you want to do so, just add e.g. # if [ "$PS1" ]; then # PS1="[\u@\h:\l \W]\\$ " # fi # to your custom modification shell script in /etc/profile.d/ directory fi if ! shopt -q login_shell ; then # We're not a login shell # Need to redefine pathmunge, it gets undefined at the end of /etc/profile pathmunge () { case ":${PATH}:" in :"$1":) ;; ) if [ "$2" = "after" ] ; then PATH=$PATH:$1 else PATH=$1:$PATH fi esac } # By default, we want umask to get set. This sets it for non-login shell. # Current threshold for system reserved uid/gids is 200 # You could check uidgid reservation validity in # /usr/share/doc/setup-/uidgid file if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then umask 002 else umask 022 fi SHELL=/bin/bash # Only display echos from profile.d scripts if we are no login shell # and interactive - otherwise just process them to set envvars for i in /etc/profile.d/*.sh; do if [ -r "$i" ]; then if [ "$PS1" ]; then . "$i" else . "$i" >/dev/null fi fi done unset i unset -f pathmunge fi fi # vim:ts=4:sw=4

Prevent user from disabling the screen lock

Rule ID	xccdf_org.ssgproject.content_rule_no_tmux_in_shells
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-no_tmux_in_shells:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82361-7 References: FMT_SMF_EXT.1, SRG-OS-000324-GPOS-00125
Description	The `tmux` terminal multiplexer is used to implement autimatic session locking. It should not be listed in `/etc/shells`.
Rationale	Not listing `tmux` among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock.
Remediation Shell script ⇲ `# Remediation is applicable only in certain platforms if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then if grep -q 'tmux$' /etc/shells ; then sed -i '/tmux$/d' /etc/shells fi else >&2 echo 'Remediation is not applicable, nothing was done' fi`
Remediation script ⇲ `apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 2.2.0 storage: files: - contents: source: data:,/bin/sh%0A/bin/bash%0A/usr/bin/sh%0A/usr/bin/bash%0A filesystem: root mode: 0644 path: /etc/shells`

OVAL test results details

check that tmux is not listed in /etc/shells oval:ssg-test_no_tmux_in_shells:tst:1 false

Following items have been found on the system:

Path	Content
/etc/shells	tmux

Configure the tmux Lock Command

Rule ID xccdf_org.ssgproject.content_rule_configure_tmux_lock_command

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-configure_tmux_lock_command:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80940-0

References: CCI-000056, CCI-000058, AC-11(a), AC-11(b), CM-6(a), SRG-OS-000028-GPOS-00009, SRG-OS-000028-VMM-000090, SRG-OS-000030-VMM-000110

Description

To enable console screen locking in tmux terminal multiplexer, the vlock command must be configured to be used as a locking mechanism. Add the following line to /etc/tmux.conf:

set -g lock-command vlock

. The console can now be locked with the following key combination:

ctrl+b :lock-session

Rationale

The tmux package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

tmux_conf="/etc/tmux.conf"

if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then
    sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf"
else
    echo "set -g lock-command vlock" >> "$tmux_conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Configure the tmux Lock Command
  block:

    - name: Deduplicate values from /etc/tmux.conf
      lineinfile:
        path: /etc/tmux.conf
        create: false
        regexp: ^\s*set -g lock-command\s+
        state: absent

    - name: Insert correct line to /etc/tmux.conf
      lineinfile:
        path: /etc/tmux.conf
        create: true
        line: set -g lock-command vlock
        state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - configure_tmux_lock_command
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80940-0
    - NIST-800-53-AC-11(a)
    - NIST-800-53-AC-11(b)
    - NIST-800-53-CM-6(a)

OVAL test results details

check lock-command is set to vlock in /etc/tmux.conf oval:ssg-test_configure_tmux_lock_command:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_configure_tmux_lock_command:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/tmux.conf	^\sset\s+-g\s+lock-command\s+vlock\s(?:#.*)?$	1

Disable debug-shell SystemD Service

Rule ID	xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_debug-shell_disabled:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80876-6 References: 3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), FIA_AFL.1, SRG-OS-000324-GPOS-00125
Description	SystemD's `debug-shell` service is intended to diagnose SystemD related boot issues with various `systemctl` commands. Once enabled and following a system reboot, the root shell will be available on `tty9` which is access by pressing `CTRL-ALT-F9`. The `debug-shell` service should only be used for SystemD related issues and should otherwise be disabled. By default, the `debug-shell` SystemD service is already disabled. The `debug-shell` service can be disabled with the following command: $ sudo systemctl disable debug-shell.service The `debug-shell` service can be masked with the following command: $ sudo systemctl mask debug-shell.service
Rationale	This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

OVAL test results details

package systemd is removed oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
systemd	x86_64	(none)	41.el8_3.1	239	0:239-41.el8_3.1	199e2f91fd431d51	systemd-0:239-41.el8_3.1.x86_64

Test that the debug-shell service is not running oval:ssg-test_service_not_running_debug-shell:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type systemdunitproperty_object

Unit	Property
^debug-shell\.(service\|socket)$	ActiveState

Test that the property LoadState from the service debug-shell is masked oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1 of type systemdunitproperty_object

Unit	Property
^debug-shell\.(service\|socket)$	LoadState

Test that the property FragmentPath from the service debug-shell is set to /dev/null oval:ssg-test_service_fragmentpath_is_dev_null_debug-shell:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_fragmentpath_is_dev_null_debug-shell:obj:1 of type systemdunitproperty_object

Unit	Property
^debug-shell\.(service\|socket)$	FragmentPath

Disable Ctrl-Alt-Del Burst Action

Rule ID xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-disable_ctrlaltdel_burstaction:def:1

Time 2021-03-21T19:59:44+01:00

Severity high

Identifiers and References

Identifiers: CCE-80784-2

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125

Description

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf:

CtrlAltDelBurstAction=none

Rationale

A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Warnings

warning Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q systemd; then

# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' 'CCE-80784-2' '%s=%s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - disable_ctrlaltdel_burstaction
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80784-2
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.4.5

- name: Disable Ctrl-Alt-Del Burst Action
  lineinfile:
    dest: /etc/systemd/system.conf
    state: present
    regexp: ^CtrlAltDelBurstAction
    line: CtrlAltDelBurstAction=none
    create: true
  when: '"systemd" in ansible_facts.packages'
  tags:
    - disable_ctrlaltdel_burstaction
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80784-2
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.4.5

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,CtrlAltDelBurstAction%3Dnone
        filesystem: root
        mode: 0644
        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf

OVAL test results details

check if CtrlAltDelBurstAction is set to none oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/system.conf	^[\s]CtrlAltDelBurstAction[\s]=[\s]*none$	1

Disable Ctrl-Alt-Del Reboot Activation

Rule ID xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-disable_ctrlaltdel_reboot:def:1

Time 2021-03-21T19:59:44+01:00

Severity high

Identifiers and References

Identifiers: CCE-80785-9

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227

Description

By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:

ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

systemctl mask ctrl-alt-del.target

Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.

Rationale

Warnings

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

# The process to disable ctrl+alt+del has changed in RHEL7. 
# Reference: https://access.redhat.com/solutions/1123873

systemctl mask ctrl-alt-del.target

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

- name: Disable Ctrl-Alt-Del Reboot Activation
  systemd:
    name: ctrl-alt-del.target
    masked: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - disable_ctrlaltdel_reboot
    - high_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80785-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6(1)
    - NIST-800-171-3.4.5

OVAL test results details

Disable Ctrl-Alt-Del key sequence override exists oval:ssg-test_disable_ctrlaltdel_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_disable_ctrlaltdel_exists:obj:1 of type symlink_object

Filepath
/etc/systemd/system/ctrl-alt-del.target

Require Authentication for Single User Mode

Rule ID	xccdf_org.ssgproject.content_rule_require_singleuser_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-require_singleuser_auth:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80855-0 References: 1.5.3, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_AFL.1, SRG-OS-000080-GPOS-00048
Description	Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. By default, single-user mode is protected by requiring a password and is set in `/usr/lib/systemd/system/rescue.service`.
Rationale	This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode oval:ssg-test_require_rescue_service:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/rescue.service	ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

Tests that the systemd rescue.service is in the runlevel1.target oval:ssg-test_require_rescue_service_runlevel1:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/systemd/system/runlevel1.target	Requires=sysinit.target rescue.service

look for runlevel1.target in /etc/systemd/system oval:ssg-test_no_custom_runlevel1_target:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object

Behaviors	Path	Filename
no value	/etc/systemd/system	^runlevel1.target$

look for rescue.service in /etc/systemd/system oval:ssg-test_no_custom_rescue_service:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object

Behaviors	Path	Filename
no value	/etc/systemd/system	^rescue.service$

Verify that Interactive Boot is Disabled

Rule ID	xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-grub2_disable_interactive_boot:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80826-1 References: 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, SC-2(1), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00227
Description	Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 8 system, interactive boot can be enabled by providing a `1`, `yes`, `true`, or `on` value to the `systemd.confirm_spawn` kernel argument in `/etc/default/grub`. Remove any instance of systemd.confirm_spawn=(1\|yes\|true\|on) from the kernel arguments in that file to disable interactive boot. It is also required to change the runtime configuration, run: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
Rationale	Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.

OVAL test results details

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/grub	^\sGRUB_CMDLINE_LINUX=".systemd.confirm_spawn=(?:1\|yes\|true\|on).*$	1

Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/default/grub	^\sGRUB_CMDLINE_LINUX_DEFAULT=".systemd.confirm_spawn=(?:1\|yes\|true\|on).*$	1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1 true

Following items have been found on the system:

Path	Content
/etc/default/grub	GRUB_DISABLE_RECOVERY="true"

Prevent Login to Accounts With Empty Password

Rule ID xccdf_org.ssgproject.content_rule_no_empty_passwords

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-no_empty_passwords:def:1

Time 2021-03-21T19:59:44+01:00

Severity high

Identifiers and References

Identifiers: CCE-80841-0

References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_AFL.1, Req-8.2.3, SRG-OS-000480-GPOS-00227

Description

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

Rationale

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Remediation Shell script ⇲

sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Strategy:	configure

- name: Prevent Log In to Accounts With Empty Password - system-auth
  replace:
    dest: /etc/pam.d/system-auth
    follow: true
    regexp: nullok
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80841-0
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - PCI-DSS-Req-8.2.3
    - CJIS-5.5.2

- name: Prevent Log In to Accounts With Empty Password - password-auth
  replace:
    dest: /etc/pam.d/password-auth
    follow: true
    regexp: nullok
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80841-0
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - PCI-DSS-Req-8.2.3
    - CJIS-5.5.2

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
        filesystem: root
        mode: 0644
        path: /etc/pam.d/password-auth
      - contents:
          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
        filesystem: root
        mode: 0644
        path: /etc/pam.d/system-auth

OVAL test results details

make sure nullok is not used in /etc/pam.d/system-auth oval:ssg-test_no_empty_passwords:tst:1 false

Following items have been found on the system:

Path	Content
/etc/pam.d/system-auth	auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow

Set Password Minimum Length in login.defs

Rule ID xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_password_minlen_login_defs:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80652-1

References: 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.7, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000078-GPOS-00046

Description

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_LEN 12

The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is 12. If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.

Rationale

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then


declare var_accounts_password_minlen_login_defs
var_accounts_password_minlen_login_defs="12"

grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
  echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_password_minlen_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80652-1
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.5.7
    - CJIS-5.6.2.1
- name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable
  set_fact:
    var_accounts_password_minlen_login_defs: !!str 12
  tags:
    - always

- name: Set Password Minimum Length in login.defs
  lineinfile:
    dest: /etc/login.defs
    regexp: ^PASS_MIN_LEN *[0-9]*
    state: present
    line: PASS_MIN_LEN        {{ var_accounts_password_minlen_login_defs }}
    create: true
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
    - accounts_password_minlen_login_defs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80652-1
    - NIST-800-53-IA-5(f)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.5.7
    - CJIS-5.6.2.1

OVAL test results details

The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs oval:ssg-test_pass_min_len:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_last_pass_min_len_instance_value:var:1	5

Restrict Virtual Console Root Logins

Rule ID	xccdf_org.ssgproject.content_rule_securetty_root_login_console_only
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-securetty_root_login_console_only:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80864-2 References: 5.6, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.1, 3.1.5, CCI-000770, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125
Description	To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in `/etc/securetty`: vc/1 vc/2 vc/3 vc/4
Rationale	Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

OVAL test results details

virtual consoles /etc/securetty oval:ssg-test_virtual_consoles_etc_securetty:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_virtual_consoles_etc_securetty:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/securetty	^vc/[0-9]+$	1

Ensure the Default C Shell Umask is Set Correctly

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_umask_etc_csh_cshrc:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81037-4

References: 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228

Description

To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:

umask 027

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Remediation Shell script ⇲


var_accounts_user_umask="027"

grep -q umask /etc/csh.cshrc && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Set user umask in /etc/csh.cshrc
  replace:
    path: /etc/csh.cshrc
    regexp: umask.*
    replace: umask {{ var_accounts_user_umask }}
  tags:
    - accounts_umask_etc_csh_cshrc
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81037-4
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	23

Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1 false

Following items have been found on the system:

Var ref	Value	Value	Value	Value	Value	Value	Value	Value
oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1	2	2	18	18	2	2	18	18

Ensure the Default Umask is Set Correctly in /etc/profile

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_umask_etc_profile:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81035-8

References: NT28(R35), 5.4.4, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228

Description

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

umask 027

Rationale

Remediation Shell script ⇲


var_accounts_user_umask="027"

grep -q umask /etc/profile && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/profile
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Set user umask in /etc/profile
  replace:
    path: /etc/profile
    regexp: umask.*
    replace: umask {{ var_accounts_user_umask }}
  tags:
    - accounts_umask_etc_profile
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81035-8
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	23

Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_profile:tst:1 false

Following items have been found on the system:

Var ref	Value	Value	Value	Value	Value	Value	Value	Value
oval:ssg-var_etc_profile_umask_as_number:var:1	2	2	18	18	2	2	18	18

Ensure the Default Bash Umask is Set Correctly

Rule ID xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_umask_etc_bashrc:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81036-6

References: 5.4.4, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228

Description

To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:

umask 027

Rationale

Remediation Shell script ⇲


var_accounts_user_umask="027"

grep -q umask /etc/bashrc && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/bashrc
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Set user umask in /etc/bashrc
  replace:
    path: /etc/bashrc
    regexp: umask.*
    replace: umask {{ var_accounts_user_umask }}
  tags:
    - accounts_umask_etc_bashrc
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81036-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)

OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_accounts_user_umask_umask_as_number:var:1	23

Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_bashrc:tst:1 false

Following items have been found on the system:

Var ref	Value	Value	Value	Value	Value	Value	Value	Value
oval:ssg-var_etc_bashrc_umask_as_number:var:1	2	2	18	18	2	2	18	18

Limit the Number of Concurrent Login Sessions Allowed Per User

Rule ID xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-accounts_max_concurrent_login_sessions:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-80955-8

References: 14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, CCI-000054, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, AC-10, CM-6(a), PR.AC-5, SRG-OS-000027-GPOS-00008, SRG-OS-000027-VMM-000080

Description

Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/:

* hard maxlogins 10

Rationale

Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then


var_accounts_max_concurrent_login_sessions="10"

if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
else
	echo "*	hard	maxlogins	$var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - accounts_max_concurrent_login_sessions
    - low_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80955-8
    - NIST-800-53-AC-10
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.2.2
- name: XCCDF Value var_accounts_max_concurrent_login_sessions # promote to variable
  set_fact:
    var_accounts_max_concurrent_login_sessions: !!str 10
  tags:
    - always

- name: Limit the Number of Concurrent Login Sessions Allowed Per User
  lineinfile:
    state: present
    dest: /etc/security/limits.conf
    insertbefore: ^# End of file
    regexp: ^#?\*.*maxlogins
    line: '*           hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions
      }}'
    create: true
  when: '"pam" in ansible_facts.packages'
  tags:
    - accounts_max_concurrent_login_sessions
    - low_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80955-8
    - NIST-800-53-AC-10
    - NIST-800-53-CM-6(a)
    - CJIS-5.5.2.2

OVAL test results details

the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf oval:ssg-test_limitsd_maxlogins:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/security/limits.d	^.*\.conf$	^[\s]\[\s]+(?:(?:hard)\|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$	1

the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf oval:ssg-test_limitsd_maxlogins_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/security/limits.d	^.*\.conf$	^[\s]\[\s]+(?:(?:hard)\|(?:-))[\s]+maxlogins	1

the value maxlogins should be set appropriately in /etc/security/limits.conf oval:ssg-test_maxlogins:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_security_limits_conf_maxlogins:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/limits.conf	^[\s]\[\s]+(?:(?:hard)\|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$	1

Write Audit Logs to the Disk

Rule ID	xccdf_org.ssgproject.content_rule_auditd_write_logs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_write_logs:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82366-6 References: FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227
Description	To configure Audit daemon to write Audit logs to the disk, set `write_logs` to `yes` in `/etc/audit/auditd.conf`. This is the default setting.
Rationale	If `write_logs` isn't set to `yes`, the Audit logs will not be written to the disk.

OVAL test results details

tests the value of write_logs setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_write_logs:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	write_logs = yes

tests the absence of write_logs setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	write_logs =

Configure auditd flush priority

Rule ID	xccdf_org.ssgproject.content_rule_auditd_data_retention_flush
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_data_retention_flush:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80680-2 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001576, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-11, CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000480-GPOS-00227
Description	The `auditd` service can be configured to synchronously write audit event data to disk. Add or correct the following line in `/etc/audit/auditd.conf` to ensure that audit event data is fully synchronized with the log files on the disk: flush = incremental_async
Rationale	Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.

OVAL test results details

test the value of flush parameter in /etc/audit/auditd.conf oval:ssg-test_auditd_data_retention_flush:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	flush = INCREMENTAL_ASYNC

Resolve information before writing to audit logs

Rule ID	xccdf_org.ssgproject.content_rule_auditd_log_format
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_log_format:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82201-5 References: FAU_GEN.1, SRG-OS-000255-GPOS-00096
Description	To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set `log_format` to `ENRICHED` in `/etc/audit/auditd.conf`.
Rationale	If option `log_format` isn't set to `ENRICHED`, the audit records will be stored in a format exactly as the kernel sends them.

OVAL test results details

tests the value of log_format setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_log_format:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	log_format = ENRICHED

Set hostname as computer node name in audit logs

Rule ID xccdf_org.ssgproject.content_rule_auditd_name_format

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-auditd_name_format:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82897-0

References: CCI-001851, FAU_GEN.1, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Description

To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf.

Rationale

If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if [ -e "/etc/audit/auditd.conf" ] ; then
    LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf"
else
    touch "/etc/audit/auditd.conf"
fi
cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
# Insert at the end of the file
printf '%s\n' "name_format = hostname" >> "/etc/audit/auditd.conf"
# Clean up after ourselves.
rm "/etc/audit/auditd.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Set hostname as computer node name in audit logs
  block:

    - name: Deduplicate values from /etc/audit/auditd.conf
      lineinfile:
        path: /etc/audit/auditd.conf
        create: false
        regexp: (?i)^\s*name_format\s*=\s*
        state: absent

    - name: Insert correct line to /etc/audit/auditd.conf
      lineinfile:
        path: /etc/audit/auditd.conf
        create: true
        line: name_format = hostname
        state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - auditd_name_format
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82897-0

OVAL test results details

tests the value of name_format setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_name_format:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	name_format = NONE

Set number of records to cause an explicit flush to audit logs

Rule ID	xccdf_org.ssgproject.content_rule_auditd_freq
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_freq:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82258-5 References: FAU_GEN.1, SRG-OS-000051-GPOS-00024
Description	To configure Audit daemon to issue an explicit flush to disk command after writing 50 records, set `freq` to `50` in `/etc/audit/auditd.conf`.
Rationale	If option `freq` isn't set to `50`, the flush to disk may happen after higher number of records, increasing the danger of audit loss.

OVAL test results details

tests the value of freq setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_freq:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	freq = 50

Include Local Events in Audit Logs

Rule ID	xccdf_org.ssgproject.content_rule_auditd_local_events
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-auditd_local_events:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82233-8 References: FAU_GEN.1.1.c, SRG-OS-000062-GPOS-00031
Description	To configure Audit daemon to include local events in Audit logs, set `local_events` to `yes` in `/etc/audit/auditd.conf`. This is the default setting.
Rationale	If option `local_events` isn't set to `yes` only events from network will be aggregated.

OVAL test results details

tests the value of local_events setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_local_events:tst:1 true

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	local_events = yes

tests the absence of local_events setting in the /etc/audit/auditd.conf file oval:ssg-test_auditd_local_events_default_not_overriden:tst:1 false

Following items have been found on the system:

Path	Content
/etc/audit/auditd.conf	local_events =

Configure auditing of unsuccessful file deletions

Rule ID xccdf_org.ssgproject.content_rule_audit_delete_failed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_delete_failed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82835-0

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SRG-OS-000467-GPOS-00211

Description

Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above:

## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

Rationale

Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
    content: |
      ## Unsuccessful file delete
      -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
      -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
      -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
      -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_delete_failed
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82835-0
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_4_delete_failed_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_4_delete_failed_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules	^.*$	1

Perform general configuration of Audit for OSPP

Rule ID xccdf_org.ssgproject.content_rule_audit_ospp_general

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_ospp_general:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82373-2

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000004-GPOS-00004, SRG-OS-000241-GPOS-00091, SRG-OS-000476-GPOS-00221, SRG-OS-000327-GPOS-00127, SRG-OS-000475-GPOS-00220, SRG-OS-000239-GPOS-00089, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121

Description

Configure some basic Audit parameters specific for OSPP profile. In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. The following rules configure audit as described above:

## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.

## Audit log access
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.

## Audit log access
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42.rules according to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42.rules
    content: |
      ## The purpose of these rules is to meet the requirements for Operating
      ## System Protection Profile (OSPP)v4.2. These rules depends on having
      ## the following rule files copied to /etc/audit/rules.d:
      ##
      ## 10-base-config.rules, 11-loginuid.rules,
      ## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
      ## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
      ## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
      ## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
      ## 30-ospp-v42-5-perm-change-failed.rules,
      ## 30-ospp-v42-5-perm-change-success.rules,
      ## 30-ospp-v42-6-owner-change-failed.rules,
      ## 30-ospp-v42-6-owner-change-success.rules
      ##
      ## original copies may be found in /usr/share/audit/sample-rules/


      ## User add delete modify. This is covered by pam. However, someone could
      ## open a file and directly create or modify a user, so we'll watch passwd and
      ## shadow for writes
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

      ## User enable and disable. This is entirely handled by pam.

      ## Group add delete modify. This is covered by pam. However, someone could
      ## open a file and directly create or modify a user, so we'll watch group and
      ## gshadow for writes
      -a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
      -a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
      -a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


      ## Use of special rights for config changes. This would be use of setuid
      ## programs that relate to user accts. This is not all setuid apps because
      ## requirements are only for ones that affect system configuration.
      -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
      -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

      ## Privilege escalation via su or sudo. This is entirely handled by pam.

      ## Audit log access
      -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
      ## Attempts to Alter Process and Session Initiation Information
      -a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
      -a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
      -a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

      ## Attempts to modify MAC controls
      -a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

      ## Software updates. This is entirely handled by rpm.

      ## System start and shutdown. This is entirely handled by systemd

      ## Kernel Module loading. This is handled in 43-module-load.rules

      ## Application invocation. The requirements list an optional requirement
      ## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
      ## state results from that policy. This would be handled entirely by
      ## that daemon.
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_ospp_general
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82373-2
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20/etc/audit/rules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20/usr/share/audit/sample-rules/%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D/etc/passwd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D/etc/shadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D/etc/group%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D/etc/gshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20changes.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%20to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D/usr/sbin/unix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/sbin/usernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/sbin/userhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/sbin/seunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/mount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/newgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/newuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/gpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/newgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/umount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/passwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/crontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/at%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D/var/log/audit/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D/var/run/utmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D/var/log/btmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D/var/log/wtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D/etc/selinux/%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20intended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20be%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42.rules	^.*$	1

Configure auditing of successful file deletions

Rule ID xccdf_org.ssgproject.content_rule_audit_delete_success

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_delete_success:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82836-8

Description

Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above:

## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
    content: |
      ## Successful file delete
      -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
      -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_delete_success
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82836-8
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Successful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_4_delete_success_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_4_delete_success_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules	^.*$	1

Configure auditing of successful file creations

Rule ID xccdf_org.ssgproject.content_rule_audit_create_success

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_create_success:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82829-3

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205

Description

Ensure that successful attempts to create a file are audited. The following rules configure audit as described above:

## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-1-create-success.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
    content: |
      ## Successful file creation (open with O_CREAT)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
      -a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
      -a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_create_success
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82829-3
    - NIST-800-53-AU-2(a)

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-1-create-success.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_1_create_success_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_1_create_success_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-1-create-success.rules	^.*$	1

Configure auditing of unsuccessful ownership changes

Rule ID xccdf_org.ssgproject.content_rule_audit_owner_change_failed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_owner_change_failed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82384-9

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033

Description

Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above:

## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
    according to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
    content: |
      ## Unsuccessful ownership change
      -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
      -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
      -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
      -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_owner_change_failed
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82384-9
    - NIST-800-53-AU-2(a)

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_6_owner_change_failed_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_6_owner_change_failed_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules	^.*$	1

Configure auditing of successful ownership changes

Rule ID xccdf_org.ssgproject.content_rule_audit_owner_change_success

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_owner_change_success:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82385-6

Description

Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above:

## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/

The file has the following SHA-256 checksum:

7eb41a6aaf6737c2571b6424fae7fa53af4b41a9115b6c5732a5778ccd9900ad

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
    according to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
    content: |
      ## Successful ownership change
      -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
      -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_owner_change_success
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82385-6
    - NIST-800-53-AU-2(a)

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_6_owner_change_success_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_6_owner_change_success_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules	^.*$	1

Configure auditing of successful permission changes

Rule ID xccdf_org.ssgproject.content_rule_audit_perm_change_success

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_perm_change_success:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82383-1

Description

Ensure that successful attempts to modify permissions of iles or directories are audited. The following rules configure audit as described above:

## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
    according to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
    content: |
      ## Successful permission change
      -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
      -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_perm_change_success
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82383-1
    - NIST-800-53-AU-2(a)

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_5_perm_change_success_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_5_perm_change_success_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules	^.*$	1

Configure auditing of unsuccessful file modifications

Rule ID xccdf_org.ssgproject.content_rule_audit_modify_failed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_modify_failed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82830-1

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205

Description

Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above:

## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
    content: |
      ## Unsuccessful file modifications (open for write or truncate)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_modify_failed
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82830-1
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_2_modify_failed_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_2_modify_failed_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules	^.*$	1

Configure auditing of unsuccessful file accesses

Rule ID xccdf_org.ssgproject.content_rule_audit_access_failed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_access_failed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82833-5

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205

Description

Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above:

## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
    content: |
      ## Unsuccessful file access (any other opens) This has to go last.
      -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
      -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
      -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
      -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_access_failed
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82833-5
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_3_access_failed_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_3_access_failed_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-3-access-failed.rules	^.*$	1

Configure auditing of successful file modifications

Rule ID xccdf_org.ssgproject.content_rule_audit_modify_success

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_modify_success:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82832-7

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205

Description

Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above:

## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
    content: |
      ## Successful file modifications (open for write or truncate)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
      -a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
      -a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
      -a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
      -a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_modify_success
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82832-7
    - NIST-800-53-AU-2(a)

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_2_modify_success_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_2_modify_success_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules	^.*$	1

Configure basic parameters of Audit system

Rule ID xccdf_org.ssgproject.content_rule_audit_basic_configuration

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_basic_configuration:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82827-7

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000365-GPOS-00152, SRG-OS-000475-GPOS-00220

Description

Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. The following rules configure audit as described above:

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/10-base-config.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/10-base-config.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/10-base-config.rules according to policy
  copy:
    dest: /etc/audit/rules.d/10-base-config.rules
    content: |
      ## First rule - delete all
      -D

      ## Increase the buffers to survive stress events.
      ## Make this bigger for busy systems
      -b 8192

      ## This determine how long to wait in burst of events
      --backlog_wait_time 60000

      ## Set failure mode to syslog
      -f 1
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_basic_configuration
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82827-7
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20First%20rule%20-%20delete%20all%0A-D%0A%0A%23%23%20Increase%20the%20buffers%20to%20survive%20stress%20events.%0A%23%23%20Make%20this%20bigger%20for%20busy%20systems%0A-b%208192%0A%0A%23%23%20This%20determine%20how%20long%20to%20wait%20in%20burst%20of%20events%0A--backlog_wait_time%2060000%0A%0A%23%23%20Set%20failure%20mode%20to%20syslog%0A-f%201%0A
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/10-base-config.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/10-base-config.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_10_base_config_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_10_base_config_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/10-base-config.rules	^.*$	1

Configure auditing of unsuccessful permission changes

Rule ID xccdf_org.ssgproject.content_rule_audit_perm_change_failed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_perm_change_failed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82837-6

Description

Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above:

## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
    according to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
    content: |
      ## Unsuccessful permission change
      -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
      -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
      -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
      -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_perm_change_failed
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82837-6
    - NIST-800-53-AU-2(a)

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_5_perm_change_failed_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_5_perm_change_failed_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules	^.*$	1

Configure auditing of unsuccessful file creations

Rule ID xccdf_org.ssgproject.content_rule_audit_create_failed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_create_failed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82374-0

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205

Description

Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above:

## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
    content: |
      ## Unsuccessful file creation (open with O_CREAT)
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
      -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_create_failed
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82374-0
    - NIST-800-53-AU-2(a)

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_1_create_failed_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_1_create_failed_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-1-create-failed.rules	^.*$	1

Configure immutable Audit login UIDs

Rule ID xccdf_org.ssgproject.content_rule_audit_immutable_login_uids

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_immutable_login_uids:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82828-5

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220

Description

Configure kernel to prevent modification of login UIDs once they are set. Changing login UUIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above:

## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable

The Audit provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/11-loginuid.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/11-loginuid.rules
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/11-loginuid.rules according to policy
  copy:
    dest: /etc/audit/rules.d/11-loginuid.rules
    content: |
      ## Make the loginuid immutable. This prevents tampering with the auid.
      --loginuid-immutable
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_immutable_login_uids
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82828-5
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Make%20the%20loginuid%20immutable.%20This%20prevents%20tampering%20with%20the%20auid.%0A--loginuid-immutable
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/11-loginuid.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/11-loginuid.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_11_loginuid_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_11_loginuid_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/11-loginuid.rules	^.*$	1

Configure auditing of successful file accesses

Rule ID xccdf_org.ssgproject.content_rule_audit_access_success

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_access_success:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82834-3

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205

Description

Ensure that successful attempts to access a file are audited. The following rules configure audit as described above:

## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Auditing of successful attempts to access a file helps in investigation of activities performed on the system.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-success.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
    content: |
      ## Successful file access (any other opens) This has to go last.
      ## These next two are likely to result in a whole lot of events
      -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
      -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_access_success
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82834-3
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/30-ospp-v42-3-access-success.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_30_ospp_v42_3_access_success_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_30_ospp_v42_3_access_success_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/30-ospp-v42-3-access-success.rules	^.*$	1

Configure auditing of loading and unloading of kernel modules

Rule ID xccdf_org.ssgproject.content_rule_audit_module_load

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-audit_module_load:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82838-4

References: AU-2(a), FAU_GEN.1.1.c, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000475-GPOS-00220

Description

Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above:

## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/43-module-load.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:

cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/

Load new Audit rules into kernel by running:

augenrules --load

Rationale

Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/43-module-load.rules
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
EOF

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put contents into /etc/audit/rules.d/43-module-load.rules according to policy
  copy:
    dest: /etc/audit/rules.d/43-module-load.rules
    content: |
      ## These rules watch for kernel module insertion. By monitoring
      ## the syscall, we do not need any watches on programs.
      -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
      -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
      -a always,exit -F arch=b32 -S delete_module -F key=module-unload
      -a always,exit -F arch=b64 -S delete_module -F key=module-unload
    force: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - audit_module_load
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82838-4
    - NIST-800-53-AU-2(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A
        filesystem: root
        mode: 0600
        path: /etc/audit/rules.d/43-module-load.rules

OVAL test results details

Tests if contents of /etc/audit/rules.d/43-module-load.rules is exactly what is defined in rule description oval:ssg-test_whole_file_contents_etc_audit_rules_d_43_module_load_rules:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_whole_file_contents_etc_audit_rules_d_43_module_load_rules:obj:1 of type textfilecontent54_object

Behaviors	Filepath	Pattern	Instance
no value	/etc/audit/rules.d/43-module-load.rules	^.*$	1

Ensure the audit Subsystem is Installed

Rule ID	xccdf_org.ssgproject.content_rule_package_audit_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_audit_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81043-2 References: NT28(R50), 4.1.1.1, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000122-GPOS-00063
Description	The audit package should be installed.
Rationale	The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.

OVAL test results details

package audit is installed oval:ssg-test_package_audit_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
audit	x86_64	(none)	0.17.20191104git1c2f876.el8	3.0	0:3.0-0.17.20191104git1c2f876.el8	199e2f91fd431d51	audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64

Enable auditd Service

Rule ID	xccdf_org.ssgproject.content_rule_service_auditd_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_auditd_enabled:def:1
Time	2021-03-21T19:59:44+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80872-5 References: 4.1.1.2, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-001464, CCI-001487, CCI-001814, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.1, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000365-GPOS-00152, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190
Description	The `auditd` service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The `auditd` service can be enabled with the following command: $ sudo systemctl enable auditd.service
Rationale	Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the `auditd` service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

OVAL test results details

package audit is installed oval:ssg-test_service_auditd_package_audit_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
audit	x86_64	(none)	0.17.20191104git1c2f876.el8	3.0	0:3.0-0.17.20191104git1c2f876.el8	199e2f91fd431d51	audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64

Test that the auditd service is running oval:ssg-test_service_running_auditd:tst:1 true

Following items have been found on the system:

Unit	Property	Value
auditd.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_auditd:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

systemd test oval:ssg-test_multi_user_wants_auditd_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

Extend Audit Backlog Limit for the Audit Daemon

Rule ID xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-grub2_audit_backlog_limit_argument:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80943-4

References: 4.1.1.4, CM-6(a), SRG-OS-000254-GPOS-00095

Description

To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"

Rationale

audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.

Warnings

warning The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the

grub2-mkconfig -o

command as follows:

On BIOS-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```
On UEFI-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

# Correct grub2 kernelopts value using grub2-editenv
if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?audit_backlog_limit=8192(\s.*)?$'; then
  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	medium
Disruption:	low
Reboot:	true
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - grub2_audit_backlog_limit_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80943-4
    - NIST-800-53-CM-6(a)

- name: get current kernel parameters
  command: /usr/bin/grub2-editenv - list
  register: kernelopts
  changed_when: false
  when:
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_audit_backlog_limit_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80943-4
    - NIST-800-53-CM-6(a)

- name: Update the bootloader menu
  command: /usr/bin/grub2-editenv - set "{{ item }} audit_backlog_limit=8192"
  with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') |
    list }}'
  when:
    - kernelopts.stdout_lines is defined
    - kernelopts.stdout_lines | length > 0
    - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$',
      multiline=True) is none
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_audit_backlog_limit_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80943-4
    - NIST-800-53-CM-6(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  kernelArguments:
    - audit_backlog_limit=8192

OVAL test results details

check forkernel command line parameters audit_backlog_limit=8192 in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1 false

Following items have been found on the system:

Path	Content
/boot/grub2/grubenv	kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Rule ID xccdf_org.ssgproject.content_rule_grub2_audit_argument

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-grub2_audit_argument:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80825-3

References: 4.1.1.3, 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.3, SRG-OS-000254-GPOS-00095, SRG-OS-000254-VMM-000880

Description

To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /boot/grub2/grubenv, in the manner below:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"

Rationale

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Warnings

grub2-mkconfig -o

command as follows:

On BIOS-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```
On UEFI-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

# Correct grub2 kernelopts value using grub2-editenv
if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?audit=1(\s.*)?$'; then
  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	medium
Disruption:	low
Reboot:	true
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - grub2_audit_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80825-3
    - NIST-800-53-AC-17(1)
    - NIST-800-53-AU-14(1)
    - NIST-800-53-AU-10
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IR-5(1)
    - NIST-800-171-3.3.1
    - PCI-DSS-Req-10.3
    - CJIS-5.4.1.1

- name: get current kernel parameters
  command: /usr/bin/grub2-editenv - list
  register: kernelopts
  changed_when: false
  when:
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_audit_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80825-3
    - NIST-800-53-AC-17(1)
    - NIST-800-53-AU-14(1)
    - NIST-800-53-AU-10
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IR-5(1)
    - NIST-800-171-3.3.1
    - PCI-DSS-Req-10.3
    - CJIS-5.4.1.1

- name: Update the bootloader menu
  command: /usr/bin/grub2-editenv - set "{{ item }} audit=1"
  with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') |
    list }}'
  when:
    - kernelopts.stdout_lines is defined
    - kernelopts.stdout_lines | length > 0
    - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit=1(?:\s.*)?$', multiline=True)
      is none
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_audit_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80825-3
    - NIST-800-53-AC-17(1)
    - NIST-800-53-AU-14(1)
    - NIST-800-53-AU-10
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IR-5(1)
    - NIST-800-171-3.3.1
    - PCI-DSS-Req-10.3
    - CJIS-5.4.1.1

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  kernelArguments:
    - audit=1

OVAL test results details

check forkernel command line parameters audit=1 in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_audit_argument_grub_env:tst:1 false

Following items have been found on the system:

Path	Content
/boot/grub2/grubenv	kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

Install dnf-automatic Package

Rule ID xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_dnf-automatic_installed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82985-3

References: SRG-OS-000191-GPOS-00080

Description

The dnf-automatic package can be installed with the following command:

$ sudo yum install dnf-automatic

Rationale

dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "dnf-automatic" ; then
    yum install -y "dnf-automatic"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure dnf-automatic is installed
  package:
    name: dnf-automatic
    state: present
  tags:
    - package_dnf-automatic_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82985-3

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_dnf-automatic

class install_dnf-automatic {
  package { 'dnf-automatic':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=dnf-automatic

OVAL test results details

package dnf-automatic is installed oval:ssg-test_package_dnf-automatic_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_dnf-automatic_installed:obj:1 of type rpminfo_object

Name
dnf-automatic

Ensure gpgcheck Enabled In Main yum Configuration

Rule ID	xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_gpgcheck_globally_activated:def:1
Time	2021-03-21T19:59:44+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80790-9 References: NT28(R15), 1.2.4, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FAU_GEN.1.1.c, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Description	The `gpgcheck` option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in `/etc/yum.conf` in the `[main]` section: gpgcheck=1
Rationale	Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

OVAL test results details

check value of gpgcheck in /etc/yum.conf oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1 true

Following items have been found on the system:

Path	Content
/etc/yum.conf	gpgcheck=1

Ensure Red Hat GPG Key Installed

Rule ID	xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ensure_redhat_gpgkey_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80795-8 References: NT28(R15), 1.2.3, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FAU_GEN.1.1.c, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650
Description	To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: $ sudo subscription-manager register If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in `/media/cdrom`, use the following command as the root user to import it into the keyring: $ sudo rpm --import /media/cdrom/RPM-GPG-KEY Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Rationale	Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

OVAL test results details

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-coreos is version 8 oval:ssg-test_rhel8_coreos:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel8_coreos:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.[\d\.\-]+ $[\w\s]+$"$	1

redhat-release-coreos is version 8 oval:ssg-test_rhel8_coreos:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel8_coreos:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.[\d\.\-]+ $[\w\s]+$"$	1

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-coreos is version 8 oval:ssg-test_rhel8_coreos:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel8_coreos:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.[\d\.\-]+ $[\w\s]+$"$	1

redhat-release-coreos is version 8 oval:ssg-test_rhel8_coreos:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel8_coreos:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.[\d\.\-]+ $[\w\s]+$"$	1

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

Red Hat release key package is installed oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Extended name
gpg-pubkey	(none)	(none)	56c6038f	038651bd	0:038651bd-56c6038f	gpg-pubkey-0:038651bd-56c6038f.(none)
gpg-pubkey	(none)	(none)	5d36ccdc	8e6c9578	0:8e6c9578-5d36ccdc	gpg-pubkey-0:8e6c9578-5d36ccdc.(none)
gpg-pubkey	(none)	(none)	5cf7cefb	2f86d6a1	0:2f86d6a1-5cf7cefb	gpg-pubkey-0:2f86d6a1-5cf7cefb.(none)
gpg-pubkey	(none)	(none)	5b32db75	d4082792	0:d4082792-5b32db75	gpg-pubkey-0:d4082792-5b32db75.(none)
gpg-pubkey	(none)	(none)	52d46e88	d59097ab	0:d59097ab-52d46e88	gpg-pubkey-0:d59097ab-52d46e88.(none)
gpg-pubkey	(none)	(none)	59d6ac66	bf6a7041	0:bf6a7041-59d6ac66	gpg-pubkey-0:bf6a7041-59d6ac66.(none)
gpg-pubkey	(none)	(none)	4ae0493b	fd431d51	0:fd431d51-4ae0493b	gpg-pubkey-0:fd431d51-4ae0493b.(none)

Red Hat auxiliary key package is installed oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Extended name
gpg-pubkey	(none)	(none)	56c6038f	038651bd	0:038651bd-56c6038f	gpg-pubkey-0:038651bd-56c6038f.(none)
gpg-pubkey	(none)	(none)	5d36ccdc	8e6c9578	0:8e6c9578-5d36ccdc	gpg-pubkey-0:8e6c9578-5d36ccdc.(none)
gpg-pubkey	(none)	(none)	5cf7cefb	2f86d6a1	0:2f86d6a1-5cf7cefb	gpg-pubkey-0:2f86d6a1-5cf7cefb.(none)
gpg-pubkey	(none)	(none)	5b32db75	d4082792	0:d4082792-5b32db75	gpg-pubkey-0:d4082792-5b32db75.(none)
gpg-pubkey	(none)	(none)	52d46e88	d59097ab	0:d59097ab-52d46e88	gpg-pubkey-0:d59097ab-52d46e88.(none)
gpg-pubkey	(none)	(none)	59d6ac66	bf6a7041	0:bf6a7041-59d6ac66	gpg-pubkey-0:bf6a7041-59d6ac66.(none)
gpg-pubkey	(none)	(none)	4ae0493b	fd431d51	0:fd431d51-4ae0493b	gpg-pubkey-0:fd431d51-4ae0493b.(none)

Ensure gpgcheck Enabled for Local Packages

Rule ID xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-ensure_gpgcheck_local_packages:def:1

Time 2021-03-21T19:59:44+01:00

Severity high

Identifiers and References

Identifiers: CCE-80791-7

References: NT28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FAU_GEN.1.1.c, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650

Description

yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.

Rationale

Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q yum; then

# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/yum.conf' '^localpkg_gpgcheck' '1' 'CCE-80791-7'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - ensure_gpgcheck_local_packages
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80791-7
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-171-3.4.8

- name: Check existence of yum on Fedora
  stat:
    path: /etc/yum.conf
  register: yum_config_file
  check_mode: false
  when:
    - ansible_distribution == "Fedora"
    - '"yum" in ansible_facts.packages'
  tags:
    - ensure_gpgcheck_local_packages
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80791-7
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-171-3.4.8

- name: Ensure GPG check Enabled for Local Packages (Yum)
  ini_file:
    dest: /etc/yum.conf
    section: main
    option: localpkg_gpgcheck
    value: 1
    create: true
  when:
    - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution
      == "Scientific" or yum_config_file.stat.exists)
    - '"yum" in ansible_facts.packages'
  tags:
    - ensure_gpgcheck_local_packages
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80791-7
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-171-3.4.8

- name: Ensure GPG check Enabled for Local Packages (DNF)
  ini_file:
    dest: /etc/dnf/dnf.conf
    section: main
    option: localpkg_gpgcheck
    value: 1
    create: true
  when:
    - ansible_distribution == "Fedora"
    - '"yum" in ansible_facts.packages'
  tags:
    - ensure_gpgcheck_local_packages
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80791-7
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-171-3.4.8

OVAL test results details

check value of localpkg_gpgcheck in /etc/yum.conf oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_yum_ensure_gpgcheck_local_packages:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/yum.conf	^\slocalpkg_gpgcheck\s=\s(1\|True\|yes)\s$	1

Ensure gpgcheck Enabled for All yum Package Repositories

Rule ID xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-ensure_gpgcheck_never_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity high

Identifiers and References

Identifiers: CCE-80792-5

References: NT28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FAU_GEN.1.1.c, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650

Description

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Rationale

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."

Remediation Shell script ⇲

sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Strategy:	enable

- name: Grep for yum repo section names
  shell: grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
  register: repo_grep_results
  ignore_errors: true
  changed_when: false
  tags:
    - ensure_gpgcheck_never_disabled
    - high_severity
    - enable_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80792-5
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

- name: Set gpgcheck=1 for each yum repo
  ini_file:
    path: '{{ item[0] }}'
    section: '{{ item[1] }}'
    option: gpgcheck
    value: '1'
    no_extra_spaces: true
  loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' )
    }}'
  tags:
    - ensure_gpgcheck_never_disabled
    - high_severity
    - enable_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-80792-5
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

OVAL test results details

check for existence of gpgcheck=0 in /etc/yum.repos.d/ files oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1 false

Following items have been found on the system:

Path	Content
/etc/yum.repos.d/slack.repo	gpgcheck=0
/etc/yum.repos.d/cajita.repo_old	gpgcheck=0

Configure dnf-automatic to Install Available Updates Automatically

Rule ID xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-dnf-automatic_apply_updates:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82494-6

References: SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080

Description

To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.

Rationale

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.

Remediation Shell script ⇲


CONF="/etc/dnf/automatic.conf"
APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*apply_updates"
COMMANDS_REGEX="[[:space:]]*\[commands]"

# Try find [commands] and apply_updates in automatic.conf, if it exists, set
# to yes, if it isn't here, add it, if [commands] doesn't exist, add it there
if grep -qzosP $APPLY_UPDATES_REGEX $CONF; then
    sed -i "s/apply_updates[^(\n)]*/apply_updates = yes/" $CONF
elif grep -qs $COMMANDS_REGEX $CONF; then
    sed -i "/$COMMANDS_REGEX/a apply_updates = yes" $CONF
else
    mkdir -p /etc/dnf
    echo -e "[commands]\napply_updates = yes" >> $CONF
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium

- name: Configure dnf-automatic to Install Available Updates Automatically
  ini_file:
    dest: /etc/dnf/automatic.conf
    section: commands
    option: apply_updates
    value: 'yes'
    create: true
  tags:
    - dnf-automatic_apply_updates
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-82494-6
    - NIST-800-53-SI-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(c)

OVAL test results details

tests the value of apply_updates setting in the /etc/dnf/automatic.conf file oval:ssg-test_dnf-automatic_apply_updates:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_dnf-automatic_apply_updates:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/dnf/automatic.conf	^\s\[commands\].(?:\n\s[^[\s].)\n^\sapply_updates[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_dnf-automatic_apply_updates_config_file:obj:1 of type file_object

Filepath
^/etc/dnf/automatic.conf

Enable dnf-automatic Timer

Rule ID xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-timer_dnf-automatic_enabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82360-9

References: SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080

Description

The dnf-automatic timer can be enabled with the following command:

$ sudo systemctl enable dnf-automatic.timer

Rationale

The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by dnf-automatic.timer SystemD timer.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer'
"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer'

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Enable timer dnf-automatic
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable timer dnf-automatic
      systemd:
        name: dnf-automatic.timer
        enabled: 'yes'
        state: started
      when:
        - '"dnf-automatic" in ansible_facts.packages'
  tags:
    - timer_dnf-automatic_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82360-9
    - NIST-800-53-SI-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(c)

OVAL test results details

package dnf-automatic is installed oval:ssg-test_package_dnf-automatic_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_dnf-automatic_installed:obj:1 of type rpminfo_object

Name
dnf-automatic

Test that the dnf-automatic timer is running oval:ssg-test_timer_running_dnf-automatic:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_timer_running_dnf-automatic:obj:1 of type systemdunitproperty_object

Unit	Property
dnf-automatic\.timer	ActiveState

systemd test oval:ssg-test_multi_user_wants_dnf-automatic:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

Configure dnf-automatic to Install Only Security Updates

Rule ID xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-dnf-automatic_security_updates_only:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-82267-6

References: SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080

Description

To configure dnf-automatic to install only security updates automatically, set upgrade_type to security under [commands] section in /etc/dnf/automatic.conf.

Rationale

By default, dnf-automatic installs all available updates. Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability.

Remediation Shell script ⇲


CONF="/etc/dnf/automatic.conf"
APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*upgrade_type"
COMMANDS_REGEX="[[:space:]]*\[commands]"

# Try find [commands] and upgrade_type in automatic.conf, if it exists, set
# it to security, if it isn't here, add it, if [commands] doesn't exist,
# add it there
if grep -qzosP $APPLY_UPDATES_REGEX $CONF; then
    sed -i "s/upgrade_type[^(\n)]*/upgrade_type = security/" $CONF
elif grep -qs $COMMANDS_REGEX $CONF; then
    sed -i "/$COMMANDS_REGEX/a upgrade_type = security" $CONF
else
    mkdir -p /etc/dnf
    echo -e "[commands]\nupgrade_type = security" >> $CONF
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium

- name: Configure dnf-automatic to Install Only Security Updates
  ini_file:
    dest: /etc/dnf/automatic.conf
    section: commands
    option: upgrade_type
    value: security
    create: true
  tags:
    - dnf-automatic_security_updates_only
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - no_reboot_needed
    - CCE-82267-6
    - NIST-800-53-SI-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(c)

OVAL test results details

tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file oval:ssg-test_dnf-automatic_security_updates_only:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_dnf-automatic_security_updates_only:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/dnf/automatic.conf	^\s\[commands\].(?:\n\s[^[\s].)\n^\supgrade_type[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_dnf-automatic_security_updates_only_config_file:obj:1 of type file_object

Filepath
^/etc/dnf/automatic.conf

Ensure /var Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_var

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-partition_for_var:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-80852-7

References: NT28(R12), 1.1.6, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220

Description

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var

OVAL test results details

/var on own partition oval:ssg-test_var_partition:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_mount_var_own_partition:obj:1 of type partition_object

Mount point
/var

Ensure /home Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_home

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-partition_for_home:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-81044-0

References: NT28(R12), 1.1.13, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227

Description

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /home

OVAL test results details

/home on own partition oval:ssg-test_home_partition:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_mount_home_own_partition:obj:1 of type partition_object

Mount point
/home

Ensure /var/log/audit Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_var_log_audit

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-partition_for_var_log_audit:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-80854-3

References: 1.1.12, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220

Description

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/log/audit

OVAL test results details

/var/log/audit on own partition oval:ssg-test_var_log_audit_partition:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_mount_var_log_audit_own_partition:obj:1 of type partition_object

Mount point
/var/log/audit

Ensure /var/log Located On Separate Partition

Rule ID xccdf_org.ssgproject.content_rule_partition_for_var_log

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-partition_for_var_log:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80853-5

References: NT28(R12), NT28(R47), 1.1.11, 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/log

OVAL test results details

/var/log on own partition oval:ssg-test_var_log_partition:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_mount_var_log_own_partition:obj:1 of type partition_object

Mount point
/var/log

Install dnf-plugin-subscription-manager Package

Rule ID	xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_dnf-plugin-subscription-manager_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82315-3 References: FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153
Description	The `dnf-plugin-subscription-manager` package can be installed with the following command: $ sudo yum install dnf-plugin-subscription-manager
Rationale	This package provides plugins to interact with repositories and subscriptions from the Red Hat entitlement platform; contains subscription-manager and product-id plugins.

OVAL test results details

package dnf-plugin-subscription-manager is installed oval:ssg-test_package_dnf-plugin-subscription-manager_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
dnf-plugin-subscription-manager	x86_64	(none)	1.el8_3	1.27.18	0:1.27.18-1.el8_3	199e2f91fd431d51	dnf-plugin-subscription-manager-0:1.27.18-1.el8_3.x86_64

Install openscap-scanner Package

Rule ID	xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_openscap-scanner_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82220-5 References: SRG-OS-000480-GPOS-00227, SRG-OS-000191-GPOS-00080
Description	The `openscap-scanner` package can be installed with the following command: $ sudo yum install openscap-scanner
Rationale	`openscap-scanner` contains the `oscap` command line tool. This tool is a configuration and vulnerability scanner, capable of performing compliance checking using SCAP content.

OVAL test results details

package openscap-scanner is installed oval:ssg-test_package_openscap-scanner_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openscap-scanner	x86_64	(none)	6.el8_3	1.3.3	0:1.3.3-6.el8_3	199e2f91fd431d51	openscap-scanner-0:1.3.3-6.el8_3.x86_64

Install rng-tools Package

Rule ID	xccdf_org.ssgproject.content_rule_package_rng-tools_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_rng-tools_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82968-9 References: SRG-OS-000480-GPOS-00227
Description	The `rng-tools` package can be installed with the following command: $ sudo yum install rng-tools
Rationale	`rng-tools` provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.

OVAL test results details

package rng-tools is installed oval:ssg-test_package_rng-tools_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
rng-tools	x86_64	(none)	3.el8	6.8	0:6.8-3.el8	199e2f91fd431d51	rng-tools-0:6.8-3.el8.x86_64

Install scap-security-guide Package

Rule ID	xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_scap-security-guide_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82949-9 References: SRG-OS-000480-GPOS-00227
Description	The `scap-security-guide` package can be installed with the following command: $ sudo yum install scap-security-guide
Rationale	The `scap-security-guide` package provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The SCAP Security Guide project bridges the gap between generalized policy requirements and specific implementation guidelines. A system administrator can use the `oscap` CLI tool from the `openscap-scanner` package, or the SCAP Workbench GUI tool from the `scap-workbench` package, to verify that the system conforms to provided guidelines. Refer to the scap-security-guide(8) manual page for futher information.

OVAL test results details

package scap-security-guide is installed oval:ssg-test_package_scap-security-guide_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
scap-security-guide	noarch	(none)	16.el8_3	0.1.50	0:0.1.50-16.el8_3	199e2f91fd431d51	scap-security-guide-0:0.1.50-16.el8_3.noarch

Install subscription-manager Package

Rule ID	xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_subscription-manager_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82316-1 References: FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153
Description	The `subscription-manager` package can be installed with the following command: $ sudo yum install subscription-manager
Rationale	Red Hat Subscription Manager is a local service which tracks installed products and subscriptions on a local system to help manage subscription assignments. It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as yum.

OVAL test results details

package subscription-manager is installed oval:ssg-test_package_subscription-manager_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
subscription-manager	x86_64	(none)	1.el8_3	1.27.18	0:1.27.18-1.el8_3	199e2f91fd431d51	subscription-manager-0:1.27.18-1.el8_3.x86_64

Uninstall abrt-addon-ccpp Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-addon-ccpp_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82919-2 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-addon-ccpp` package can be removed with the following command: $ sudo yum erase abrt-addon-ccpp
Rationale	`abrt-addon-ccpp` contains hooks for C/C++ crashed programs and `abrt`'s C/C++ analyzer plugin.

OVAL test results details

package abrt-addon-ccpp is removed oval:ssg-test_package_abrt-addon-ccpp_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-addon-ccpp_removed:obj:1 of type rpminfo_object

Name
abrt-addon-ccpp

Uninstall abrt-addon-kerneloops Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-addon-kerneloops_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82926-7 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-addon-kerneloops` package can be removed with the following command: $ sudo yum erase abrt-addon-kerneloops
Rationale	`abrt-addon-kerneloops` contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org.

OVAL test results details

package abrt-addon-kerneloops is removed oval:ssg-test_package_abrt-addon-kerneloops_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-addon-kerneloops_removed:obj:1 of type rpminfo_object

Name
abrt-addon-kerneloops

Uninstall abrt-addon-python Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-addon-python_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82923-4 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-addon-python` package can be removed with the following command: $ sudo yum erase abrt-addon-python
Rationale	`abrt-addon-python` contains python hook and python analyzer plugin for handling uncaught exceptions in python programs.

OVAL test results details

package abrt-addon-python is removed oval:ssg-test_package_abrt-addon-python_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-addon-python_removed:obj:1 of type rpminfo_object

Name
abrt-addon-python

Uninstall abrt-cli Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-cli_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-cli_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82907-7 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-cli` package can be removed with the following command: $ sudo yum erase abrt-cli
Rationale	`abrt-cli` contains a command line client for controlling abrt daemon over sockets.

OVAL test results details

package abrt-cli is removed oval:ssg-test_package_abrt-cli_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-cli_removed:obj:1 of type rpminfo_object

Name
abrt-cli

Uninstall abrt-plugin-logger Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-plugin-logger_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82913-5 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-plugin-logger` package can be removed with the following command: $ sudo yum erase abrt-plugin-logger
Rationale	`abrt-plugin-logger` is an ABRT plugin which writes a report to a specified file.

OVAL test results details

package abrt-plugin-logger is removed oval:ssg-test_package_abrt-plugin-logger_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-plugin-logger_removed:obj:1 of type rpminfo_object

Name
abrt-plugin-logger

Uninstall abrt-plugin-rhtsupport Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-plugin-rhtsupport_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82916-8 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-plugin-rhtsupport` package can be removed with the following command: $ sudo yum erase abrt-plugin-rhtsupport
Rationale	`abrt-plugin-rhtsupport` is a ABRT plugin to report bugs into the Red Hat Support system.

OVAL test results details

package abrt-plugin-rhtsupport is removed oval:ssg-test_package_abrt-plugin-rhtsupport_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-plugin-rhtsupport_removed:obj:1 of type rpminfo_object

Name
abrt-plugin-rhtsupport

Uninstall abrt-plugin-sosreport Package

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt-plugin-sosreport_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82910-1 References: SRG-OS-000095-GPOS-00049
Description	The `abrt-plugin-sosreport` package can be removed with the following command: $ sudo yum erase abrt-plugin-sosreport
Rationale	`abrt-plugin-sosreport` provides a plugin to include an sosreport in an ABRT report.

OVAL test results details

package abrt-plugin-sosreport is removed oval:ssg-test_package_abrt-plugin-sosreport_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt-plugin-sosreport_removed:obj:1 of type rpminfo_object

Name
abrt-plugin-sosreport

Uninstall gssproxy Package

Rule ID	xccdf_org.ssgproject.content_rule_package_gssproxy_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_gssproxy_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82943-2 References: SRG-OS-000095-GPOS-00049
Description	The `gssproxy` package can be removed with the following command: $ sudo yum erase gssproxy
Rationale	`gssproxy` is a proxy for GSS API credential handling.

OVAL test results details

package gssproxy is removed oval:ssg-test_package_gssproxy_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type rpminfo_object

Name
gssproxy

Uninstall iprutils Package

Rule ID xccdf_org.ssgproject.content_rule_package_iprutils_removed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_iprutils_removed:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-82946-5

References: SRG-OS-000095-GPOS-00049

Description

The iprutils package can be removed with the following command:

$ sudo yum erase iprutils

Rationale

iprutils provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	disable


# CAUTION: This remediation script will remove iprutils
#	   from the system, and may remove any packages
#	   that depend on iprutils. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

if rpm -q --quiet "iprutils" ; then
    yum remove -y "iprutils"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

- name: Ensure iprutils is removed
  package:
    name: iprutils
    state: absent
  tags:
    - package_iprutils_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82946-5

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

include remove_iprutils

class remove_iprutils {
  package { 'iprutils':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable


package --remove=iprutils

OVAL test results details

package iprutils is removed oval:ssg-test_package_iprutils_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
iprutils	x86_64	(none)	1.el8	2.4.19	0:2.4.19-1.el8	199e2f91fd431d51	iprutils-0:2.4.19-1.el8.x86_64

Uninstall krb5-workstation Package

Rule ID	xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_krb5-workstation_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82931-7 References: SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061
Description	The `krb5-workstation` package can be removed with the following command: $ sudo yum erase krb5-workstation
Rationale	Kerberos is a network authentication system. The `krb5-workstation` package contains the basic Kerberos programs (`kinit`, `klist`, `kdestroy`, `kpasswd`). Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks, nor is it permitted in many regulatory environments such as HIPAA.

OVAL test results details

package krb5-workstation is removed oval:ssg-test_package_krb5-workstation_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_krb5-workstation_removed:obj:1 of type rpminfo_object

Name
krb5-workstation

Uninstall pigz Package

Rule ID xccdf_org.ssgproject.content_rule_package_pigz_removed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_pigz_removed:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-82397-1

References: SRG-OS-000433-GPOS-00192

Description

The pigz package can be removed with the following command:

$ sudo yum erase pigz

Rationale

Binaries shipped in pigz package in Red Hat Enterprise Linux 8 have not been compiled using recommended compiler flags. The binaries are compiled without sufficient stack protection and its address space layout randomization (ASLR) is weak.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	disable


# CAUTION: This remediation script will remove pigz
#	   from the system, and may remove any packages
#	   that depend on pigz. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

if rpm -q --quiet "pigz" ; then
    yum remove -y "pigz"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

- name: Ensure pigz is removed
  package:
    name: pigz
    state: absent
  tags:
    - package_pigz_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82397-1

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

include remove_pigz

class remove_pigz {
  package { 'pigz':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable


package --remove=pigz

OVAL test results details

package pigz is removed oval:ssg-test_package_pigz_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
pigz	x86_64	(none)	4.el8	2.4	0:2.4-4.el8	199e2f91fd431d51	pigz-0:2.4-4.el8.x86_64

Uninstall tuned Package

Rule ID xccdf_org.ssgproject.content_rule_package_tuned_removed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_tuned_removed:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-82904-4

References: SRG-OS-000095-GPOS-00049

Description

The tuned package can be removed with the following command:

$ sudo yum erase tuned

Rationale

tuned contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	disable


# CAUTION: This remediation script will remove tuned
#	   from the system, and may remove any packages
#	   that depend on tuned. Execute this
#	   remediation AFTER testing on a non-production
#	   system!

if rpm -q --quiet "tuned" ; then
    yum remove -y "tuned"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

- name: Ensure tuned is removed
  package:
    name: tuned
    state: absent
  tags:
    - package_tuned_removed
    - low_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82904-4

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

include remove_tuned

class remove_tuned {
  package { 'tuned':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable


package --remove=tuned

OVAL test results details

package tuned is removed oval:ssg-test_package_tuned_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
tuned	noarch	(none)	3.el8_3.2	2.14.0	0:2.14.0-3.el8_3.2	199e2f91fd431d51	tuned-0:2.14.0-3.el8_3.2.noarch

Install sudo Package

Rule ID	xccdf_org.ssgproject.content_rule_package_sudo_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_sudo_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82214-8 References: 1.3.1, CM-6(a), SRG-OS-000324-GPOS-00125
Description	The `sudo` package can be installed with the following command: $ sudo yum install sudo
Rationale	`sudo` is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

OVAL test results details

package sudo is installed oval:ssg-test_package_sudo_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
sudo	x86_64	(none)	6.el8_3.1	1.8.29	0:1.8.29-6.el8_3.1	199e2f91fd431d51	sudo-0:1.8.29-6.el8_3.1.x86_64

Install AIDE

Rule ID xccdf_org.ssgproject.content_rule_package_aide_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_aide_installed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80844-4

References: NT28(R51), 1.4.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150

Description

The aide package can be installed with the following command:

$ sudo yum install aide

Rationale

The AIDE package must be installed if it is to be available for integrity checking.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    yum install -y "aide"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure aide is installed
  package:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - package_aide_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80844-4
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=aide

OVAL test results details

package aide is installed oval:ssg-test_package_aide_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object

Name
aide

Enable Dracut FIPS Module

Rule ID	xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-enable_dracut_fips_module:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82155-3 References: CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590
Description	To enable FIPS mode, run the following command: fips-mode-setup --enable To enable FIPS, the system requires that the `fips` module is added in `dracut` configuration. Check if `/etc/dracut.conf.d/40-fips.conf` contain `add_dracutmodules+=" fips "`
Rationale	Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Warnings	warning The system needs to be rebooted for these changes to take effect. warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

OVAL test results details

add_dracutmodules contains fips oval:ssg-test_enable_dracut_fips_module:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_enable_dracut_fips_module:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/dracut.conf.d/40-fips.conf	^\sadd_dracutmodules\+="\s(\w)\s"\s(?:#.)?$	1

Enable FIPS Mode

Rule ID xccdf_org.ssgproject.content_rule_enable_fips_mode

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-enable_fips_mode:def:1

Time 2021-03-21T19:59:44+01:00

Severity high

Identifiers and References

Identifiers: CCE-80942-6

References: CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590

Description

To enable FIPS mode, run the following command:

fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:

Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
Creating /etc/system-fips
Setting the system crypto policy in /etc/crypto-policies/config to FIPS
Loading the Dracut fips module

Furthermore, the system running in FIPS mode should be FIPS certified by NIST.

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Warnings

warning The system needs to be rebooted for these changes to take effect.

warning System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

fips-mode-setup --enable

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	medium
Disruption:	medium
Reboot:	true
Strategy:	restrict

- name: enable fips mode
  command: /usr/bin/fips-mode-setup --enable
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - enable_fips_mode
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - reboot_required
    - CCE-80942-6
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-IA-7
    - NIST-800-53-SC-13
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12

OVAL test results details

/etc/system-fips exists oval:ssg-test_etc_system_fips:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_etc_system_fips:obj:1 of type file_object

Filepath
/etc/system-fips

kernel runtime parameter crypto.fips_enabled set to 1 oval:ssg-test_sysctl_crypto_fips_enabled:tst:1 false

Following items have been found on the system:

Name	Value
crypto.fips_enabled	0

add_dracutmodules contains fips oval:ssg-test_enable_dracut_fips_module:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_enable_dracut_fips_module:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/dracut.conf.d/40-fips.conf	^\sadd_dracutmodules\+="\s(\w)\s"\s(?:#.)?$	1

check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 false

Following items have been found on the system:

Path	Content
/etc/crypto-policies/config	DEFAULT

check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 false

Following items have been found on the system:

Path	Content
/etc/crypto-policies/state/current	DEFAULT

Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_crypto_policies_config_file_age:var:1	8997462

Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/crypto-policies/back-ends/nss.config	regular	0	0	429	`rw-r--r--`

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release-client is version 6 oval:ssg-test_rhel_client:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-client is version 6 oval:ssg-test_rhel_client:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-workstation is version 6 oval:ssg-test_rhel_workstation:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-workstation is version 6 oval:ssg-test_rhel_workstation:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-server is version 6 oval:ssg-test_rhel_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-server is version 6 oval:ssg-test_rhel_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-computenode is version 6 oval:ssg-test_rhel_computenode:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-computenode is version 6 oval:ssg-test_rhel_computenode:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release-client is version 6 oval:ssg-test_rhel_client:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-client is version 6 oval:ssg-test_rhel_client:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-workstation is version 6 oval:ssg-test_rhel_workstation:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-workstation is version 6 oval:ssg-test_rhel_workstation:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-server is version 6 oval:ssg-test_rhel_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-server is version 6 oval:ssg-test_rhel_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-computenode is version 6 oval:ssg-test_rhel_computenode:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-computenode is version 6 oval:ssg-test_rhel_computenode:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object

Name
redhat-release-client

redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object

Name
redhat-release-workstation

redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object

Name
redhat-release-server

redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object

Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-coreos is version 8 oval:ssg-test_rhel8_coreos:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel8_coreos:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.[\d\.\-]+ $[\w\s]+$"$	1

redhat-release-coreos is version 8 oval:ssg-test_rhel8_coreos:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel8_coreos:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.[\d\.\-]+ $[\w\s]+$"$	1

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
redhat-release	x86_64	(none)	1.0.el8	8.3	0:8.3-1.0.el8	199e2f91fd431d51	redhat-release-0:8.3-1.0.el8.x86_64

redhat-release-coreos is version 8 oval:ssg-test_rhel8_coreos:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel8_coreos:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.[\d\.\-]+ $[\w\s]+$"$	1

redhat-release-coreos is version 8 oval:ssg-test_rhel8_coreos:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhel8_coreos:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/os-release	^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.[\d\.\-]+ $[\w\s]+$"$	1

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object

Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/redhat-release	^Red Hat Enterprise Linux release (\d)\.\d+$	1

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true

Following items have been found on the system:

Family
unix

oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object

Name
oraclelinux-release

tests if var_system_crypto_policy is set to FIPS oval:ssg-test_system_crypto_policy_value:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_system_crypto_policy:var:1	FIPS:OSPP

Install crypto-policies package

Rule ID	xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_crypto-policies_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82723-8 References: FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Description	The `crypto-policies` package can be installed with the following command: $ sudo yum install crypto-policies
Rationale	Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

OVAL test results details

package crypto-policies is installed oval:ssg-test_package_crypto-policies_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
crypto-policies	noarch	(none)	1.git51d1222.el8	20200713	0:20200713-1.git51d1222.el8	199e2f91fd431d51	crypto-policies-0:20200713-1.git51d1222.el8.noarch

OpenSSL uses strong entropy source

Rule ID xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-openssl_use_strong_entropy:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82721-2

References: FIA_AFL.1, SRG-OS-000480-GPOS-00227

Description

By default, OpenSSL doesn't always use a SP800-90A compliant random number generator. A way to configure OpenSSL to always use a strong source is to setup a wrapper that defines a shell function that shadows the actual openssl binary, and that ensures that the -rand /dev/random option is added to every openssl invocation. To do so, place the following shell snippet exactly as-is to /etc/profile.d/openssl-rand.sh:

# provide a default -rand /dev/random option to openssl commands that
# support it

# written inefficiently for maximum shell compatibility
openssl()
(
  openssl_bin=/usr/bin/openssl

  case "$*" in
    # if user specified -rand, honor it
    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
  esac

  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
  for i in `$openssl_bin list -commands`; do
    if $openssl_bin list -options "$i" | grep -q '^rand '; then
      cmds=" $i $cmds"
    fi
  done

  case "$cmds" in
    *\ "$1"\ *)
      cmd="$1"; shift
      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
  esac

  exec $openssl_bin "$@"
)

Rationale

This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior.

Warnings

warning This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available.

Remediation Shell script ⇲


cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
# provide a default -rand /dev/random option to openssl commands that
# support it

# written inefficiently for maximum shell compatibility
openssl()
(
  openssl_bin=/usr/bin/openssl

  case "$*" in
    # if user specified -rand, honor it
    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
  esac

  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
  for i in `$openssl_bin list -commands`; do
    if $openssl_bin list -options "$i" | grep -q '^rand '; then
      cmds=" $i $cmds"
    fi
  done

  case "$cmds" in
    *\ "$1"\ *)
      cmd="$1"; shift
      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
  esac

  exec $openssl_bin "$@"
)
EOM

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Put a file with shell wrapper to configure OpenSSL to always use strong entropy
  copy:
    dest: /etc/profile.d/openssl-rand.sh
    content: |
      # provide a default -rand /dev/random option to openssl commands that
      # support it

      # written inefficiently for maximum shell compatibility
      openssl()
      (
        openssl_bin=/usr/bin/openssl

        case "$*" in
          # if user specified -rand, honor it
          *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
        esac

        cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
        for i in `$openssl_bin list -commands`; do
          if $openssl_bin list -options "$i" | grep -q '^rand '; then
            cmds=" $i $cmds"
          fi
        done

        case "$cmds" in
          *\ "$1"\ *)
            cmd="$1"; shift
            exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
        esac

        exec $openssl_bin "$@"
      )
  tags:
    - openssl_use_strong_entropy
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82721-2

OVAL test results details

Test if openssl is configured to generate random data with strong entropy oval:ssg-test_openssl_strong_entropy:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_openssl_strong_entropy:obj:1 of type filehash58_object

Filepath	Hash type
/etc/profile.d/openssl-rand.sh	SHA-256

Configure SSH to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_ssh_crypto_policy:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80939-2 References: 5.2.20, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `CRYPTO_POLICY` variable is either commented or not set at all in the `/etc/sysconfig/sshd`.
Rationale	Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_ssh_crypto_policy:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysconfig/sshd	^\sCRYPTO_POLICY\s=.*$	1

Configure BIND to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_bind_crypto_policy:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80934-3 References: SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `/etc/named.conf` includes the appropriate configuration: In the `options` section of `/etc/named.conf`, make sure that the following line is not commented out or superseded by later includes: `include "/etc/crypto-policies/back-ends/bind.config";`
Rationale	Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.

OVAL test results details

package bind is removed oval:ssg-test_package_bind_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_bind_removed:obj:1 of type rpminfo_object

Name
bind

Check that the configuration includes the policy config file. oval:ssg-test_configure_bind_crypto_policy:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/named.conf	^\sinclude\s+"/etc/crypto-policies/back-ends/bind.config"\s;\s*$	1

Configure OpenSSL library to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_openssl_crypto_policy:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80938-4 References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under `/etc/pki/tls/openssl.cnf`. This file has the `ini` format, and it enables crypto policy support if there is a `[ crypto_policy ]` section that contains the `.include /etc/crypto-policies/back-ends/opensslcnf.config` directive.
Rationale	Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.

OVAL test results details

Check that the configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_crypto_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/pki/tls/openssl.cnf	[ crypto_policy ] .include /etc/crypto-policies/back-ends/opensslcnf.config

Configure Libreswan to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_libreswan_crypto_policy:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80937-6 References: CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000033-GPOS-00014
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the `/etc/ipsec.conf` includes the appropriate configuration file. In `/etc/ipsec.conf`, make sure that the following line is not commented out or superseded by later includes: `include /etc/crypto-policies/back-ends/libreswan.config`
Rationale	Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.

OVAL test results details

package libreswan is installed oval:ssg-test_package_libreswan_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
libreswan	x86_64	(none)	7.el8_3	3.32	0:3.32-7.el8_3	199e2f91fd431d51	libreswan-0:3.32-7.el8_3.x86_64

Check that the libreswan configuration includes the crypto policy config file oval:ssg-test_configure_libreswan_crypto_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/ipsec.conf	include /etc/crypto-policies/back-ends/libreswan.config # It is best to add your IPsec connections as separate files in /etc/ipsec.d/

Configure session renegotiation for SSH client

Rule ID xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-ssh_client_rekey_limit:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82880-6

References: FCS_SSHS_EXT.1

Description

The RekeyLimit parameter specifies how often the session key is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line RekeyLimit 1G 1h to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. Make sure that there is no other RekeyLimit configuration preceding the include directive in the main config file /etc/ssh/ssh_config. Check also other files in /etc/ssh/ssh_config.d directory. Files are processed according to lexicographical order of file names. Make sure that there is no file processed before 02-rekey-limit.conf containing definition of RekeyLimit.

Rationale

By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited.

Remediation Shell script ⇲



var_ssh_client_rekey_limit_size="1G"

var_ssh_client_rekey_limit_time="1h"



main_config="/etc/ssh/ssh_config"
include_directory="/etc/ssh/ssh_config.d"

if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
  sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
fi

for file in "$include_directory"/*.conf; do
  if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
    sed -i '/^[\s]*RekeyLimit.*/d' "$file"
  fi
done

if [ -e "/etc/ssh/ssh_config.d/02-rekey-limit.conf" ] ; then
    LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/d" "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
else
    touch "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
fi
cp "/etc/ssh/ssh_config.d/02-rekey-limit.conf" "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak"
# Insert at the end of the file
printf '%s\n' "RekeyLimit $var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time" >> "/etc/ssh/ssh_config.d/02-rekey-limit.conf"
# Clean up after ourselves.
rm "/etc/ssh/ssh_config.d/02-rekey-limit.conf.bak"

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	configure

- name: XCCDF Value var_ssh_client_rekey_limit_size # promote to variable
  set_fact:
    var_ssh_client_rekey_limit_size: !!str 1G
  tags:
    - always
- name: XCCDF Value var_ssh_client_rekey_limit_time # promote to variable
  set_fact:
    var_ssh_client_rekey_limit_time: !!str 1h
  tags:
    - always

- name: Ensure RekeyLimit is not configured in /etc/ssh/ssh_config
  lineinfile:
    path: /etc/ssh/ssh_config
    create: false
    regexp: ^\s*RekeyLimit.*$
    state: absent
  tags:
    - ssh_client_rekey_limit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82880-6

- name: Collect all include config files for ssh client which configure RekeyLimit
  find:
    paths: /etc/ssh/ssh_config.d/
    contains: ^[\s]*RekeyLimit.*$
    patterns: '*.config'
  register: ssh_config_include_files
  tags:
    - ssh_client_rekey_limit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82880-6

- name: Remove all occurences of RekeyLimit configuration from include config files
    of ssh client
  lineinfile:
    path: '{{ item }}'
    regexp: ^[\s]*RekeyLimit.*$
    state: absent
  loop: '{{ ssh_config_include_files.files }}'
  tags:
    - ssh_client_rekey_limit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82880-6

- name: Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{
    var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf
  lineinfile:
    path: /etc/ssh/ssh_config.d/02-rekey-limit.conf
    create: true
    regexp: ^\s*RekeyLimit.*$
    line: RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time
      }}
    state: present
  tags:
    - ssh_client_rekey_limit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82880-6

OVAL test results details

tests the value of RekeyLimit setting in /etc/ssh/ssh_config file oval:ssg-test_ssh_client_rekey_limit_main_config:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ssh_client_rekey_limit_main_config:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/ssh_config	^[\s]RekeyLimit.$	1

tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf oval:ssg-test_ssh_client_rekey_limit_include_configs:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_ssh_client_rekey_limit_include_configs:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*RekeyLimit[\s]+1G[\s]+1h[\s]*$

^/etc/ssh/ssh_config\.d/.*\.conf$

Configure System Cryptography Policy

Rule ID xccdf_org.ssgproject.content_rule_configure_crypto_policy

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-configure_crypto_policy:def:1

Time 2021-03-21T19:59:44+01:00

Severity high

Identifiers and References

Identifiers: CCE-80935-0

References: 1.10, 1.11, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Description

To configure the system cryptography policy to use ciphers only from the FIPS:OSPP policy, run the following command:

$ sudo update-crypto-policies --set FIPS:OSPP

The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.

Rationale

Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Warnings

warning The system needs to be rebooted for these changes to take effect.

Remediation Shell script ⇲


# include remediation functions library

var_system_crypto_policy="FIPS:OSPP"

update-crypto-policies --set ${var_system_crypto_policy}

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: XCCDF Value var_system_crypto_policy # promote to variable
  set_fact:
    var_system_crypto_policy: !!str FIPS:OSPP
  tags:
    - always

- name: Configure System Cryptography Policy
  lineinfile:
    path: /etc/crypto-policies/config
    regexp: ^(?!#)(\S+)$
    line: '{{ var_system_crypto_policy }}'
    create: true
  tags:
    - configure_crypto_policy
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80935-0
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-17(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-13
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)

- name: Verify that Crypto Policy is Set (runtime)
  command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
  tags:
    - configure_crypto_policy
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80935-0
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-17(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-13
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)

OVAL test results details

check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 false

Following items have been found on the system:

Path	Content
/etc/crypto-policies/config	DEFAULT

check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 false

Following items have been found on the system:

Path	Content
/etc/crypto-policies/state/current	DEFAULT

Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-variable_crypto_policies_config_file_age:var:1	8997462

Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/etc/crypto-policies/back-ends/nss.config	regular	0	0	429	`rw-r--r--`

Configure Kerberos to use System Crypto Policy

Rule ID	xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-configure_kerberos_crypto_policy:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80936-8 References: SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061
Description	Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, kerberos is configured to use the system-wide crypto policy settings.
Rationale	Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

OVAL test results details

Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1	/usr/share/crypto-policies/DEFAULT/krb5.txt

Check if kerberos configuration symlink links to the crypto-policy backend file oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1	/usr/share/crypto-policies/DEFAULT/krb5.txt

Enable Kernel Page-Table Isolation (KPTI)

Rule ID xccdf_org.ssgproject.content_rule_grub2_pti_argument

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-grub2_pti_argument:def:1

Time 2021-03-21T19:59:44+01:00

Severity high

Identifiers and References

Identifiers: CCE-82194-2

References: SI-16, SRG-OS-000433-GPOS-00193

Description

To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="pti=on"

Rationale

Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

Warnings

grub2-mkconfig -o

command as follows:

On BIOS-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```
On UEFI-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

# Correct grub2 kernelopts value using grub2-editenv
if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?pti=on(\s.*)?$'; then
  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	medium
Disruption:	low
Reboot:	true
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - grub2_pti_argument
    - high_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82194-2
    - NIST-800-53-SI-16

- name: get current kernel parameters
  command: /usr/bin/grub2-editenv - list
  register: kernelopts
  changed_when: false
  when:
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_pti_argument
    - high_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82194-2
    - NIST-800-53-SI-16

- name: Update the bootloader menu
  command: /usr/bin/grub2-editenv - set "{{ item }} pti=on"
  with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') |
    list }}'
  when:
    - kernelopts.stdout_lines is defined
    - kernelopts.stdout_lines | length > 0
    - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?pti=on(?:\s.*)?$', multiline=True)
      is none
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_pti_argument
    - high_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-82194-2
    - NIST-800-53-SI-16

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  kernelArguments:
    - pti=on

OVAL test results details

check forkernel command line parameters pti=on in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_pti_argument_grub_env:tst:1 false

Following items have been found on the system:

Path	Content
/boot/grub2/grubenv	kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

Set the UEFI Boot Loader Password

Rule ID	xccdf_org.ssgproject.content_rule_grub2_uefi_password
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-grub2_uefi_password:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80829-5 References: NT28(R17), 1.4.2, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_AFL.1, SRG-OS-000080-GPOS-00048
Description	The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command: $ grub2-setpassword When prompted, enter the password that was selected. Once the superuser password has been added, update the `grub.cfg` file by running: grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
Rationale	Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings	warning To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the `grub.cfg` file as the grub2-mkconfig command overwrites this file.

OVAL test results details

/boot/efi/EFI/redhat/grub.cfg does not exist oval:ssg-test_grub2_uefi_password_grub_cfg:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_uefi_password_grub_cfg:obj:1 of type file_object

Filepath
/boot/efi/EFI/redhat/grub.cfg

make sure a password is defined in /boot/efi/EFI/redhat/user.cfg oval:ssg-test_grub2_uefi_password_usercfg:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_uefi_password_usercfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/efi/EFI/redhat/user.cfg	^[\s]GRUB2_PASSWORD=grub\.pbkdf2\.sha512.$	1

make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg oval:ssg-test_grub2_uefi_password_grubcfg:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_grub2_uefi_password_grubcfg:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/efi/EFI/redhat/grub.cfg	^[\s]password_pbkdf2[\s]+.[\s]+grub\.pbkdf2\.sha512.*$	1

superuser is defined in /boot/efi/EFI/redhat/grub.cfg. oval:ssg-test_bootloader_uefi_superuser:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_bootloader_uefi_superuser:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/boot/efi/EFI/redhat/grub.cfg	^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$	1

Disable vsyscalls

Rule ID	xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
Result	informational
Multi-check rule	no
OVAL Definition ID	oval:ssg-grub2_vsyscall_argument:def:1
Time	2021-03-21T19:59:44+01:00
Severity	info
Identifiers and References	Identifiers: CCE-80946-7 References: CM-7(a), SRG-OS-000480-GPOS-00227
Description	To disable use of virtual syscalls, add the argument `vsyscall=none` to the default GRUB 2 command line for the Linux operating system in `/etc/default/grub`, in the manner below: GRUB_CMDLINE_LINUX="vsyscall=none"
Rationale	Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.
Warnings	warning The GRUB 2 configuration file, `grub.cfg`, is automatically updated each time a new kernel is installed. Note that any changes to `/etc/default/grub` require rebuilding the `grub.cfg` file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows: On BIOS-based machines, issue the following command as `root`: ~]# grub2-mkconfig -o /boot/grub2/grub.cfg On UEFI-based machines, issue the following command as `root`: ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

OVAL test results details

check forkernel command line parameters vsyscall=none in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1 false

Following items have been found on the system:

Path	Content
/boot/grub2/grubenv	kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

Enable Auditing to Start Prior to the Audit Daemon in zIPL

Rule ID	xccdf_org.ssgproject.content_rule_zipl_audit_argument
Result	notapplicable
Multi-check rule	no
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83321-0
Description	To ensure all processes can be audited, even those which start prior to the audit daemon, check that all boot entries in `/boot/loader/entries/*.conf` have `audit=1` included in its options. To ensure that new kernels and boot entries continue to enable audit, add `audit=1` to `/etc/kernel/cmdline`.
Rationale	Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although `auditd` takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Enable page allocator poisoning in zIPL

Rule ID	xccdf_org.ssgproject.content_rule_zipl_page_poison_argument
Result	notapplicable
Multi-check rule	no
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83351-7
Description	To enable poisoning of free pages, check that all boot entries in `/boot/loader/entries/*.conf` have `page_poison=1` included in its options. To ensure that new kernels and boot entries continue to enable page poisoning, add `page_poison=1` to `/etc/kernel/cmdline`.
Rationale	Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Disable vsyscalls in zIPL

Rule ID	xccdf_org.ssgproject.content_rule_zipl_vsyscall_argument
Result	notapplicable
Multi-check rule	no
Time	2021-03-21T19:59:44+01:00
Severity	info
Identifiers and References	Identifiers: CCE-83381-4
Description	To disable use of virtual syscalls, check that all boot entries in `/boot/loader/entries/*.conf` have `vsyscall=none` included in its options. To ensure that new kernels and boot entries continue to disable virtual syscalls, add `vsyscall=none` to `/etc/kernel/cmdline`.
Rationale	Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.

Ensure all zIPL boot entries are BLS compliant

Rule ID	xccdf_org.ssgproject.content_rule_zipl_bls_entries_only
Result	notapplicable
Multi-check rule	no
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83485-3
Description	Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS) by checking that `/etc/zipl.conf` doesn't contain `image =` .
Rationale	Red Hat Enterprise Linux 8 adheres to Boot Loader Specification (BLS) and is the prefered method of configuration.
Warnings	warning To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf automated remediation for this rule is not available.

Extend Audit Backlog Limit for the Audit Daemon in zIPL

Rule ID	xccdf_org.ssgproject.content_rule_zipl_audit_backlog_limit_argument
Result	notapplicable
Multi-check rule	no
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83341-8
Description	To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, check that all boot entries in `/boot/loader/entries/*.conf` have `audit_backlog_limit=8192` included in its options. To ensure that new kernels and boot entries continue to extend the audit log events queue, add `audit_backlog_limit=8192` to `/etc/kernel/cmdline`.
Rationale	audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.

Ensure zIPL bootmap is up to date

Rule ID	xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date
Result	notapplicable
Multi-check rule	no
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83486-1
Description	Make sure that `/boot/bootmap` is up to date. Every time a boot entry or zIPL configuration is changed `/boot/bootmap` needs to be updated to reflect the changes. Run `zipl` command to generate an updated `/boot/bootmap`.
Rationale	The file `/boot/bootmap` contains all boot data, keeping it up to date is crucial to boot correct kernel and options.

Enable SLUB/SLAB allocator poisoning in zIPL

Rule ID	xccdf_org.ssgproject.content_rule_zipl_slub_debug_argument
Result	notapplicable
Multi-check rule	no
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83371-5
Description	To enable poisoning of SLUB/SLAB objects, check that all boot entries in `/boot/loader/entries/*.conf` have `slub_debug=P` included in its options. To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects, add `slub_debug=P` to `/etc/kernel/cmdline`.
Rationale	Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Install firewalld Package

Rule ID	xccdf_org.ssgproject.content_rule_package_firewalld_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_firewalld_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82998-6 References: 3.4.1.1, CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000298-GPOS-00116
Description	The `firewalld` package can be installed with the following command: $ sudo yum install firewalld
Rationale	The firewalld package should be installed to provide access control methods.

OVAL test results details

package firewalld is installed oval:ssg-test_package_firewalld_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
firewalld	noarch	(none)	2.el8	0.8.2	0:0.8.2-2.el8	199e2f91fd431d51	firewalld-0:0.8.2-2.el8.noarch

Verify firewalld Enabled

Rule ID	xccdf_org.ssgproject.content_rule_service_firewalld_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_firewalld_enabled:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80877-4 References: 3.4.2.1, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232
Description	The `firewalld` service can be enabled with the following command: $ sudo systemctl enable firewalld.service
Rationale	Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

OVAL test results details

package firewalld is installed oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
firewalld	noarch	(none)	2.el8	0.8.2	0:0.8.2-2.el8	199e2f91fd431d51	firewalld-0:0.8.2-2.el8.noarch

Test that the firewalld service is running oval:ssg-test_service_running_firewalld:tst:1 true

Following items have been found on the system:

Unit	Property	Value
firewalld.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_firewalld:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

systemd test oval:ssg-test_multi_user_wants_firewalld_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

Disable Bluetooth Kernel Module

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_bluetooth_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80832-9

References: 11, 12, 14, 15, 3, 8, 9, 5.13.1.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049

Description

The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:

install bluetooth /bin/true

Rationale

If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
	sed -i 's/^install bluetooth.*/install bluetooth /bin/true/g' /etc/modprobe.d/bluetooth.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf
	echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'bluetooth' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/bluetooth.conf
    regexp: bluetooth
    line: install bluetooth /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - kernel_module_bluetooth_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80832-9
    - NIST-800-53-AC-18(a)
    - NIST-800-53-AC-18(3)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MP-7
    - NIST-800-171-3.1.16
    - CJIS-5.13.1.3

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,install%20bluetooth%20/bin/true%0A
        filesystem: root
        mode: 0644
        path: /etc/modprobe.d/75-kernel_module_bluetooth_disabled.conf

OVAL test results details

kernel module bluetooth disabled oval:ssg-test_kernmod_bluetooth_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_bluetooth_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modprobe.d	^.*\.conf$	^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$	1

kernel module bluetooth disabled in /etc/modprobe.conf oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$	1

kernel module bluetooth disabled in /etc/modules-load.d oval:ssg-test_kernmod_bluetooth_etcmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_bluetooth_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$	1

kernel module bluetooth disabled in /run/modules-load.d oval:ssg-test_kernmod_bluetooth_runmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_bluetooth_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$	1

kernel module bluetooth disabled in /usr/lib/modules-load.d oval:ssg-test_kernmod_bluetooth_libmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_bluetooth_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$	1

kernel module bluetooth disabled in /run/modprobe.d oval:ssg-test_kernmod_bluetooth_runmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_bluetooth_runmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modprobe.d	^.*\.conf$	^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$	1

kernel module bluetooth disabled in /usr/lib/modprobe.d oval:ssg-test_kernmod_bluetooth_libmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_bluetooth_libmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modprobe.d	^.*\.conf$	^\s*install\s+bluetooth\s+(/bin/false\|/bin/true)$	1

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81007-7

References: 3.2.9, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv6_conf_default_accept_ra_value="0"

#
# Set runtime for net.ipv6.conf.default.accept_ra
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value"

#
# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_ra' "$sysctl_net_ipv6_conf_default_accept_ra_value" 'CCE-81007-7'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_ra_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.default.accept_ra is set
  sysctl:
    name: net.ipv6.conf.default.accept_ra
    value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv6_conf_default_accept_ra
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81007-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.default.accept_ra%3D0
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.accept_ra static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_ra[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_ra	1

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81015-0

References: NT28(R22), 3.2.1, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv6_conf_default_accept_source_route_value="0"

#
# Set runtime for net.ipv6.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value"

#
# If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_source_route' "$sysctl_net_ipv6_conf_default_accept_source_route_value" 'CCE-81015-0'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv6_conf_default_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_accept_source_route_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set
  sysctl:
    name: net.ipv6.conf.default.accept_source_route
    value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv6_conf_default_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81015-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.default.accept_source_route%3D0
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.accept_source_route static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_source_route:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_source_route	0

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81013-5

Description

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv6_conf_all_accept_source_route_value="0"

#
# Set runtime for net.ipv6.conf.all.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value"

#
# If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_source_route' "$sysctl_net_ipv6_conf_all_accept_source_route_value" 'CCE-81013-5'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_source_route_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set
  sysctl:
    name: net.ipv6.conf.all.accept_source_route
    value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv6_conf_all_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81013-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv6.conf.all.accept_source_route%3D0
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.accept_source_route static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_source_route:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_source_route	0

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81010-1 References: NT28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv6.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.default.accept_redirects = 0
Rationale	An illicit ICMP redirect message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.default.accept_redirects static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/50-libreswan.conf	# We disable redirects for XFRM/IPsec net.ipv6.conf.default.accept_redirects = 0

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.default.accept_redirects	0

Configure Accepting Router Advertisements on All IPv6 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81006-9

Description

To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_ra = 0

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv6_conf_all_accept_ra_value="0"

#
# Set runtime for net.ipv6.conf.all.accept_ra
#
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value"

#
# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_ra' "$sysctl_net_ipv6_conf_all_accept_ra_value" 'CCE-81006-9'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_all_accept_ra_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv6.conf.all.accept_ra is set
  sysctl:
    name: net.ipv6.conf.all.accept_ra
    value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv6_conf_all_accept_ra
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81006-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.20

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.accept_ra static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_ra[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_ra	1

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81009-3 References: NT28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv6.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv6.conf.all.accept_redirects = 0
Rationale	An illicit ICMP redirect message could result in a man-in-the-middle attack.

OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv6.conf.all.disable_ipv6[\s]=[\s]1[\s]$	1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.disable_ipv6	0

net.ipv6.conf.all.accept_redirects static configuration oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/50-libreswan.conf	# We disable redirects for XFRM/IPsec net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv6.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv6.conf.all.accept_redirects	0

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80921-0 References: NT28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.default.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.send_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

OVAL test results details

net.ipv4.conf.default.send_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s]0[\s]$	1

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/50-libreswan.conf	net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s]0[\s]$	1

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.default.send_redirects[\s]=[\s]0[\s]$	1

kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0 oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_send_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.send_redirects	0

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80918-6 References: NT28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.all.send_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.send_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.

OVAL test results details

net.ipv4.conf.all.send_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s]0[\s]$	1

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/50-libreswan.conf	net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s]0[\s]$	1

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.conf.all.send_redirects[\s]=[\s]0[\s]$	1

kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0 oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_send_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.send_redirects	0

Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_ip_forward:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81024-2

References: NT28(R22), 3.1.1., 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), SC-5CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.ip_forward=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.ip_forward = 0

Rationale

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Warnings

warning Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then



#
# Set runtime for net.ipv4.ip_forward
#
/sbin/sysctl -q -n -w net.ipv4.ip_forward="0"

#
# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.ip_forward' "0" 'CCE-81024-2'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl net.ipv4.ip_forward is set to 0
  sysctl:
    name: net.ipv4.ip_forward
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_ip_forward
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81024-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5CM-6(a)
    - NIST-800-53-SC-7(a)
    - NIST-800-171-3.1.20

OVAL test results details

net.ipv4.ip_forward static configuration oval:ssg-test_static_sysctl_net_ipv4_ip_forward:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.ipv4.ip_forward[\s]=[\s]0[\s]$	1

net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_ip_forward:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_forward[\s]=[\s]0[\s]$	1

net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_ip_forward:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_forward[\s]=[\s]0[\s]$	1

net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_forward:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.ipv4.ip_forward[\s]=[\s]0[\s]$	1

kernel runtime parameter net.ipv4.ip_forward set to 0 oval:ssg-test_sysctl_runtime_net_ipv4_ip_forward:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.ip_forward	0

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80917-8 References: NT28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.all.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.accept_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."

OVAL test results details

net.ipv4.conf.all.accept_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/50-libreswan.conf	# We disable redirects for XFRM/IPsec net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.accept_redirects	0

Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81018-4

References: NT28(R22), 3.2.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.log_martians=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.log_martians = 1

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_conf_all_log_martians_value="1"

#
# Set runtime for net.ipv4.conf.all.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value"

#
# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.log_martians' "$sysctl_net_ipv4_conf_all_log_martians_value" 'CCE-81018-4'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_conf_all_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_log_martians_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.log_martians is set
  sysctl:
    name: net.ipv4.conf.all.log_martians
    value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_conf_all_log_martians
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81018-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(3)(a)
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.log_martians%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf

OVAL test results details

net.ipv4.conf.all.log_martians static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.all.log_martians[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.log_martians[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.log_martians[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.log_martians[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_log_martians:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.log_martians	0

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80919-4 References: NT28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.default.accept_redirects` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.default.accept_redirects = 0
Rationale	ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

OVAL test results details

net.ipv4.conf.default.accept_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Path	Content
/etc/sysctl.d/50-libreswan.conf	# We disable redirects for XFRM/IPsec net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_redirects:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.accept_redirects	0

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81023-4

References: NT28(R22), 3.2.6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Rationale

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value="1"

#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"

#
# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_ignore_bogus_error_responses' "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" 'CCE-81023-4'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81023-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf

OVAL test results details

net.ipv4.icmp_ignore_bogus_error_responses static configuration oval:ssg-test_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.icmp_ignore_bogus_error_responses[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.icmp_ignore_bogus_error_responses	1

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81021-8 References: NT28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.all.rp_filter` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.rp_filter = 1
Rationale	Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

OVAL test results details

net.ipv4.conf.all.rp_filter static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.all.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	# Source route verification net.ipv4.conf.all.rp_filter = 1

kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_rp_filter:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.rp_filter	1

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80922-8

References: 3.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Rationale

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value="1"

#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_echo_ignore_broadcasts' "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" 'CCE-80922-8'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # promote to variable
  set_fact:
    sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80922-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-171-3.1.20
    - CJIS-5.10.1.1

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf

OVAL test results details

net.ipv4.icmp_echo_ignore_broadcasts static configuration oval:ssg-test_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.icmp_echo_ignore_broadcasts[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.icmp_echo_ignore_broadcasts[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.icmp_echo_ignore_broadcasts[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.icmp_echo_ignore_broadcasts[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_icmp_echo_ignore_broadcasts:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.icmp_echo_ignore_broadcasts	1

Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81020-0

References: 3.2.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.log_martians=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.log_martians = 1

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_conf_default_log_martians_value="1"

#
# Set runtime for net.ipv4.conf.default.log_martians
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value"

#
# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.log_martians' "$sysctl_net_ipv4_conf_default_log_martians_value" 'CCE-81020-0'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_conf_default_log_martians_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_log_martians_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.log_martians is set
  sysctl:
    name: net.ipv4.conf.default.log_martians
    value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_conf_default_log_martians
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81020-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(3)(a)
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.log_martians%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf

OVAL test results details

net.ipv4.conf.default.log_martians static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.default.log_martians[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.log_martians[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.log_martians[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.log_martians[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_log_martians:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.log_martians	0

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81022-6

References: NT28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.rp_filter = 1

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_conf_default_rp_filter_value="1"

#
# Set runtime for net.ipv4.conf.default.rp_filter
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value"

#
# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.rp_filter' "$sysctl_net_ipv4_conf_default_rp_filter_value" 'CCE-81022-6'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_conf_default_rp_filter_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_rp_filter_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.rp_filter is set
  sysctl:
    name: net.ipv4.conf.default.rp_filter
    value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_conf_default_rp_filter
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81022-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.rp_filter%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf

OVAL test results details

net.ipv4.conf.default.rp_filter static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.default.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.rp_filter[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.rp_filter[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_rp_filter:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.rp_filter	0

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81011-9 References: NT28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `net.ipv4.conf.all.accept_source_route` kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: net.ipv4.conf.all.accept_source_route = 0
Rationale	Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

OVAL test results details

net.ipv4.conf.all.accept_source_route static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	# Do not accept source routing net.ipv4.conf.all.accept_source_route = 0

kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_source_route:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.accept_source_route	0

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80920-2

References: NT28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.accept_source_route = 0

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_conf_default_accept_source_route_value="0"

#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value"

#
# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_source_route' "$sysctl_net_ipv4_conf_default_accept_source_route_value" 'CCE-80920-2'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_source_route_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_accept_source_route_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set
  sysctl:
    name: net.ipv4.conf.default.accept_source_route
    value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_conf_default_accept_source_route
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80920-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - NIST-800-171-3.1.20
    - CJIS-5.10.1.1

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.accept_source_route%3D0
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf

OVAL test results details

net.ipv4.conf.default.accept_source_route static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.accept_source_route[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_source_route:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.accept_source_route	1

Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81016-8

References: NT28(R22), 3.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_conf_all_secure_redirects_value="0"

#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value"

#
# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.secure_redirects' "$sysctl_net_ipv4_conf_all_secure_redirects_value" 'CCE-81016-8'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_conf_all_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_secure_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.all.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_conf_all_secure_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81016-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-7(a)
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.all.secure_redirects%3D0
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf

OVAL test results details

net.ipv4.conf.all.secure_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_all_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.all.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.all.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_secure_redirects:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.all.secure_redirects	1

Configure Kernel Parameter for Accepting Secure Redirects By Default

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81017-6

References: NT28(R22), 3.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_conf_default_secure_redirects_value="0"

#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value"

#
# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.secure_redirects' "$sysctl_net_ipv4_conf_default_secure_redirects_value" 'CCE-81017-6'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_conf_default_secure_redirects_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_default_secure_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set
  sysctl:
    name: net.ipv4.conf.default.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_conf_default_secure_redirects
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81017-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - NIST-800-171-3.1.20

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.secure_redirects%3D0
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf

OVAL test results details

net.ipv4.conf.default.secure_redirects static configuration oval:ssg-test_static_sysctl_net_ipv4_conf_default_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.conf.default.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.conf.default.secure_redirects[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_secure_redirects:tst:1 false

Following items have been found on the system:

Name	Value
net.ipv4.conf.default.secure_redirects	1

Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80923-6

References: NT28(R22), 3.2.8, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071

Description

To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.tcp_syncookies=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.tcp_syncookies = 1

Rationale

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sysctl_net_ipv4_tcp_syncookies_value="1"

#
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value"

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
#	else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.ipv4.tcp_syncookies' "$sysctl_net_ipv4_tcp_syncookies_value" 'CCE-80923-6'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable
  set_fact:
    sysctl_net_ipv4_tcp_syncookies_value: !!str 1
  tags:
    - always

- name: Ensure sysctl net.ipv4.tcp_syncookies is set
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_ipv4_tcp_syncookies
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80923-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5(1)
    - NIST-800-53-SC-5(2)
    - NIST-800-53-SC-5(3)(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.20
    - CJIS-5.10.1.1

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.tcp_syncookies%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf

OVAL test results details

net.ipv4.tcp_syncookies static configuration oval:ssg-test_static_sysctl_net_ipv4_tcp_syncookies:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	(?:^\|.\n)[^#]net.ipv4.tcp_syncookies[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_syncookies:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.tcp_syncookies[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_ipv4_tcp_syncookies:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.tcp_syncookies[\s]=[\s](\d+)[\s]*\n	1

net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	(?:^\|.\n)[^#]net.ipv4.tcp_syncookies[\s]=[\s](\d+)[\s]*\n	1

kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value oval:ssg-test_sysctl_runtime_net_ipv4_tcp_syncookies:tst:1 true

Following items have been found on the system:

Name	Value
net.ipv4.tcp_syncookies	1

Install iptables Package

Rule ID	xccdf_org.ssgproject.content_rule_package_iptables_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_iptables_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82982-0 References: 3.4.1.1, CM-6(a), SRG-OS-000480-GPOS-00227
Description	The `iptables` package can be installed with the following command: $ sudo yum install iptables
Rationale	`iptables` controls the Linux kernel network packet filtering code. `iptables` allows system operators to set up firewalls and IP masquerading, etc.

OVAL test results details

package iptables is installed oval:ssg-test_package_iptables_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
iptables	x86_64	(none)	15.el8_3.3	1.8.4	0:1.8.4-15.el8_3.3	199e2f91fd431d51	iptables-0:1.8.4-15.el8_3.3.x86_64

Disable IEEE 1394 (FireWire) Support

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_firewire-core_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82005-0

References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049

Description

The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install firewire-core /bin/true

Rationale

Disabling FireWire protects the system against exploitation of any flaws in its implementation.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then
	sed -i 's/^install firewire-core.*/install firewire-core /bin/true/g' /etc/modprobe.d/firewire-core.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf
	echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'firewire-core' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/firewire-core.conf
    regexp: firewire-core
    line: install firewire-core /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - kernel_module_firewire-core_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82005-0

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,install%20firewire-core%20/bin/true%0A
        filesystem: root
        mode: 0644
        path: /etc/modprobe.d/75-kernel_module_firewire-core_disabled.conf

OVAL test results details

kernel module firewire-core disabled oval:ssg-test_kernmod_firewire-core_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_firewire-core_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modprobe.d	^.*\.conf$	^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$	1

kernel module firewire-core disabled in /etc/modprobe.conf oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$	1

kernel module firewire-core disabled in /etc/modules-load.d oval:ssg-test_kernmod_firewire-core_etcmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_firewire-core_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$	1

kernel module firewire-core disabled in /run/modules-load.d oval:ssg-test_kernmod_firewire-core_runmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_firewire-core_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$	1

kernel module firewire-core disabled in /usr/lib/modules-load.d oval:ssg-test_kernmod_firewire-core_libmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_firewire-core_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$	1

kernel module firewire-core disabled in /run/modprobe.d oval:ssg-test_kernmod_firewire-core_runmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_firewire-core_runmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modprobe.d	^.*\.conf$	^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$	1

kernel module firewire-core disabled in /usr/lib/modprobe.d oval:ssg-test_kernmod_firewire-core_libmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_firewire-core_libmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modprobe.d	^.*\.conf$	^\s*install\s+firewire-core\s+(/bin/false\|/bin/true)$	1

Disable SCTP Support

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_sctp_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80834-5

References: 3.5.2, 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049

Description

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install sctp /bin/true

Rationale

Disabling SCTP protects the system against exploitation of any flaws in its implementation.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then
	sed -i 's/^install sctp.*/install sctp /bin/true/g' /etc/modprobe.d/sctp.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf
	echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'sctp' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/sctp.conf
    regexp: sctp
    line: install sctp /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - kernel_module_sctp_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80834-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.4.6
    - CJIS-5.10.1

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,install%20sctp%20/bin/true%0A
        filesystem: root
        mode: 0644
        path: /etc/modprobe.d/75-kernel_module_sctp_disabled.conf

OVAL test results details

kernel module sctp disabled oval:ssg-test_kernmod_sctp_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_sctp_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modprobe.d	^.*\.conf$	^\s*install\s+sctp\s+(/bin/false\|/bin/true)$	1

kernel module sctp disabled in /etc/modprobe.conf oval:ssg-test_kernmod_sctp_modprobeconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+sctp\s+(/bin/false\|/bin/true)$	1

kernel module sctp disabled in /etc/modules-load.d oval:ssg-test_kernmod_sctp_etcmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_sctp_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+sctp\s+(/bin/false\|/bin/true)$	1

kernel module sctp disabled in /run/modules-load.d oval:ssg-test_kernmod_sctp_runmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_sctp_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+sctp\s+(/bin/false\|/bin/true)$	1

kernel module sctp disabled in /usr/lib/modules-load.d oval:ssg-test_kernmod_sctp_libmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_sctp_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+sctp\s+(/bin/false\|/bin/true)$	1

kernel module sctp disabled in /run/modprobe.d oval:ssg-test_kernmod_sctp_runmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_sctp_runmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modprobe.d	^.*\.conf$	^\s*install\s+sctp\s+(/bin/false\|/bin/true)$	1

kernel module sctp disabled in /usr/lib/modprobe.d oval:ssg-test_kernmod_sctp_libmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_sctp_libmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modprobe.d	^.*\.conf$	^\s*install\s+sctp\s+(/bin/false\|/bin/true)$	1

Disable CAN Support

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_can_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_can_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82059-7

References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049

Description

The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install can /bin/true

Rationale

Disabling CAN protects the system against exploitation of any flaws in its implementation.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then
	sed -i 's/^install can.*/install can /bin/true/g' /etc/modprobe.d/can.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf
	echo "install can /bin/true" >> /etc/modprobe.d/can.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'can' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/can.conf
    regexp: can
    line: install can /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - kernel_module_can_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82059-7

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,install%20can%20/bin/true%0A
        filesystem: root
        mode: 0644
        path: /etc/modprobe.d/75-kernel_module_can_disabled.conf

OVAL test results details

kernel module can disabled oval:ssg-test_kernmod_can_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_can_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modprobe.d	^.*\.conf$	^\s*install\s+can\s+(/bin/false\|/bin/true)$	1

kernel module can disabled in /etc/modprobe.conf oval:ssg-test_kernmod_can_modprobeconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_can_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+can\s+(/bin/false\|/bin/true)$	1

kernel module can disabled in /etc/modules-load.d oval:ssg-test_kernmod_can_etcmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_can_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+can\s+(/bin/false\|/bin/true)$	1

kernel module can disabled in /run/modules-load.d oval:ssg-test_kernmod_can_runmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_can_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+can\s+(/bin/false\|/bin/true)$	1

kernel module can disabled in /usr/lib/modules-load.d oval:ssg-test_kernmod_can_libmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_can_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+can\s+(/bin/false\|/bin/true)$	1

kernel module can disabled in /run/modprobe.d oval:ssg-test_kernmod_can_runmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_can_runmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modprobe.d	^.*\.conf$	^\s*install\s+can\s+(/bin/false\|/bin/true)$	1

kernel module can disabled in /usr/lib/modprobe.d oval:ssg-test_kernmod_can_libmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_can_libmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modprobe.d	^.*\.conf$	^\s*install\s+can\s+(/bin/false\|/bin/true)$	1

Disable TIPC Support

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_tipc_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82297-3

References: 3.3.4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049

Description

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install tipc /bin/true

Rationale

Disabling TIPC protects the system against exploitation of any flaws in its implementation.

Warnings

warning This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as a node in High Performance Computing cluster, it is expected that the tipc kernel module will be loaded.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then
	sed -i 's/^install tipc.*/install tipc /bin/true/g' /etc/modprobe.d/tipc.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf
	echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'tipc' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/tipc.conf
    regexp: tipc
    line: install tipc /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - kernel_module_tipc_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82297-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,install%20tipc%20/bin/true%0A
        filesystem: root
        mode: 0644
        path: /etc/modprobe.d/75-kernel_module_tipc_disabled.conf

OVAL test results details

kernel module tipc disabled oval:ssg-test_kernmod_tipc_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_tipc_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modprobe.d	^.*\.conf$	^\s*install\s+tipc\s+(/bin/false\|/bin/true)$	1

kernel module tipc disabled in /etc/modprobe.conf oval:ssg-test_kernmod_tipc_modprobeconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+tipc\s+(/bin/false\|/bin/true)$	1

kernel module tipc disabled in /etc/modules-load.d oval:ssg-test_kernmod_tipc_etcmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_tipc_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+tipc\s+(/bin/false\|/bin/true)$	1

kernel module tipc disabled in /run/modules-load.d oval:ssg-test_kernmod_tipc_runmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_tipc_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+tipc\s+(/bin/false\|/bin/true)$	1

kernel module tipc disabled in /usr/lib/modules-load.d oval:ssg-test_kernmod_tipc_libmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_tipc_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+tipc\s+(/bin/false\|/bin/true)$	1

kernel module tipc disabled in /run/modprobe.d oval:ssg-test_kernmod_tipc_runmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_tipc_runmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modprobe.d	^.*\.conf$	^\s*install\s+tipc\s+(/bin/false\|/bin/true)$	1

kernel module tipc disabled in /usr/lib/modprobe.d oval:ssg-test_kernmod_tipc_libmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_tipc_libmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modprobe.d	^.*\.conf$	^\s*install\s+tipc\s+(/bin/false\|/bin/true)$	1

Disable ATM Support

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_atm_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82028-2

References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049

Description

The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install atm /bin/true

Rationale

Disabling ATM protects the system against exploitation of any flaws in its implementation.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then
	sed -i 's/^install atm.*/install atm /bin/true/g' /etc/modprobe.d/atm.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf
	echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'atm' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/atm.conf
    regexp: atm
    line: install atm /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - kernel_module_atm_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82028-2

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,install%20atm%20/bin/true%0A
        filesystem: root
        mode: 0644
        path: /etc/modprobe.d/75-kernel_module_atm_disabled.conf

OVAL test results details

kernel module atm disabled oval:ssg-test_kernmod_atm_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_atm_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modprobe.d	^.*\.conf$	^\s*install\s+atm\s+(/bin/false\|/bin/true)$	1

kernel module atm disabled in /etc/modprobe.conf oval:ssg-test_kernmod_atm_modprobeconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_atm_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+atm\s+(/bin/false\|/bin/true)$	1

kernel module atm disabled in /etc/modules-load.d oval:ssg-test_kernmod_atm_etcmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_atm_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+atm\s+(/bin/false\|/bin/true)$	1

kernel module atm disabled in /run/modules-load.d oval:ssg-test_kernmod_atm_runmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_atm_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+atm\s+(/bin/false\|/bin/true)$	1

kernel module atm disabled in /usr/lib/modules-load.d oval:ssg-test_kernmod_atm_libmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_atm_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+atm\s+(/bin/false\|/bin/true)$	1

kernel module atm disabled in /run/modprobe.d oval:ssg-test_kernmod_atm_runmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_atm_runmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modprobe.d	^.*\.conf$	^\s*install\s+atm\s+(/bin/false\|/bin/true)$	1

kernel module atm disabled in /usr/lib/modprobe.d oval:ssg-test_kernmod_atm_libmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_atm_libmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modprobe.d	^.*\.conf$	^\s*install\s+atm\s+(/bin/false\|/bin/true)$	1

Install policycoreutils-python-utils package

Rule ID	xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_policycoreutils-python-utils_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82724-6 References: SRG-OS-000480-GPOS-00227
Description	The `policycoreutils-python-utils` package can be installed with the following command: $ sudo yum install policycoreutils-python-utils
Rationale	This package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.

OVAL test results details

package policycoreutils-python-utils is installed oval:ssg-test_package_policycoreutils-python-utils_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
policycoreutils-python-utils	noarch	(none)	9.el8	2.9	0:2.9-9.el8	199e2f91fd431d51	policycoreutils-python-utils-0:2.9-9.el8.noarch

Install policycoreutils Package

Rule ID	xccdf_org.ssgproject.content_rule_package_policycoreutils_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_policycoreutils_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	high
Identifiers and References	Identifiers: CCE-82976-2 References: SRG-OS-000480-GPOS-00227
Description	The `policycoreutils` package can be installed with the following command: $ sudo yum install policycoreutils
Rationale	Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. `policycoreutils` contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include `load_policy` to load SELinux policies, `setfiles` to label filesystems, `newrole` to switch roles, and `run_init` to run `/etc/init.d` scripts in the proper context.

OVAL test results details

package policycoreutils is installed oval:ssg-test_package_policycoreutils_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
policycoreutils	x86_64	(none)	9.el8	2.9	0:2.9-9.el8	199e2f91fd431d51	policycoreutils-0:2.9-9.el8.x86_64

Ensure SELinux State is Enforcing

Rule ID	xccdf_org.ssgproject.content_rule_selinux_state
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-selinux_state:def:1
Time	2021-03-21T19:59:44+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80869-1 References: NT28(R4), 1.7.1.4, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000445-VMM-001780
Description	The SELinux state should be set to `enforcing` at system boot time. In the file `/etc/selinux/config`, add or correct the following line to configure the system to boot into enforcing mode: SELINUX=enforcing
Rationale	Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

OVAL test results details

/selinux/enforce is 1 oval:ssg-test_etc_selinux_config:tst:1 true

Following items have been found on the system:

Path	Content
/etc/selinux/config	SELINUX=enforcing

Configure SELinux Policy

Rule ID	xccdf_org.ssgproject.content_rule_selinux_policytype
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-selinux_policytype:def:1
Time	2021-03-21T19:59:44+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80868-3 References: NT28(R66), 1.7.1.3, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000445-VMM-001780
Description	The SELinux `targeted` policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in `/etc/selinux/config`: SELINUXTYPE=targeted Other policies, such as `mls`, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale	Setting the SELinux policy to `targeted` or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in `permissive` mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to `targeted`.

OVAL test results details

Tests the value of the ^[\s]SELINUXTYPE[\s]=[\s]([^#]) expression in the /etc/selinux/config file oval:ssg-test_selinux_policy:tst:1 true

Following items have been found on the system:

Path	Content
/etc/selinux/config	SELINUXTYPE=targeted

Enable Kernel Parameter to Enforce DAC on Symlinks

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_fs_protected_symlinks:def:1
Time	2021-03-21T19:59:44+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-81030-9 References: NT28(R23), 1.6.1, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125
Description	To set the runtime status of the `fs.protected_symlinks` kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: fs.protected_symlinks = 1
Rationale	By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of `open()` or `creat()`.

OVAL test results details

fs.protected_symlinks static configuration oval:ssg-test_static_sysctl_fs_protected_symlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_fs_protected_symlinks:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]fs.protected_symlinks[\s]=[\s]1[\s]$	1

fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_fs_protected_symlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_fs_protected_symlinks:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]fs.protected_symlinks[\s]=[\s]1[\s]$	1

fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_fs_protected_symlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_fs_protected_symlinks:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]fs.protected_symlinks[\s]=[\s]1[\s]$	1

fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_fs_protected_symlinks:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	fs.protected_symlinks = 1

kernel runtime parameter fs.protected_symlinks set to 1 oval:ssg-test_sysctl_runtime_fs_protected_symlinks:tst:1 true

Following items have been found on the system:

Name	Value
fs.protected_symlinks	1

Enable Kernel Parameter to Enforce DAC on Hardlinks

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_fs_protected_hardlinks:def:1
Time	2021-03-21T19:59:44+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-81027-5 References: NT28(R23), 1.6.1, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125
Description	To set the runtime status of the `fs.protected_hardlinks` kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: fs.protected_hardlinks = 1
Rationale	By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of `open()` or `creat()`.

OVAL test results details

fs.protected_hardlinks static configuration oval:ssg-test_static_sysctl_fs_protected_hardlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_fs_protected_hardlinks:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]fs.protected_hardlinks[\s]=[\s]1[\s]$	1

fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_fs_protected_hardlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_fs_protected_hardlinks:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]fs.protected_hardlinks[\s]=[\s]1[\s]$	1

fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_fs_protected_hardlinks:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_fs_protected_hardlinks:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]fs.protected_hardlinks[\s]=[\s]1[\s]$	1

fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_fs_protected_hardlinks:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	fs.protected_hardlinks = 1

kernel runtime parameter fs.protected_hardlinks set to 1 oval:ssg-test_sysctl_runtime_fs_protected_hardlinks:tst:1 true

Following items have been found on the system:

Name	Value
fs.protected_hardlinks	1

Disable Mounting of cramfs

Rule ID xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-kernel_module_cramfs_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity low

Identifiers and References

Identifiers: CCE-81031-7

References: 1.1.1.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049

Description

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install cramfs /bin/true

This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale

Removing support for unneeded filesystem types reduces the local attack surface of the server.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
	sed -i 's/^install cramfs.*/install cramfs /bin/true/g' /etc/modprobe.d/cramfs.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
	echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure kernel module 'cramfs' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/cramfs.conf
    regexp: cramfs
    line: install cramfs /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - kernel_module_cramfs_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81031-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.4.6

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,install%20cramfs%20/bin/true%0A
        filesystem: root
        mode: 0644
        path: /etc/modprobe.d/75-kernel_module_cramfs_disabled.conf

OVAL test results details

kernel module cramfs disabled oval:ssg-test_kernmod_cramfs_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modprobe.d	^.*\.conf$	^\s*install\s+cramfs\s+(/bin/false\|/bin/true)$	1

kernel module cramfs disabled in /etc/modprobe.conf oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/modprobe.conf	^\s*install\s+cramfs\s+(/bin/false\|/bin/true)$	1

kernel module cramfs disabled in /etc/modules-load.d oval:ssg-test_kernmod_cramfs_etcmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_etcmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/modules-load.d	^.*\.conf$	^\s*install\s+cramfs\s+(/bin/false\|/bin/true)$	1

kernel module cramfs disabled in /run/modules-load.d oval:ssg-test_kernmod_cramfs_runmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_runmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modules-load.d	^.*\.conf$	^\s*install\s+cramfs\s+(/bin/false\|/bin/true)$	1

kernel module cramfs disabled in /usr/lib/modules-load.d oval:ssg-test_kernmod_cramfs_libmodules-load:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_libmodules-load:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modules-load.d	^.*\.conf$	^\s*install\s+cramfs\s+(/bin/false\|/bin/true)$	1

kernel module cramfs disabled in /run/modprobe.d oval:ssg-test_kernmod_cramfs_runmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_runmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/modprobe.d	^.*\.conf$	^\s*install\s+cramfs\s+(/bin/false\|/bin/true)$	1

kernel module cramfs disabled in /usr/lib/modprobe.d oval:ssg-test_kernmod_cramfs_libmodprobed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_kernmod_cramfs_libmodprobed:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/modprobe.d	^.*\.conf$	^\s*install\s+cramfs\s+(/bin/false\|/bin/true)$	1

Restrict Exposed Kernel Pointer Addresses Access

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_kernel_kptr_restrict:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80915-2 References: NT28(R23), SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067
Description	To set the runtime status of the `kernel.kptr_restrict` kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: kernel.kptr_restrict = 1
Rationale	Exposing kernel pointers (through procfs or `seq_printf()`) exposes kernel writeable structures that can contain functions pointers. If a write vulnereability occurs in the kernel allowing a write access to any of this structure, the kernel can be compromise. This option disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses, replacing them with 0.

OVAL test results details

kernel.kptr_restrict static configuration oval:ssg-test_static_sysctl_kernel_kptr_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_kptr_restrict:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.kptr_restrict[\s]=[\s]1[\s]$	1

kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_kptr_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_kptr_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.kptr_restrict[\s]=[\s]1[\s]$	1

kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_kptr_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_kptr_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.kptr_restrict[\s]=[\s]1[\s]$	1

kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_kptr_restrict:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-default.conf	kernel.kptr_restrict = 1

kernel runtime parameter kernel.kptr_restrict set to 1 oval:ssg-test_sysctl_runtime_kernel_kptr_restrict:tst:1 true

Following items have been found on the system:

Name	Value
kernel.kptr_restrict	1

Disable acquiring, saving, and processing core dumps

Rule ID xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-service_systemd-coredump_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82881-4

References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227

Description

The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'systemd-coredump.service'
"$SYSTEMCTL_EXEC" disable 'systemd-coredump.service'
"$SYSTEMCTL_EXEC" mask 'systemd-coredump.service'
# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^systemd-coredump.socket'; then
    "$SYSTEMCTL_EXEC" stop 'systemd-coredump.socket'
    "$SYSTEMCTL_EXEC" disable 'systemd-coredump.socket'
    "$SYSTEMCTL_EXEC" mask 'systemd-coredump.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'systemd-coredump.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	disable

- name: Disable service systemd-coredump
  block:

    - name: Gather the service facts
      service_facts: null

    - name: Disable service systemd-coredump
      systemd:
        name: systemd-coredump.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
      when: '"systemd-coredump.service" in ansible_facts.services'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - service_systemd-coredump_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82881-4

- name: Unit Socket Exists - systemd-coredump.socket
  command: systemctl list-unit-files systemd-coredump.socket
  args:
    warn: false
  register: socket_file_exists
  changed_when: false
  ignore_errors: true
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - service_systemd-coredump_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82881-4

- name: Disable socket systemd-coredump
  systemd:
    name: systemd-coredump.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
    - '"systemd-coredump.socket" in socket_file_exists.stdout_lines[1]'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - service_systemd-coredump_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82881-4

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include disable_systemd-coredump

class disable_systemd-coredump {
  service {'systemd-coredump':
    enable => false,
    ensure => 'stopped',
  }
}

Remediation script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    systemd:
      units:
      - name: systemd-coredump.service
        enabled: false
        mask: true
      - name: systemd-coredump.socket
        enabled: false
        mask: true

Remediation script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    systemd:
      units:
      - name: systemd-coredump.service
        enabled: false
        mask: true
      - name: systemd-coredump.socket
        enabled: false
        mask: true

OVAL test results details

package systemd is removed oval:ssg-test_service_systemd-coredump_package_systemd_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
systemd	x86_64	(none)	41.el8_3.1	239	0:239-41.el8_3.1	199e2f91fd431d51	systemd-0:239-41.el8_3.1.x86_64

Test that the systemd-coredump service is not running oval:ssg-test_service_not_running_systemd-coredump:tst:1 false

Following items have been found on the system:

Unit	Property	Value
systemd-coredump.socket	ActiveState	active

Test that the property LoadState from the service systemd-coredump is masked oval:ssg-test_service_loadstate_is_masked_systemd-coredump:tst:1 false

Following items have been found on the system:

Unit	Property	Value
systemd-coredump.socket	LoadState	loaded

Test that the property FragmentPath from the service systemd-coredump is set to /dev/null oval:ssg-test_service_fragmentpath_is_dev_null_systemd-coredump:tst:1 false

Following items have been found on the system:

Unit	Property	Value
systemd-coredump.socket	FragmentPath	/usr/lib/systemd/system/systemd-coredump.socket

Disable storing core dump

Rule ID xccdf_org.ssgproject.content_rule_coredump_disable_storage

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-coredump_disable_storage:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82252-8

References: 1.6.1, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227

Description

The Storage option in [Coredump] section of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.

Warnings

warning If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

if [ -e "/etc/systemd/coredump.conf" ] ; then
    LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf"
else
    touch "/etc/systemd/coredump.conf"
fi
cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
# Insert at the end of the file
printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf"
# Clean up after ourselves.
rm "/etc/systemd/coredump.conf.bak"

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Disable storing core dump
  block:

    - name: Deduplicate values from /etc/systemd/coredump.conf
      lineinfile:
        path: /etc/systemd/coredump.conf
        create: false
        regexp: ^\s*Storage\s*=\s*
        state: absent

    - name: Insert correct line to /etc/systemd/coredump.conf
      lineinfile:
        path: /etc/systemd/coredump.conf
        create: false
        line: Storage=none
        state: present
  tags:
    - coredump_disable_storage
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82252-8

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
        filesystem: root
        mode: 0644
        path: /etc/systemd/coredump.conf

OVAL test results details

tests the value of Storage setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_storage:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_coredump_disable_storage:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/coredump.conf	^\s\[Coredump\].(?:\n\s[^[\s].)\n^[ \t](?i)Storage(?-i)[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

Disable Core Dumps for All Users

Rule ID xccdf_org.ssgproject.content_rule_disable_users_coredumps

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-disable_users_coredumps:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81038-2

References: 1.6.1, 1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, DE.CM-1, PR.DS-4, SRG-OS-000480-GPOS-00227

Description

To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:

*     hard   core    0

Rationale

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

SECURITY_LIMITS_FILE="/etc/security/limits.conf"

if grep -qE '\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then
        sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE
else
        echo "*     hard   core    0" >> $SECURITY_LIMITS_FILE
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - disable_users_coredumps
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81038-2

- name: disable core dumps with limits
  lineinfile:
    dest: /etc/security/limits.conf
    regexp: ^[^#].*core
    line: '*        hard       core      0'
    create: true
  when: '"pam" in ansible_facts.packages'
  tags:
    - disable_users_coredumps
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-81038-2

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
        filesystem: root
        mode: 0644
        path: /etc/security/limits.d/75-disable_users_coredumps.conf

OVAL test results details

Tests the value of the ^[\s]\[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory oval:ssg-test_core_dumps_limits_d:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_core_dumps_limits_d:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/security/limits.d	^.*\.conf$	^[\s]\[\s]+(?:hard\|-)[\s]+core[\s]+([\d]+)	1

Tests for existance of the ^[\s]\[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory oval:ssg-test_core_dumps_limits_d_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/security/limits.d	^.*\.conf$	^[\s]\[\s]+(?:hard\|-)[\s]+core	1

Tests the value of the ^[\s]\[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file oval:ssg-test_core_dumps_limitsconf:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/security/limits.conf	^[\s]\[\s]+(?:hard\|-)[\s]+core[\s]+([\d]+)	1

Disable core dump backtraces

Rule ID xccdf_org.ssgproject.content_rule_coredump_disable_backtraces

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-coredump_disable_backtraces:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82251-0

References: 1.6.1, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227

Description

The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.

Rationale

Warnings

warning If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

if [ -e "/etc/systemd/coredump.conf" ] ; then
    LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf"
else
    touch "/etc/systemd/coredump.conf"
fi
cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
# Insert at the end of the file
printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf"
# Clean up after ourselves.
rm "/etc/systemd/coredump.conf.bak"

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Disable core dump backtraces
  block:

    - name: Deduplicate values from /etc/systemd/coredump.conf
      lineinfile:
        path: /etc/systemd/coredump.conf
        create: false
        regexp: ^\s*ProcessSizeMax\s*=\s*
        state: absent

    - name: Insert correct line to /etc/systemd/coredump.conf
      lineinfile:
        path: /etc/systemd/coredump.conf
        create: false
        line: ProcessSizeMax=0
        state: present
  tags:
    - coredump_disable_backtraces
    - unknown_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82251-0

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
        filesystem: root
        mode: 0644
        path: /etc/systemd/coredump.conf

OVAL test results details

tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_backtraces:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_coredump_disable_backtraces:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/systemd/coredump.conf	^\s\[Coredump\].(?:\n\s[^[\s].)\n^[ \t](?i)ProcessSizeMax(?-i)[ \t]=[ \t](.+?)[ \t]*(?:$\|#)	1

Enable SLUB/SLAB allocator poisoning

Rule ID xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-grub2_slub_debug_argument:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80945-9

References: CM-6(a), SRG-OS-000433-GPOS-00192

Description

To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="slub_debug=P"

Rationale

Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Warnings

grub2-mkconfig -o

command as follows:

On BIOS-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```
On UEFI-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

# Correct grub2 kernelopts value using grub2-editenv
if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?slub_debug=P(\s.*)?$'; then
  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slub_debug=P"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	medium
Disruption:	low
Reboot:	true
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - grub2_slub_debug_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80945-9
    - NIST-800-53-CM-6(a)

- name: get current kernel parameters
  command: /usr/bin/grub2-editenv - list
  register: kernelopts
  changed_when: false
  when:
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_slub_debug_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80945-9
    - NIST-800-53-CM-6(a)

- name: Update the bootloader menu
  command: /usr/bin/grub2-editenv - set "{{ item }} slub_debug=P"
  with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') |
    list }}'
  when:
    - kernelopts.stdout_lines is defined
    - kernelopts.stdout_lines | length > 0
    - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?slub_debug=P(?:\s.*)?$',
      multiline=True) is none
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_slub_debug_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80945-9
    - NIST-800-53-CM-6(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  kernelArguments:
    - slub_debug=P

OVAL test results details

check forkernel command line parameters slub_debug=P in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_slub_debug_argument_grub_env:tst:1 false

Following items have been found on the system:

Path	Content
/boot/grub2/grubenv	kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

Enable page allocator poisoning

Rule ID xccdf_org.ssgproject.content_rule_grub2_page_poison_argument

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-grub2_page_poison_argument:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80944-2

References: CM-6(a), SRG-OS-000480-GPOS-00227

Description

To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="page_poison=1"

Rationale

Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.

Warnings

grub2-mkconfig -o

command as follows:

On BIOS-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```
On UEFI-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

# Correct grub2 kernelopts value using grub2-editenv
if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?page_poison=1(\s.*)?$'; then
  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_poison=1"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	medium
Disruption:	low
Reboot:	true
Strategy:	restrict

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - grub2_page_poison_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80944-2
    - NIST-800-53-CM-6(a)

- name: get current kernel parameters
  command: /usr/bin/grub2-editenv - list
  register: kernelopts
  changed_when: false
  when:
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_page_poison_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80944-2
    - NIST-800-53-CM-6(a)

- name: Update the bootloader menu
  command: /usr/bin/grub2-editenv - set "{{ item }} page_poison=1"
  with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') |
    list }}'
  when:
    - kernelopts.stdout_lines is defined
    - kernelopts.stdout_lines | length > 0
    - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?page_poison=1(?:\s.*)?$',
      multiline=True) is none
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - grub2_page_poison_argument
    - medium_severity
    - restrict_strategy
    - medium_complexity
    - low_disruption
    - reboot_required
    - CCE-80944-2
    - NIST-800-53-CM-6(a)

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  kernelArguments:
    - page_poison=1

OVAL test results details

check forkernel command line parameters page_poison=1 in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1 false

Following items have been found on the system:

Path	Content
/boot/grub2/grubenv	kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

Disable Kernel Image Loading

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_kexec_load_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80952-5

References: SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.kexec_load_disabled=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.kexec_load_disabled = 1

Rationale

Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then



#
# Set runtime for kernel.kexec_load_disabled
#
/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1"

#
# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^kernel.kexec_load_disabled' "1" 'CCE-80952-5'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl kernel.kexec_load_disabled is set to 1
  sysctl:
    name: kernel.kexec_load_disabled
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_kernel_kexec_load_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80952-5

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,kernel.kexec_load_disabled%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf

OVAL test results details

kernel.kexec_load_disabled static configuration oval:ssg-test_static_sysctl_kernel_kexec_load_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.kexec_load_disabled[\s]=[\s]1[\s]$	1

kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_kexec_load_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.kexec_load_disabled[\s]=[\s]1[\s]$	1

kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_kexec_load_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.kexec_load_disabled[\s]=[\s]1[\s]$	1

kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_kexec_load_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.kexec_load_disabled[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.kexec_load_disabled set to 1 oval:ssg-test_sysctl_runtime_kernel_kexec_load_disabled:tst:1 false

Following items have been found on the system:

Name	Value
kernel.kexec_load_disabled	0

Harden the operation of the BPF just-in-time compiler

Rule ID xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_net_core_bpf_jit_harden:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82934-1

References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:

$ sudo sysctl -w net.core.bpf_jit_harden=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.core.bpf_jit_harden = 2

Rationale

When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in /proc/kallsyms.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then



#
# Set runtime for net.core.bpf_jit_harden
#
/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2"

#
# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2"
#	else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^net.core.bpf_jit_harden' "2" 'CCE-82934-1'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl net.core.bpf_jit_harden is set to 2
  sysctl:
    name: net.core.bpf_jit_harden
    value: '2'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_net_core_bpf_jit_harden
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82934-1

OVAL test results details

net.core.bpf_jit_harden static configuration oval:ssg-test_static_sysctl_net_core_bpf_jit_harden:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]net.core.bpf_jit_harden[\s]=[\s]2[\s]$	1

net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_net_core_bpf_jit_harden:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]net.core.bpf_jit_harden[\s]=[\s]2[\s]$	1

net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_net_core_bpf_jit_harden:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]net.core.bpf_jit_harden[\s]=[\s]2[\s]$	1

net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_net_core_bpf_jit_harden:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]net.core.bpf_jit_harden[\s]=[\s]2[\s]$	1

kernel runtime parameter net.core.bpf_jit_harden set to 2 oval:ssg-test_sysctl_runtime_net_core_bpf_jit_harden:tst:1 false

Following items have been found on the system:

Name	Value
net.core.bpf_jit_harden	1

Disable Access to Network bpf() Syscall From Unprivileged Processes

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82974-7

References: FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067

Description

To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:

$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.unprivileged_bpf_disabled = 1

Rationale

Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then



#
# Set runtime for kernel.unprivileged_bpf_disabled
#
/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1"

#
# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^kernel.unprivileged_bpf_disabled' "1" 'CCE-82974-7'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl kernel.unprivileged_bpf_disabled is set to 1
  sysctl:
    name: kernel.unprivileged_bpf_disabled
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_kernel_unprivileged_bpf_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82974-7

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,kernel.unprivileged_bpf_disabled%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf

OVAL test results details

kernel.unprivileged_bpf_disabled static configuration oval:ssg-test_static_sysctl_kernel_unprivileged_bpf_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.unprivileged_bpf_disabled[\s]=[\s]1[\s]$	1

kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_unprivileged_bpf_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.unprivileged_bpf_disabled[\s]=[\s]1[\s]$	1

kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_unprivileged_bpf_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.unprivileged_bpf_disabled[\s]=[\s]1[\s]$	1

kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.unprivileged_bpf_disabled[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1 oval:ssg-test_sysctl_runtime_kernel_unprivileged_bpf_disabled:tst:1 true

Following items have been found on the system:

Name	Value
kernel.unprivileged_bpf_disabled	1

Disable the use of user namespaces

Rule ID	xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
Result	informational
Multi-check rule	no
OVAL Definition ID	oval:ssg-sysctl_user_max_user_namespaces:def:1
Time	2021-03-21T19:59:44+01:00
Severity	info
Identifiers and References	Identifiers: CCE-82211-4 References: SC-39, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227
Description	To set the runtime status of the `user.max_user_namespaces` kernel parameter, run the following command: $ sudo sysctl -w user.max_user_namespaces=0 To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`: user.max_user_namespaces = 0 When containers are deployed on the machine, the value should be set to large non-zero value.
Rationale	User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces.
Warnings	warning This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, it is expected that `user.max_user_namespaces` will be enabled.

OVAL test results details

user.max_user_namespaces static configuration oval:ssg-test_static_sysctl_user_max_user_namespaces:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_user_max_user_namespaces:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]user.max_user_namespaces[\s]=[\s]0[\s]$	1

user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_user_max_user_namespaces:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_user_max_user_namespaces:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]user.max_user_namespaces[\s]=[\s]0[\s]$	1

user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_user_max_user_namespaces:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_user_max_user_namespaces:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]user.max_user_namespaces[\s]=[\s]0[\s]$	1

user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_user_max_user_namespaces:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_user_max_user_namespaces:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]user.max_user_namespaces[\s]=[\s]0[\s]$	1

kernel runtime parameter user.max_user_namespaces set to 0 oval:ssg-test_sysctl_runtime_user_max_user_namespaces:tst:1 false

Following items have been found on the system:

Name	Value
user.max_user_namespaces	5111

Disable storing core dumps

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_core_pattern:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82215-5

References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227

Description

To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:

$ sudo sysctl -w kernel.core_pattern=|/bin/false

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.core_pattern = |/bin/false

Rationale

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then



#
# Set runtime for kernel.core_pattern
#
/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false"

#
# If kernel.core_pattern present in /etc/sysctl.conf, change value to "|/bin/false"
#	else, add "kernel.core_pattern = |/bin/false" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^kernel.core_pattern' "|/bin/false" 'CCE-82215-5'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl kernel.core_pattern is set to |/bin/false
  sysctl:
    name: kernel.core_pattern
    value: '|/bin/false'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_kernel_core_pattern
    - unknown_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-82215-5

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf

OVAL test results details

kernel.core_pattern static configuration oval:ssg-test_static_sysctl_kernel_core_pattern:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_core_pattern:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.core_pattern[\s]=[\s]\|/bin/false[\s]$	1

kernel.core_pattern static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_core_pattern:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_core_pattern:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.core_pattern[\s]=[\s]\|/bin/false[\s]$	1

kernel.core_pattern static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_core_pattern:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_core_pattern:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.core_pattern[\s]=[\s]\|/bin/false[\s]$	1

kernel.core_pattern static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_core_pattern:tst:1 true

Following items have been found on the system:

Path	Content
/usr/lib/sysctl.d/50-coredump.conf	kernel.core_pattern=

kernel runtime parameter kernel.core_pattern set to |/bin/false oval:ssg-test_sysctl_runtime_kernel_core_pattern:tst:1 false

Following items have been found on the system:

Name	Value
kernel.core_pattern	\|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e

Restrict usage of ptrace to descendant processes

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80953-3

References: NT28(R25), SRG-OS-000132-GPOS-00067

Description

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

$ sudo sysctl -w kernel.yama.ptrace_scope=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.yama.ptrace_scope = 1

Rationale

Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then



#
# Set runtime for kernel.yama.ptrace_scope
#
/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1"

#
# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^kernel.yama.ptrace_scope' "1" 'CCE-80953-3'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl kernel.yama.ptrace_scope is set to 1
  sysctl:
    name: kernel.yama.ptrace_scope
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_kernel_yama_ptrace_scope
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80953-3

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,kernel.yama.ptrace_scope%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf

OVAL test results details

kernel.yama.ptrace_scope static configuration oval:ssg-test_static_sysctl_kernel_yama_ptrace_scope:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.yama.ptrace_scope[\s]=[\s]1[\s]$	1

kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_yama_ptrace_scope:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.yama.ptrace_scope[\s]=[\s]1[\s]$	1

kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_yama_ptrace_scope:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.yama.ptrace_scope[\s]=[\s]1[\s]$	1

kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_yama_ptrace_scope:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.yama.ptrace_scope[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.yama.ptrace_scope set to 1 oval:ssg-test_sysctl_runtime_kernel_yama_ptrace_scope:tst:1 false

Following items have been found on the system:

Name	Value
kernel.yama.ptrace_scope	0

Disallow kernel profiling by unprivileged users

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_perf_event_paranoid:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81054-9

References: NT28(R23), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067

Description

To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:

$ sudo sysctl -w kernel.perf_event_paranoid=2

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.perf_event_paranoid = 2

Rationale

Kernel profiling can reveal sensitive information about kernel behaviour.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then



#
# Set runtime for kernel.perf_event_paranoid
#
/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2"

#
# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2"
#	else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^kernel.perf_event_paranoid' "2" 'CCE-81054-9'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl kernel.perf_event_paranoid is set to 2
  sysctl:
    name: kernel.perf_event_paranoid
    value: '2'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_kernel_perf_event_paranoid
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-81054-9

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,kernel.perf_event_paranoid%3D2
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf

OVAL test results details

kernel.perf_event_paranoid static configuration oval:ssg-test_static_sysctl_kernel_perf_event_paranoid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.perf_event_paranoid[\s]=[\s]2[\s]$	1

kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_perf_event_paranoid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.perf_event_paranoid[\s]=[\s]2[\s]$	1

kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_perf_event_paranoid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.perf_event_paranoid[\s]=[\s]2[\s]$	1

kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_paranoid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.perf_event_paranoid[\s]=[\s]2[\s]$	1

kernel runtime parameter kernel.perf_event_paranoid set to 2 oval:ssg-test_sysctl_runtime_kernel_perf_event_paranoid:tst:1 true

Following items have been found on the system:

Name	Value
kernel.perf_event_paranoid	2

Restrict Access to Kernel Message Buffer

Rule ID xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sysctl_kernel_dmesg_restrict:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80913-7

References: NT28(R23), 3.1.5, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067

Description

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.dmesg_restrict=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.dmesg_restrict = 1

Rationale

Unprivileged access to the kernel syslog can expose sensitive kernel address information.

Remediation Shell script ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then



#
# Set runtime for kernel.dmesg_restrict
#
/sbin/sysctl -q -n -w kernel.dmesg_restrict="1"

#
# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/sysctl.conf' '^kernel.dmesg_restrict' "1" 'CCE-80913-7'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	medium
Reboot:	true
Strategy:	disable

- name: Ensure sysctl kernel.dmesg_restrict is set to 1
  sysctl:
    name: kernel.dmesg_restrict
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sysctl_kernel_dmesg_restrict
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - reboot_required
    - CCE-80913-7
    - NIST-800-53-SI-11(a)
    - NIST-800-53-SI-11(b)
    - NIST-800-171-3.1.5

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,kernel.dmesg_restrict%3D1
        filesystem: root
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf

OVAL test results details

kernel.dmesg_restrict static configuration oval:ssg-test_static_sysctl_kernel_dmesg_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/sysctl.conf	^[\s]kernel.dmesg_restrict[\s]=[\s]1[\s]$	1

kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_etc_sysctld_kernel_dmesg_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_etc_sysctld_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/etc/sysctl.d	^.*\.conf$	^[\s]kernel.dmesg_restrict[\s]=[\s]1[\s]$	1

kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_run_sysctld_kernel_dmesg_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_run_sysctld_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/run/sysctl.d	^.*\.conf$	^[\s]kernel.dmesg_restrict[\s]=[\s]1[\s]$	1

kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf oval:ssg-test_static_usr_lib_sysctld_kernel_dmesg_restrict:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_static_usr_lib_sysctld_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object

Path	Filename	Pattern	Instance
/usr/lib/sysctl.d	^.*\.conf$	^[\s]kernel.dmesg_restrict[\s]=[\s]1[\s]$	1

kernel runtime parameter kernel.dmesg_restrict set to 1 oval:ssg-test_sysctl_runtime_kernel_dmesg_restrict:tst:1 false

Following items have been found on the system:

Name	Value
kernel.dmesg_restrict	0

Add noexec Option to /tmp

Rule ID xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_tmp_noexec:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82139-7

References: NT28(R12), 1.1.5, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/tmp" "noexec" "" ""

	ensure_partition_is_mounted "/tmp"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82139-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82139-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure noexec option is part of the to /tmp options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
    - mount_info is defined and "noexec" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82139-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /tmp is mounted with noexec option
  mount:
    path: /tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82139-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /tmp --mountoptions="noexec"

OVAL test results details

noexec on /tmp oval:ssg-test_tmp_partition_noexec:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_tmp_partition_noexec:obj:1 of type partition_object

Mount point
/tmp

Add nodev Option to /var

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_nodev:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82062-1

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /var. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var || { echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var" "nodev" "" ""

	ensure_partition_is_mounted "/var"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82062-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82062-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nodev option is part of the to /var options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
    - mount_info is defined and "nodev" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82062-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /var is mounted with nodev option
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82062-1
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var --mountoptions="nodev"

OVAL test results details

nodev on /var oval:ssg-test_var_partition_nodev:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_partition_nodev:obj:1 of type partition_object

Mount point
/var

Add nosuid Option to /var/log

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_nosuid:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82065-4

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/log" "nosuid" "" ""

	ensure_partition_is_mounted "/var/log"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82065-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82065-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nosuid option is part of the to /var/log options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
    - mount_info is defined and "nosuid" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82065-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /var/log is mounted with nosuid option
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82065-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/log --mountoptions="nosuid"

OVAL test results details

nosuid on /var/log oval:ssg-test_var_log_partition_nosuid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_partition_nosuid:obj:1 of type partition_object

Mount point
/var/log

Add nodev Option to /var/log/audit

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_audit_nodev:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82080-3

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/log/audit" "nodev" "" ""

	ensure_partition_is_mounted "/var/log/audit"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82080-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82080-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nodev option is part of the to /var/log/audit options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
    - mount_info is defined and "nodev" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82080-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /var/log/audit is mounted with nodev option
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82080-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/log/audit --mountoptions="nodev"

OVAL test results details

nodev on /var/log/audit oval:ssg-test_var_log_audit_partition_nodev:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_audit_partition_nodev:obj:1 of type partition_object

Mount point
/var/log/audit

Add nodev Option to /tmp

Rule ID xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_tmp_nodev:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82623-0

References: NT28(R12), 1.1.3, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/tmp" "nodev" "" ""

	ensure_partition_is_mounted "/tmp"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82623-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82623-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nodev option is part of the to /tmp options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
    - mount_info is defined and "nodev" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82623-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /tmp is mounted with nodev option
  mount:
    path: /tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82623-0
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /tmp --mountoptions="nodev"

OVAL test results details

nodev on /tmp oval:ssg-test_tmp_partition_nodev:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_tmp_partition_nodev:obj:1 of type partition_object

Mount point
/tmp

Add nosuid Option to /boot

Rule ID xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_boot_nosuid:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81033-3

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nosuid mount option can be used to prevent execution of setuid programs in /boot. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /boot || { echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/boot" "nosuid" "" ""

	ensure_partition_is_mounted "/boot"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/boot'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_boot_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81033-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_boot_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81033-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nosuid option is part of the to /boot options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
    - mount_info is defined and "nosuid" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_boot_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81033-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /boot is mounted with nosuid option
  mount:
    path: /boot
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_boot_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81033-3
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /boot --mountoptions="nosuid"

OVAL test results details

nosuid on /boot oval:ssg-test_boot_partition_nosuid:tst:1 false

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/boot	/dev/vda1	334f2d6c-6e12-4d07-95cd-8cb8d146b492	xfs	rw	seclabel	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	85320	174264

Add nodev Option to /var/log

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_nodev:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82077-9

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/log" "nodev" "" ""

	ensure_partition_is_mounted "/var/log"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82077-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82077-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nodev option is part of the to /var/log options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
    - mount_info is defined and "nodev" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82077-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /var/log is mounted with nodev option
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82077-9
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/log --mountoptions="nodev"

OVAL test results details

nodev on /var/log oval:ssg-test_var_log_partition_nodev:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_partition_nodev:obj:1 of type partition_object

Mount point
/var/log

Add nosuid Option to /var/tmp

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_tmp_nosuid:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82154-6

References: NT28(R12), 1.1.9, SRG-OS-000368-GPOS-00154

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/tmp" "nosuid" "" ""

	ensure_partition_is_mounted "/var/tmp"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82154-6

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82154-6

- name: Make sure nosuid option is part of the to /var/tmp options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
    - mount_info is defined and "nosuid" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82154-6

- name: Ensure /var/tmp is mounted with nosuid option
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82154-6

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/tmp --mountoptions="nosuid"

OVAL test results details

nosuid on /var/tmp oval:ssg-test_var_tmp_partition_nosuid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_tmp_partition_nosuid:obj:1 of type partition_object

Mount point
/var/tmp

Add nosuid Option to /tmp

Rule ID xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_tmp_nosuid:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82140-5

References: NT28(R12), 1.1.4, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/tmp" "nosuid" "" ""

	ensure_partition_is_mounted "/tmp"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82140-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82140-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nosuid option is part of the to /tmp options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
    - mount_info is defined and "nosuid" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82140-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /tmp is mounted with nosuid option
  mount:
    path: /tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_tmp_nosuid
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82140-5
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /tmp --mountoptions="nosuid"

OVAL test results details

nosuid on /tmp oval:ssg-test_tmp_partition_nosuid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_tmp_partition_nosuid:obj:1 of type partition_object

Mount point
/tmp

Add nodev Option to /dev/shm

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_dev_shm_nodev:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80837-8 References: 1.1.5, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154
Description	The `nodev` mount option can be used to prevent creation of device files in `/dev/shm`. Legitimate character and block devices should not exist within temporary directories like `/dev/shm`. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/dev/shm`.
Rationale	The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails.

OVAL test results details

nodev on /dev/shm oval:ssg-test_dev_shm_partition_nodev:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	seclabel	nosuid	nodev	168303	0	168303

Add nosuid Option to /var/log/audit

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_audit_nosuid:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82921-8

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/log/audit" "nosuid" "" ""

	ensure_partition_is_mounted "/var/log/audit"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82921-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82921-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nosuid option is part of the to /var/log/audit options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
    - mount_info is defined and "nosuid" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82921-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /var/log/audit is mounted with nosuid option
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82921-8
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/log/audit --mountoptions="nosuid"

OVAL test results details

nosuid on /var/log/audit oval:ssg-test_var_log_audit_partition_nosuid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_audit_partition_nosuid:obj:1 of type partition_object

Mount point
/var/log/audit

Add nosuid Option to /home

Rule ID xccdf_org.ssgproject.content_rule_mount_option_home_nosuid

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_home_nosuid:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-81050-7

References: NT28(R12), 1.1.3, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227

Description

The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/home" "nosuid" "" ""

	ensure_partition_is_mounted "/home"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_home_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81050-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_home_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81050-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nosuid option is part of the to /home options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
    - mount_info is defined and "nosuid" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_home_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81050-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /home is mounted with nosuid option
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_home_nosuid
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81050-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /home --mountoptions="nosuid"

OVAL test results details

nosuid on /home oval:ssg-test_home_partition_nosuid:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_home_partition_nosuid:obj:1 of type partition_object

Mount point
/home

Add noexec Option to /var/log/audit

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_audit_noexec:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82975-4

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/log/audit" "noexec" "" ""

	ensure_partition_is_mounted "/var/log/audit"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82975-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82975-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure noexec option is part of the to /var/log/audit options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
    - mount_info is defined and "noexec" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82975-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /var/log/audit is mounted with noexec option
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_audit_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82975-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/log/audit --mountoptions="noexec"

OVAL test results details

noexec on /var/log/audit oval:ssg-test_var_log_audit_partition_noexec:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_audit_partition_noexec:obj:1 of type partition_object

Mount point
/var/log/audit

Add noexec Option to /var/tmp

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_tmp_noexec:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82151-2

References: NT28(R12), 1.1.10, SRG-OS-000368-GPOS-00154

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

Rationale

Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/tmp" "noexec" "" ""

	ensure_partition_is_mounted "/var/tmp"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82151-2

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82151-2

- name: Make sure noexec option is part of the to /var/tmp options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
    - mount_info is defined and "noexec" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82151-2

- name: Ensure /var/tmp is mounted with noexec option
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82151-2

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/tmp --mountoptions="noexec"

OVAL test results details

noexec on /var/tmp oval:ssg-test_var_tmp_partition_noexec:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_tmp_partition_noexec:obj:1 of type partition_object

Mount point
/var/tmp

Add nosuid Option to /dev/shm

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_dev_shm_nosuid:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80839-4 References: 1.1.16, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154
Description	The `nosuid` mount option can be used to prevent execution of setuid programs in `/dev/shm`. The SUID and SGID permissions should not be required in these world-writable directories. Add the `nosuid` option to the fourth column of `/etc/fstab` for the line which controls mounting of `/dev/shm`.
Rationale	The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.

OVAL test results details

nosuid on /dev/shm oval:ssg-test_dev_shm_partition_nosuid:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	seclabel	nosuid	nodev	168303	0	168303

Add noexec Option to /dev/shm

Rule ID xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_dev_shm_noexec:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80838-6

References: 1.1.17, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "no" = 'yes'; then
		assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/dev/shm" "noexec" "tmpfs" "tmpfs"

	ensure_partition_is_mounted "/dev/shm"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt  '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_dev_shm_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80838-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_dev_shm_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80838-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure noexec option is part of the to /dev/shm options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
    - mount_info is defined and "noexec" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_dev_shm_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80838-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /dev/shm is mounted with noexec option
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_dev_shm_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-80838-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

OVAL test results details

noexec on /dev/shm oval:ssg-test_dev_shm_partition_noexec:tst:1 false

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/dev/shm	tmpfs		tmpfs	rw	seclabel	nosuid	nodev	168303	0	168303

Add noexec Option to /var/log

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_log_noexec:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82008-4

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.

Rationale

Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/log" "noexec" "" ""

	ensure_partition_is_mounted "/var/log"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82008-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82008-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure noexec option is part of the to /var/log options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
    - mount_info is defined and "noexec" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82008-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /var/log is mounted with noexec option
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_log_noexec
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82008-4
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/log --mountoptions="noexec"

OVAL test results details

noexec on /var/log oval:ssg-test_var_log_partition_noexec:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_log_partition_noexec:obj:1 of type partition_object

Mount point
/var/log

Add nodev Option to /boot

Rule ID xccdf_org.ssgproject.content_rule_mount_option_boot_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_boot_nodev:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82941-6

References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /boot. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /boot || { echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/boot" "nodev" "" ""

	ensure_partition_is_mounted "/boot"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/boot'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_boot_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82941-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_boot_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82941-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Make sure nodev option is part of the to /boot options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
    - mount_info is defined and "nodev" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_boot_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82941-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

- name: Ensure /boot is mounted with nodev option
  mount:
    path: /boot
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_boot_nodev
    - medium_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82941-6
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-MP-7

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /boot --mountoptions="nodev"

OVAL test results details

nodev on /boot oval:ssg-test_boot_partition_nodev:tst:1 false

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/boot	/dev/vda1	334f2d6c-6e12-4d07-95cd-8cb8d146b492	xfs	rw	seclabel	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	85320	174264

Add nodev Option to Non-Root Local Partitions

Rule ID	xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1
Time	2021-03-21T19:59:44+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82069-6 References: 1.1.11, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154
Description	The `nodev` mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the `/dev` directory on the root partition or within chroot jails built for system services. Add the `nodev` option to the fourth column of `/etc/fstab` for the line which controls mounting of any non-root local partitions.
Rationale	The `nodev` mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the `/dev` directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set `nodev` on these filesystems.

OVAL test results details

nodev on local filesystems oval:ssg-test_nodev_nonroot_local_partitions:tst:1 true

Following items have been found on the system:

Mount point	Device	Uuid	Fs type	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Mount options	Total space	Space used	Space left
/boot	/dev/vda1	334f2d6c-6e12-4d07-95cd-8cb8d146b492	xfs	rw	seclabel	relatime	attr2	inode64	logbufs=8	logbsize=32k	noquota	bind	259584	85320	174264

Add nodev Option to /var/tmp

Rule ID xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_var_tmp_nodev:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-82068-8

References: NT28(R12), 1.1.8, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/var/tmp" "nodev" "" ""

	ensure_partition_is_mounted "/var/tmp"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82068-8

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82068-8

- name: Make sure nodev option is part of the to /var/tmp options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
    - mount_info is defined and "nodev" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82068-8

- name: Ensure /var/tmp is mounted with nodev option
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_var_tmp_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82068-8

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /var/tmp --mountoptions="nodev"

OVAL test results details

nodev on /var/tmp oval:ssg-test_var_tmp_partition_nodev:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_var_tmp_partition_nodev:obj:1 of type partition_object

Mount point
/var/tmp

Add nodev Option to /home

Rule ID xccdf_org.ssgproject.content_rule_mount_option_home_nodev

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-mount_option_home_nodev:def:1

Time 2021-03-21T19:59:44+01:00

Severity unknown

Identifiers and References

Identifiers: CCE-81048-1

References: NT28(R12), 1.1.14, SRG-OS-000368-GPOS-00154

Description

The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

function include_mount_options_functions {
	:
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
        local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
        readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

        for _vfstype_point in "${_vfstype_points[@]}"
        do
                ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
        done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
	local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
	local _mount_point_match_regexp="" _previous_mount_opts=""
	_mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

	if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
		# runtime opts without some automatic kernel/userspace-added defaults
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
					| sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
		[ "$_previous_mount_opts" ] && _previous_mount_opts+=","
		echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
	elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
		_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
		sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
	fi
}

# $1: mount point
function get_mount_point_regexp {
		printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	grep "$_mount_point_match_regexp" -q /etc/fstab \
		|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
	local _mount_point_match_regexp
	_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
	if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
	then
		sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
	fi
}

# $1: mount point
function ensure_partition_is_mounted {
	local _mount_point="$1"
	mkdir -p "$_mount_point" || return 1
	if mountpoint -q "$_mount_point"; then
		mount -o remount --target "$_mount_point"
	else
		mount --target "$_mount_point"
	fi
}
include_mount_options_functions

function perform_remediation {
	# test "$mount_has_to_exist" = 'yes'
	if test "yes" = 'yes'; then
		assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
	fi

	ensure_mount_option_in_fstab "/home" "nodev" "" ""

	ensure_partition_is_mounted "/home"
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	configure

- name: Check information associated to mountpoint
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_home_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81048-1

- name: Create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_home_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81048-1

- name: Make sure nodev option is part of the to /home options
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
    - mount_info is defined and "nodev" not in mount_info.options
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_home_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81048-1

- name: Ensure /home is mounted with nodev option
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - mount_option_home_nodev
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-81048-1

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	high
Strategy:	enable


part /home --mountoptions="nodev"

OVAL test results details

nodev on /home oval:ssg-test_home_partition_nodev:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_home_partition_nodev:obj:1 of type partition_object

Mount point
/home

Install fapolicyd Package

Rule ID xccdf_org.ssgproject.content_rule_package_fapolicyd_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_fapolicyd_installed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82191-8

References: CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155

Description

The fapolicyd package can be installed with the following command:

$ sudo yum install fapolicyd

Rationale

fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "fapolicyd" ; then
    yum install -y "fapolicyd"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure fapolicyd is installed
  package:
    name: fapolicyd
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - package_fapolicyd_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82191-8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-4(22)

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_fapolicyd

class install_fapolicyd {
  package { 'fapolicyd':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=fapolicyd

OVAL test results details

package fapolicyd is installed oval:ssg-test_package_fapolicyd_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_fapolicyd_installed:obj:1 of type rpminfo_object

Name
fapolicyd

Enable the File Access Policy Service

Rule ID xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-service_fapolicyd_enabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82249-4

References: CM-6(a), SI-4(22), FMT_SMF_EXT.1, SRG-OS-000370-GPOS-00155

Description

The File Access Policy service should be enabled. The fapolicyd service can be enabled with the following command:

$ sudo systemctl enable fapolicyd.service

Rationale

The fapolicyd service (File Access Policy Daemon) implements application whitelisting to decide file access rights.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'fapolicyd.service'
"$SYSTEMCTL_EXEC" enable 'fapolicyd.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Enable service fapolicyd
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable service fapolicyd
      service:
        name: fapolicyd
        enabled: 'yes'
        state: started
      when:
        - '"fapolicyd" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - service_fapolicyd_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82249-4
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-4(22)

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include enable_fapolicyd

class enable_fapolicyd {
  service {'fapolicyd':
    enable => true,
    ensure => 'running',
  }
}

OVAL test results details

package fapolicyd is installed oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_service_fapolicyd_package_fapolicyd_installed:obj:1 of type rpminfo_object

Name
fapolicyd

Test that the fapolicyd service is running oval:ssg-test_service_running_fapolicyd:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_running_fapolicyd:obj:1 of type systemdunitproperty_object

Unit	Property
^fapolicyd\.(socket\|service)$	ActiveState

systemd test oval:ssg-test_multi_user_wants_fapolicyd:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

systemd test oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

Uninstall nfs-utils Package

Rule ID	xccdf_org.ssgproject.content_rule_package_nfs-utils_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_nfs-utils_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	low
Identifiers and References	Identifiers: CCE-82932-5 References: SRG-OS-000095-GPOS-00049
Description	The `nfs-utils` package can be removed with the following command: $ sudo yum erase nfs-utils
Rationale	`nfs-utils` provides a daemon for the kernel NFS server and related tools. This package also contains the `showmount` program. `showmount` queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, `showmount` can display the clients which are mounted on that host.

OVAL test results details

package nfs-utils is removed oval:ssg-test_package_nfs-utils_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_nfs-utils_removed:obj:1 of type rpminfo_object

Name
nfs-utils

Enable the Hardware RNG Entropy Gatherer Service

Rule ID	xccdf_org.ssgproject.content_rule_service_rngd_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-service_rngd_enabled:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82831-9 References: FCS_RBG_EXT.1, SRG-OS-000480-GPOS-00227
Description	The Hardware RNG Entropy Gatherer service should be enabled. The `rngd` service can be enabled with the following command: $ sudo systemctl enable rngd.service
Rationale	The `rngd` service feeds random data from hardware device to kernel random device.

OVAL test results details

package rng-tools is installed oval:ssg-test_service_rngd_package_rng-tools_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
rng-tools	x86_64	(none)	3.el8	6.8	0:6.8-3.el8	199e2f91fd431d51	rng-tools-0:6.8-3.el8.x86_64

Test that the rngd service is running oval:ssg-test_service_running_rngd:tst:1 true

Following items have been found on the system:

Unit	Property	Value
rngd.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_rngd:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

systemd test oval:ssg-test_multi_user_wants_rngd_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

Uninstall Sendmail Package

Rule ID	xccdf_org.ssgproject.content_rule_package_sendmail_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_sendmail_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-81039-0 References: NT28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227
Description	Sendmail is not the default mail transfer agent and is not installed by default. The `sendmail` package can be removed with the following command: $ sudo yum erase sendmail
Rationale	The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.

OVAL test results details

package sendmail is removed oval:ssg-test_package_sendmail_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_sendmail_removed:obj:1 of type rpminfo_object

Name
sendmail

Disable SSH Root Login

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_root_login

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_disable_root_login:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80901-2

References: NT28(R19), 5.2.10, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FIA_AFL.1, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000

Description

The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin no

Rationale

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Disable SSH Root Login
  block:

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*PermitRootLogin\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: PermitRootLogin no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sshd_disable_root_login
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80901-2
    - NIST-800-53-AC-6(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - CJIS-5.5.6

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0A%23Log%20user%20connections%0ALogLevel%20VERBOSE%0A%0AUsePrivilegeSeparation%20sandbox
        filesystem: root
        mode: 0600
        path: /etc/ssh/sshd_config

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_root_login:tst:1 false

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	PermitRootLogin yes

Disable SSH Access via Empty Passwords

Rule ID	xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_disable_empty_passwords:def:1
Time	2021-03-21T19:59:44+01:00
Severity	high
Identifiers and References	Identifiers: CCE-80896-4 References: NT007(R17), 5.2.11, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000
Description	To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in `/etc/ssh/sshd_config`: PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
Rationale	Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_empty_passwords:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

tests the absence of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_empty_passwords_default_not_overriden:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_disable_empty_passwords_default_not_overriden:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+	1

Force frequent session key renegotiation

Rule ID xccdf_org.ssgproject.content_rule_sshd_rekey_limit

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_rekey_limit:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82177-7

References: FCS_SSHS_EXT.1, SRG-OS-000480-GPOS-00227

Description

The RekeyLimit parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line RekeyLimit 1G 1h to file /etc/ssh/sshd_config.

Rationale

By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


var_rekey_limit_size="1G"

var_rekey_limit_time="1h"



if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	configure

- name: XCCDF Value var_rekey_limit_size # promote to variable
  set_fact:
    var_rekey_limit_size: !!str 1G
  tags:
    - always
- name: XCCDF Value var_rekey_limit_time # promote to variable
  set_fact:
    var_rekey_limit_time: !!str 1h
  tags:
    - always

- name: Force frequent session key renegotiation
  block:

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*RekeyLimit\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: RekeyLimit {{ var_rekey_limit_size}} {{var_rekey_limit_time}}
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sshd_rekey_limit
    - medium_severity
    - configure_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82177-7

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0A%23Log%20user%20connections%0ALogLevel%20VERBOSE%0A%0AUsePrivilegeSeparation%20sandbox
        filesystem: root
        mode: 0600
        path: /etc/ssh/sshd_config

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

tests the value of RekeyLimit setting in the file oval:ssg-test_sshd_rekey_limit:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_rekey_limit:obj:1 of type textfilecontent54_object

Filepath

Pattern

Instance

^[\s]*RekeyLimit[\s]+1G[\s]+1h[\s]*$

/etc/ssh/sshd_config

SSH server uses strong entropy to seed

Rule ID xccdf_org.ssgproject.content_rule_sshd_use_strong_rng

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_use_strong_rng:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82462-3

References: FIA_AFL.1, SRG-OS-000480-GPOS-00227

Description

To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains line

SSH_USE_STRONG_RNG=32

Rationale

SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors in encryption algorithms, and high-quality entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.

Warnings

warning This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if [ -e "/etc/sysconfig/sshd" ] ; then
    LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG=/d" "/etc/sysconfig/sshd"
else
    touch "/etc/sysconfig/sshd"
fi
cp "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bak"
# Insert before the line matching the regex '^#\s*SSH_USE_STRONG_RNG'.
line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*SSH_USE_STRONG_RNG', insert at
    # the end of the file.
    printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
else
    head -n "$(( line_number - 1 ))" "/etc/sysconfig/sshd.bak" > "/etc/sysconfig/sshd"
    printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
    tail -n "+$(( line_number ))" "/etc/sysconfig/sshd.bak" >> "/etc/sysconfig/sshd"
fi
# Clean up after ourselves.
rm "/etc/sysconfig/sshd.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in
    '/etc/sysconfig/sshd'
  block:

    - name: Deduplicate values from /etc/sysconfig/sshd
      lineinfile:
        path: /etc/sysconfig/sshd
        create: false
        regexp: ^\s*SSH_USE_STRONG_RNG=
        state: absent

    - name: Insert correct line to /etc/sysconfig/sshd
      lineinfile:
        path: /etc/sysconfig/sshd
        create: true
        line: SSH_USE_STRONG_RNG=32
        state: present
        insertbefore: ^# SSH_USE_STRONG_RNG
        validate: /usr/bin/bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sshd_use_strong_rng
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82462-3

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents: 
          source: data:,%23%20Configuration%20file%20for%20the%20sshd%20service.%0A%0A%23%20The%20server%20keys%20are%20automatically%20generated%20if%20they%20are%20missing.%0A%23%20To%20change%20the%20automatic%20creation%2C%20adjust%20sshd.service%20options%20for%0A%23%20example%20using%20%20systemctl%20enable%20sshd-keygen%40dsa.service%20%20to%20allow%20creation%0A%23%20of%20DSA%20key%20or%20%20systemctl%20mask%20sshd-keygen%40rsa.service%20%20to%20disable%20RSA%20key%0A%23%20creation.%0A%0A%23%20Do%20not%20change%20this%20option%20unless%20you%20have%20hardware%20random%0A%23%20generator%20and%20you%20REALLY%20know%20what%20you%20are%20doing%0A%0ASSH_USE_STRONG_RNG%3D32%0A%23%20SSH_USE_STRONG_RNG%3D1%0A%0A%23%20System-wide%20crypto%20policy%3A%0A%23%20To%20opt-out%2C%20uncomment%20the%20following%20line%0A%23%20CRYPTO_POLICY%3D%0A%0A
        filesystem: root
        mode: 0640
        path: /etc/sysconfig/sshd

OVAL test results details

tests the value of SSH_USE_STRONG_RNG setting in the /etc/sysconfig/sshd file oval:ssg-test_sshd_use_strong_rng:tst:1 false

Following items have been found on the system:

Path	Content
/etc/sysconfig/sshd	SSH_USE_STRONG_RNG=0

Enable SSH Warning Banner

Rule ID xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_enable_warning_banner:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80905-3

References: 5.2.15, 1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070

Description

To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:

Banner /etc/issue

Another section contains information on how to create an appropriate system-wide warning banner.

Rationale

The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Enable SSH Warning Banner
  block:

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*Banner\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: Banner /etc/issue
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sshd_enable_warning_banner
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80905-3
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.9
    - CJIS-5.5.6

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0A%23Log%20user%20connections%0ALogLevel%20VERBOSE%0A%0AUsePrivilegeSeparation%20sandbox
        filesystem: root
        mode: 0600
        path: /etc/ssh/sshd_config

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

tests the value of Banner setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_enable_warning_banner:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_enable_warning_banner:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)Banner(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

Disable Kerberos Authentication

Rule ID	xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_disable_kerb_auth:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80898-0 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_AFL.1, SRG-OS-000364-GPOS-00151, SRG-OS-000480-VMM-002000
Description	Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the `/etc/ssh/sshd_config` file: KerberosAuthentication no
Rationale	Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_kerb_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_disable_kerb_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

tests the absence of KerberosAuthentication setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_kerb_auth_default_not_overriden:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_disable_kerb_auth_default_not_overriden:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+	1

Set SSH Idle Timeout Interval

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_set_idle_timeout:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80906-1

References: NT28(R29), 5.2.13, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, SRG-OS-000480-VMM-002000

Description

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval 840

The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Rationale

Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


sshd_idle_timeout_value="840"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
# format:		The printf-like format string that will be given stripped key and value as arguments,
#			so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  if [ "$case_insensitive_mode" = yes ]; then
    sed_case_insensitive_option="i"
    grep_case_insensitive_option="-i"
  fi
  [ -n "$format" ] || format="$default_format"
  # Check sanity of the input
  [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; }

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  sed_command=('sed' '-i')
  if test -L "$config_file"; then
    sed_command+=('--follow-symlinks')
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
    cce="${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")

  # shellcheck disable=SC2059
  printf -v formatted_output "$format" "$stripped_key" "$value"

  # If the key exists, change it. Otherwise, add it to the config_file.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
    "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
  else
    # \n is precaution for case where file ends without trailing newline
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}
replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value 'CCE-80906-1' '%s %s'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: XCCDF Value sshd_idle_timeout_value # promote to variable
  set_fact:
    sshd_idle_timeout_value: !!str 840
  tags:
    - always

- name: Set SSH Idle Timeout Interval
  block:

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*ClientAliveInterval\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: ClientAliveInterval {{ sshd_idle_timeout_value }}
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sshd_set_idle_timeout
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80906-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-SC-10
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.11
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.6

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0A%23Log%20user%20connections%0ALogLevel%20VERBOSE%0A%0AUsePrivilegeSeparation%20sandbox
        filesystem: root
        mode: 0600
        path: /etc/ssh/sshd_config

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

timeout is configured oval:ssg-test_sshd_idle_timeout:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_sshd_idle_timeout:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)ClientAliveInterval[\s]+(\d+)[\s](?:#.*)?$	1

Enable Use of Strict Mode Checking

Rule ID	xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-sshd_enable_strictmodes:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80904-6 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000
Description	SSHs `StrictModes` option checks file and ownership permissions in the user's home directory `.ssh` folder before accepting login. If world- writable permissions are found, logon is rejected. To enable `StrictModes` in SSH, add or correct the following line in the `/etc/ssh/sshd_config` file: StrictModes yes
Rationale	If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

tests the value of StrictModes setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_enable_strictmodes:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_enable_strictmodes:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)StrictModes(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

tests the absence of StrictModes setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_enable_strictmodes_default_not_overriden:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_enable_strictmodes_default_not_overriden:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t]*(?i)StrictModes(?-i)[ \t]+	1

Disable Host-Based Authentication

Rule ID	xccdf_org.ssgproject.content_rule_disable_host_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-disable_host_auth:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80786-7 References: 5.2.9, 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000
Description	SSH's cryptographic host-based authentication is more secure than `.rhosts` authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. To disable host-based authentication, add or correct the following line in `/etc/ssh/sshd_config`: HostbasedAuthentication no
Rationale	SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file oval:ssg-test_disable_host_auth:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_disable_host_auth:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t](?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t](?:$\|#)	1

tests the absence of HostbasedAuthentication setting in the /etc/ssh/sshd_config file oval:ssg-test_disable_host_auth_default_not_overriden:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_disable_host_auth_default_not_overriden:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+	1

Set SSH Client Alive Max Count

Rule ID xccdf_org.ssgproject.content_rule_sshd_set_keepalive

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_set_keepalive:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80907-9

References: 5.2.13, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000

Description

To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows:

ClientAliveCountMax 0

Rationale

This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.

Remediation Shell script ⇲

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then


var_sshd_set_keepalive="0"

if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: XCCDF Value var_sshd_set_keepalive # promote to variable
  set_fact:
    var_sshd_set_keepalive: !!str 0
  tags:
    - always

- name: Set SSH Client Alive Max Count
  block:

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*ClientAliveCountMax\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sshd_set_keepalive
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80907-9
    - NIST-800-53-AC-2(5)
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-SC-10
    - NIST-800-53-CM-6(a)
    - NIST-800-171-3.1.11
    - CJIS-5.5.6

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0A%23Log%20user%20connections%0ALogLevel%20VERBOSE%0A%0AUsePrivilegeSeparation%20sandbox
        filesystem: root
        mode: 0600
        path: /etc/ssh/sshd_config

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_clientalivecountmax:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_sshd_clientalivecountmax:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/ssh/sshd_config	^[\s](?i)ClientAliveCountMax[\s]+([\d]+)[\s](?:#.*)?$	1

Disable GSSAPI Authentication

Rule ID xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-sshd_disable_gssapi_auth:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-80897-2

References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FIA_AFL.1, SRG-OS-000364-GPOS-00151, SRG-OS-000480-VMM-002000

Description

Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:

GSSAPIAuthentication no

Rationale

GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

- name: Disable GSSAPI Authentication
  block:

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*GSSAPIAuthentication\s+
        state: absent

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        line: GSSAPIAuthentication no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - sshd_disable_gssapi_auth
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80897-2
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-AC-17(a)
    - NIST-800-171-3.1.12

Remediation script ⇲

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0A%23Log%20user%20connections%0ALogLevel%20VERBOSE%0A%0AUsePrivilegeSeparation%20sandbox
        filesystem: root
        mode: 0600
        path: /etc/ssh/sshd_config

OVAL test results details

Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-sshd_required:var:1	0

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_gssapi_auth:tst:1 false

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	GSSAPIAuthentication yes

tests the absence of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_gssapi_auth_default_not_overriden:tst:1 false

Following items have been found on the system:

Path	Content
/etc/ssh/sshd_config	GSSAPIAuthentication

Install OpenSSH client software

Rule ID	xccdf_org.ssgproject.content_rule_package_openssh-clients_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_openssh-clients_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82722-0 References: FIA_UAU.5, FTP_ITC_EXT.1, SRG-OS-000480-GPOS-00227
Description	The `openssh-clients` package can be installed with the following command: $ sudo yum install openssh-clients
Rationale	This package includes utilities to make encrypted connections and transfer files securely to SSH servers.

OVAL test results details

package openssh-clients is installed oval:ssg-test_package_openssh-clients_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-clients	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-clients-0:8.0p1-5.el8.x86_64

Install the OpenSSH Server Package

Rule ID	xccdf_org.ssgproject.content_rule_package_openssh-server_installed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_openssh-server_installed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-83303-8 References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.DS-2, PR.DS-5, FIA_UAU.5, FTP_ITC_EXT.1, SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS000423-GPOS-00190
Description	The `openssh-server` package should be installed. The `openssh-server` package can be installed with the following command: $ sudo yum install openssh-server
Rationale	Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

OVAL test results details

package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
openssh-server	x86_64	(none)	5.el8	8.0p1	0:8.0p1-5.el8	199e2f91fd431d51	openssh-server-0:8.0p1-5.el8.x86_64

Uninstall Automatic Bug Reporting Tool (abrt)

Rule ID	xccdf_org.ssgproject.content_rule_package_abrt_removed
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-package_abrt_removed:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-80948-3 References: SRG-OS-000095-GPOS-00049
Description	The Automatic Bug Reporting Tool (`abrt`) collects and reports crash data when an application crash is detected. Using a variety of plugins, abrt can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The `abrt` package can be removed with the following command: $ sudo yum erase abrt
Rationale	Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers.

OVAL test results details

package abrt is removed oval:ssg-test_package_abrt_removed:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_abrt_removed:obj:1 of type rpminfo_object

Name
abrt

Install usbguard Package

Rule ID xccdf_org.ssgproject.content_rule_package_usbguard_installed

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-package_usbguard_installed:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82959-8

References: SRG-OS-000378-GPOS-00163

Description

The usbguard package can be installed with the following command:

$ sudo yum install usbguard

Rationale

usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


if ! rpm -q --quiet "usbguard" ; then
    yum install -y "usbguard"
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Ensure usbguard is installed
  package:
    name: usbguard
    state: present
  tags:
    - package_usbguard_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82959-8

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include install_usbguard

class install_usbguard {
  package { 'usbguard':
    ensure => 'installed',
  }
}

Remediation Anaconda snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable


package --add=usbguard

OVAL test results details

package usbguard is installed oval:ssg-test_package_usbguard_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_package_usbguard_installed:obj:1 of type rpminfo_object

Name
usbguard

Enable the USBGuard Service

Rule ID xccdf_org.ssgproject.content_rule_service_usbguard_enabled

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-service_usbguard_enabled:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82853-3

References: FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163

Description

The USBGuard service should be enabled. The usbguard service can be enabled with the following command:

$ sudo systemctl enable usbguard.service

Rationale

The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'usbguard.service'
"$SYSTEMCTL_EXEC" enable 'usbguard.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

- name: Enable service usbguard
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable service usbguard
      service:
        name: usbguard
        enabled: 'yes'
        state: started
      when:
        - '"usbguard" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz"]
  tags:
    - service_usbguard_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82853-3

Remediation Puppet snippet ⇲

Complexity:	low
Disruption:	low
Strategy:	enable

include enable_usbguard

class enable_usbguard {
  service {'usbguard':
    enable => true,
    ensure => 'running',
  }
}

OVAL test results details

package usbguard is installed oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1 of type rpminfo_object

Name
usbguard

Test that the usbguard service is running oval:ssg-test_service_running_usbguard:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_service_running_usbguard:obj:1 of type systemdunitproperty_object

Unit	Property
^usbguard\.(socket\|service)$	ActiveState

systemd test oval:ssg-test_multi_user_wants_usbguard:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

systemd test oval:ssg-test_multi_user_wants_usbguard_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

Authorize Human Interface Devices and USB hubs in USBGuard daemon

Rule ID	xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-usbguard_allow_hid_and_hub:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82368-2 References: FMT_SMF_EXT.1, SRG-OS-000114-GPOS-00059
Description	To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line `allow with-interface match_all { 03:: 09:00:* }` to `/etc/usbguard/rules.conf`.
Rationale	Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system.
Warnings	warning This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind.
Remediation Shell script ⇲ `#!/bin/bash echo "allow with-interface match-all { 03:: 09:00:* }" >> /etc/usbguard/rules.conf`

OVAL test results details

Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists oval:ssg-test_usbguard_rules_nonempty:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_usbguard_rules_nonempty:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/usbguard/rules.conf	^.\S+.$	1

Log USBGuard daemon audit events using Linux Audit

Rule ID xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend

Result

fail

Multi-check rule no

OVAL Definition ID oval:ssg-configure_usbguard_auditbackend:def:1

Time 2021-03-21T19:59:44+01:00

Severity medium

Identifiers and References

Identifiers: CCE-82168-6

References: FMT_SMF_EXT.1, SRG-OS-000062-GPOS-00031

Description

To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit.

Rationale

Using the Linux Audit logging allows for centralized trace of events.

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Strategy:	restrict

if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then
    LC_ALL=C sed -i "/^\s*AuditBackend=/d" "/etc/usbguard/usbguard-daemon.conf"
else
    touch "/etc/usbguard/usbguard-daemon.conf"
fi
cp "/etc/usbguard/usbguard-daemon.conf" "/etc/usbguard/usbguard-daemon.conf.bak"
# Insert at the end of the file
printf '%s\n' "AuditBackend=LinuxAudit" >> "/etc/usbguard/usbguard-daemon.conf"
# Clean up after ourselves.
rm "/etc/usbguard/usbguard-daemon.conf.bak"

OVAL test results details

tests the value of AuditBackend setting in the /etc/usbguard/usbguard-daemon.conf file oval:ssg-test_configure_usbguard_auditbackend:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_configure_usbguard_auditbackend:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/usbguard/usbguard-daemon.conf	^[ \t]AuditBackend=(.+?)[ \t](?:$\|#)	1

The configuration file /etc/usbguard/usbguard-daemon.conf exists for configure_usbguard_auditbackend oval:ssg-test_configure_usbguard_auditbackend_config_file_exists:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_configure_usbguard_auditbackend_config_file:obj:1 of type file_object

Filepath
^/etc/usbguard/usbguard-daemon.conf

Disable network management of chrony daemon

Rule ID	xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-chronyd_no_chronyc_network:def:1
Time	2021-03-21T19:59:44+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82840-0 References: FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050
Description	The `cmdport` option in `/etc/chrony.conf` can be set to `0` to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.
Rationale	Not exposing the management interface of the chrony daemon on the network diminishes the attack space.
Remediation Shell script ⇲ # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then # Include source function library # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append /etc/chrony.conf '^cmdport' 0 'CCE-82840-0' '%s %s' else >&2 echo 'Remediation is not applicable, nothing was done' fi

OVAL test results details

package chrony is installed oval:ssg-test_service_chronyd_package_chrony_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
chrony	x86_64	(none)	1.el8	3.5	0:3.5-1.el8	199e2f91fd431d51	chrony-0:3.5-1.el8.x86_64

Test that the chronyd service is running oval:ssg-test_service_running_chronyd:tst:1 true

Following items have been found on the system:

Unit	Property	Value
chronyd.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_chronyd:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

systemd test oval:ssg-test_multi_user_wants_chronyd_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

check if cmdport is 0 in /etc/chrony.conf oval:ssg-test_chronyd_no_chronyc_network:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_chronyd_cmdport_value:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/chrony.conf	^\s*cmdport[\s]+(\S+)	1

Disable chrony daemon from acting as server

Rule ID	xccdf_org.ssgproject.content_rule_chronyd_client_only
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-chronyd_client_only:def:1
Time	2021-03-21T19:59:44+01:00
Severity	unknown
Identifiers and References	Identifiers: CCE-82988-7 References: FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050
Description	The `port` option in `/etc/chrony.conf` can be set to `0` to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode.
Rationale	Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
Remediation Shell script ⇲ # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv -a ! -f /run/.containerenv ]; then # Include source function library # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append /etc/chrony.conf '^port' 0 'CCE-82988-7' '%s %s' else >&2 echo 'Remediation is not applicable, nothing was done' fi

OVAL test results details

package chrony is installed oval:ssg-test_service_chronyd_package_chrony_installed:tst:1 true

Following items have been found on the system:

Name	Arch	Epoch	Release	Version	Evr	Signature keyid	Extended name
chrony	x86_64	(none)	1.el8	3.5	0:3.5-1.el8	199e2f91fd431d51	chrony-0:3.5-1.el8.x86_64

Test that the chronyd service is running oval:ssg-test_service_running_chronyd:tst:1 true

Following items have been found on the system:

Unit	Property	Value
chronyd.service	ActiveState	active

systemd test oval:ssg-test_multi_user_wants_chronyd:tst:1 true

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

systemd test oval:ssg-test_multi_user_wants_chronyd_socket:tst:1 false

Following items have been found on the system:

Unit	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency	Dependency
multi-user.target	basic.target	sysinit.target	kmod-static-nodes.service	systemd-tmpfiles-setup.service	ldconfig.service	sys-kernel-config.mount	systemd-update-utmp.service	plymouth-read-write.service	systemd-random-seed.service	systemd-journal-catalog-update.service	dracut-shutdown.service	local-fs.target	-.mount	boot.mount	systemd-remount-fs.service	systemd-modules-load.service	systemd-udevd.service	lvm2-lvmpolld.socket	systemd-udev-trigger.service	cryptsetup.target	dev-hugepages.mount	sys-fs-fuse-connections.mount	rngd.service	proc-sys-fs-binfmt_misc.automount	sys-kernel-debug.mount	selinux-autorelabel-mark.service	nis-domainname.service	systemd-binfmt.service	systemd-update-done.service	systemd-journald.service	dev-mqueue.mount	import-state.service	systemd-hwdb-update.service	systemd-ask-password-console.path	systemd-sysctl.service	systemd-machine-id-commit.service	systemd-sysusers.service	lvm2-monitor.service	systemd-journal-flush.service	loadmodules.service	plymouth-start.service	swap.target	dev-mapper-rhel\x2dswap.swap	systemd-firstboot.service	systemd-tmpfiles-setup-dev.service	slices.target	-.slice	system.slice	timers.target	systemd-tmpfiles-clean.timer	dnf-makecache.timer	unbound-anchor.timer	microcode.service	sockets.target	cockpit.socket	dm-event.socket	systemd-journald.socket	systemd-udevd-control.socket	systemd-initctl.socket	sssd-kcm.socket	systemd-coredump.socket	dbus.socket	systemd-udevd-kernel.socket	systemd-journald-dev-log.socket	paths.target	auditd.service	chronyd.service	httpd.service	systemd-update-utmp-runlevel.service	plymouth-quit.service	irqbalance.service	crond.service	getty.target	getty@tty1.service	rsyslog.service	sshd.service	NetworkManager.service	sssd.service	firewalld.service	remote-fs.target	systemd-ask-password-wall.path	plymouth-quit-wait.service	dbus.service	tuned.service	rhsmcertd.service	kdump.service	systemd-logind.service	systemd-user-sessions.service

check if port is 0 in /etc/chrony.conf oval:ssg-test_chronyd_client_only:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-obj_chronyd_port_value:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/chrony.conf	^\s*port[\s]+(\S+)	1

Disable Kerberos by removing host keytab

Rule ID	xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-kerberos_disable_no_keytab:def:1
Time	2021-03-21T19:59:44+01:00
Severity	medium
Identifiers and References	Identifiers: CCE-82175-1 References: FCS_CKM.1, SRG-OS-000120-GPOS-00061
Description	Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab files, especially `/etc/krb5.keytab`.
Rationale	The key derivation function (KDF) in Kerberos is not FIPS compatible.

OVAL test results details

Ensure keytab file does not exist oval:ssg-test_kerberos_disable_no_keytab:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-obj_kerberos_disable_no_keytab:obj:1 of type file_object

Filepath
^/etc/.+\.keytab$

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.